It is now a little over four months since the EU's General Data Protection Regulation (GDPR), the bloc's much-celebrated new flagship legislation on data protection and privacy, began to apply. Its detailed and strict framework of rules, designed to promote privacy awareness and safeguard personal data in a rapidly evolving digital economy, reaches companies outside the EU as well. That means the GDPR affects a wide range of medium-sized businesses based in the US. But how, exactly?
New Focus on Personal Data Protection
Article 3(2) of the GDPR states that the regulation applies to companies not established in the EU when they either offer goods or services (whether or not payment is required) to people in the EU, or monitor the behavior of people in the EU as far as that behavior takes place within the EU. You may therefore fall within the scope of the legislation without realizing it: for example, if your e-shop takes orders and processes payments from customers in an EU country, or if your blog or website tracks its visitors with cookies and caters to an EU audience. One caveat: under Recital 23, the mere fact that a website can be reached from the EU is not by itself enough; indicators such as pricing in euros, an EU-language version of the site, or shipping to EU addresses are what show that you are targeting people there. Monitoring is a separate trigger, so profiling EU visitors through tracking cookies can bring you into scope even if you never sell them anything. This has left a lot of enterprises scrambling to comply with the new requirements.
One of the most important obligations under the GDPR is that companies must take appropriate organizational and technical measures to protect the personal data they collect, store and process (Article 32 on security of processing, and Article 25 on data protection by design and by default). For a medium-sized business that means setting up an internal policy that enforces lawful, limited and fair processing of personal information, training staff on the precautions they must take to secure personal data, and implementing a comprehensive data security strategy. On the technical side, Article 32 explicitly names pseudonymization and encryption as examples of appropriate measures. Two related techniques are anonymization and data masking, in which masking algorithms replace sensitive values with fictional data that looks realistic enough to unauthorized viewers and to downstream systems such as test or analytics environments. A caveat worth knowing before you rely on masking: data that has been masked deterministically or reversibly is pseudonymized, not anonymized, and under Article 4(5) and Recital 26 it remains personal data, with the information needed to re-identify people (such as a masking key or lookup table) to be kept separately under its own technical and organizational controls. Only data that can no longer be linked to an identifiable person, by anyone, falls outside the regulation.
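To make the masking idea concrete, here is a small added example (written for this page; it is not code from the original article or from any product it mentions) that pseudonymizes a customer order record with a keyed hash. The key, the name pools, the record layout and the two sample orders are all constructed assumptions for the demonstration; in a real deployment the key would come from a secrets manager and would be held separately from the masked copy, as the regulation expects. The point it shows beyond the paragraph above is that the same customer masks to the same fictional values every time, so masked tables still join on name or e-mail, while the output still matches the formats downstream systems validate.

```python
"""Deterministic data masking (pseudonymization) for customer records.

Added example: MASKING_KEY is a placeholder and ORDERS are made-up records.
"""
import hashlib
import hmac
import re

# Assumption for the demo: in production this comes from a vault, never from code.
MASKING_KEY = b"demo-only-key-replace-me"

# Small pools of plausible-looking substitute values (assumed, not from the article).
FIRST_NAMES = ["Alex", "Sam", "Jordan", "Casey", "Taylor", "Morgan", "Riley", "Jamie"]
LAST_NAMES = ["Smith", "Jones", "Brown", "Garcia", "Miller", "Davis", "Wilson", "Moore"]

EMAIL_RE = re.compile(r"^user[0-9]{6}@example\.com$")


def _digest(field: str, value: str) -> bytes:
    """Keyed hash of a value. The same (field, value) always maps to the same
    bytes, so masked tables still join; without the key nobody can re-link or
    reverse it. The field label is mixed in so the same string masked as a name
    and as an e-mail does not produce correlated output."""
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(MASKING_KEY, msg, hashlib.sha256).digest()


def mask_name(name: str) -> str:
    """Replace a real name with a name drawn from the pools (case-insensitive)."""
    d = _digest("name", name.strip().lower())
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def mask_email(email: str) -> str:
    """Replace the whole address: the domain can identify an employer and the
    local part often contains the real name. example.com is reserved (RFC 2606),
    so a leaked masked address can never reach a real inbox."""
    d = _digest("email", email.strip().lower())
    return f"user{int.from_bytes(d[:4], 'big') % 1_000_000:06d}@example.com"


def mask_card(pan: str) -> str:
    """Format-preserving: keep separators and the last four digits (enough for a
    support agent to recognise a card) and blank every other digit."""
    total = sum(c.isdigit() for c in pan)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= total - 4 else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


# Only these fields are treated as personal data; everything else is copied as-is.
SENSITIVE = {"name": mask_name, "email": mask_email, "card": mask_card}


def mask_record(record: dict) -> dict:
    """Mask the known personal-data fields and leave the rest (order id, amount)
    untouched so the test/analytics copy stays useful."""
    return {k: (SENSITIVE[k](v) if k in SENSITIVE else v) for k, v in record.items()}


# Constructed sample data: two orders from the same fictional customer, with
# inconsistent capitalisation as real exports usually have.
ORDERS = [
    {"order_id": 1001, "name": "Maria Example", "email": "Maria@Example.org",
     "card": "4111 1111 1111 1111", "amount_eur": 49.90},
    {"order_id": 1002, "name": "maria example", "email": "maria@example.org",
     "card": "4111 1111 1111 1111", "amount_eur": 12.00},
]


def masked_orders() -> list:
    return [mask_record(o) for o in ORDERS]


if __name__ == "__main__":
    for row in masked_orders():
        print(row)
```

Because the mapping is deterministic, anyone holding the key can recompute the masked value for a known customer and find that customer's rows, which is exactly why the GDPR treats this as pseudonymized rather than anonymized data and why the key must live apart from the masked data set. Note also that untouched fields such as order amounts and timestamps can still single out an individual when combined with outside information, so masking a few columns does not by itself take a data set out of scope.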
Severe Consequences for Non-Compliant Companies
Non-compliance with the GDPR is simply not an option for medium-sized businesses, because the repercussions can be grave. Under Article 83, companies face fines of up to €20 million (roughly $26 million) or 4 percent of their total worldwide annual turnover for the preceding financial year, whichever is higher. The importance of personal data protection has lately been brought to the forefront again as big companies like Facebook have faced scrutiny for failing to properly secure users' data. Last July, the Information Commissioner's Office (ICO), the British privacy watchdog, announced that it intended to fine Facebook £500,000 (more than $650,000) over the Cambridge Analytica affair. That was the maximum penalty available under the UK's Data Protection Act 1998, which still governed the incident because it predated the GDPR; had the GDPR applied, the ceiling would have been 4 percent of Facebook's global annual turnover, which press reports put at up to $1.9 billion.
If you are thinking that your medium-sized company need not worry because attackers would never turn their attention to it, think again. According to the 2018 Verizon Data Breach Investigations Report, 58 percent of breach victims in the period it covers were categorized as small businesses. And as bleepingcomputer.com reported on February 6, 2018, research shows that cybercriminals do not discriminate by organization size when choosing their next target: small and large businesses are about equally likely to be hit, with 50 percent of companies employing between 100 and 1,000 people having been hit by ransomware, compared with 58 percent of enterprises with more than 1,000 and up to 5,000 employees.
The GDPR rules are here to stay, so American mid-sized businesses need to understand their obligations and take concrete steps to improve their data protection readiness.