GDPR was implemented by the EU to protect the personal data of EU citizens from data breaches and other forms of misuse, and to hold enterprises that control or process that data accountable for misuse that occurs through their negligence.
And whether you've pored over the vast GDPR resources, or you've been checking in now and again to see how the situation is unfolding, you're no doubt aware that if you're doing business with the EU in any capacity, you need to be GDPR compliant.
Before we dive in, it's important to note that this post doesn't serve as legal advice. If you'd like guidance on your company's specific circumstances, please consult your legal counsel.
Depending entirely on your IT setup, hitting some of the GDPR benchmarks may have been a snap, requiring only a little retooling of your processes here and there. In other cases, it may have required a significant re-architecting of your IT, especially if your system was put together piecemeal over time without considering cybersecurity from the outset.
Your best first step toward ongoing compliance is a GDPR "gap analysis," which will determine where your system already meets GDPR benchmarks and where there is work to be done.
There are organizations that provide full end-to-end analysis and provide reports on where your operations stand with respect to the regulation, as well as downloadable tools you can use to get started.
After you recognize where the gaps are, you can plan the necessary steps to reach and maintain full compliance.
GDPR compliance will not be a "set it and forget it" setup. Just as managing cybersecurity these days requires being constantly on top of the emerging threats and changing demands, staying GDPR compliant means revamping certain aspects of your operations to keep up with the regulatory demands.
That means taking steps such as:
Since meeting such demands could mean significant changes in the culture and even hiring practices of your company, it's worth taking this seriously.
One of your biggest concerns about GDPR compliance is no doubt the sizable fines attached to non-compliance. The fines have been structured so that companies cannot simply write off non-compliance as a business expense; they are large enough that any business will want to avoid them.
That said, a deep dive into the announced penalties for failure to comply with GDPR shows that, at the very least, you won't face a catastrophic fine for a first offense deemed "non-intentional non-compliance." For such a violation, businesses will receive only a written warning, which may ease some of your anxiety about getting dinged for an honest oversight right when things are getting implemented.
However, beyond that initial warning, a violation may lead to:
From there, you reach the fines, which can run to millions or even tens of millions depending on the severity of the infraction.
While you figure out how this regulatory burden affects how you do business and how it might put you at risk of fines, it's understandable that you might lose sight of the considerable positive aspects of a rule like GDPR.
At the end of the day, GDPR exists to protect EU citizens from falling victim to cybercrime, an all-too-common occurrence these days, and not just for people in the EU. And while it may seem a little odd to have to comply with regulations enacted by far-off political bodies, the intent behind the regulation is a sound one. Companies should take their customers' data privacy seriously, no matter what country they're in.
So while we've been talking about the impact that GDPR has on you and your business operations, keep in mind that it impacts your customers by increasing their confidence and comfort with using your services, and their loyalty to your brand.
As a cloud-based solution that always keeps data security top-of-mind, SpringCM has watched GDPR develop closely.
If you're interested in further understanding the details of GDPR's demands, their potential impact on businesses and how SpringCM has educated customers, download our whitepaper titled "GDPR: Securing Privacy."
Editor's Note: This post was originally published in November 2017. It has been updated for accuracy and comprehensiveness.