Every company, large and small, that connects electronically or manually with consumers in the EU has been scrambling to comply with the General Data Protection Regulation (GDPR). If you collect, process, or store data that can be used to identify people—names, addresses, images, email addresses, bank details, social networking comments, IP addresses, or really, any personal information at all—the GDPR requires you to get permission to have, keep, and use that data, to explain what you’ll do with it, and to ensure its security.
Although its effective date is the 25th of May, 2018—meaning everyone who’s covered by the rule must comply with the regulations as of then—there’s still a good deal of uncertainty about what compliance with the GDPR looks like. An op-ed in The New York Times called the GDPR “staggeringly complex,” relying on broad principles that are too vague for anyone to understand.
Webport Global recently connected with John O’Reilly, CEO of Protectorate Solutions, Ltd of Limerick, Ireland. He’s one of the few people you’re likely to meet who actually does understand the GDPR. His company was formed specifically to help SMEs comply with the new regulations. Read on to find out what the law requires, how to be sure you’re doing all that’s necessary to avoid the massive fines that are possible for non-compliance, and how Protectorate Solutions might help.
WPG: What problems is the GDPR meant to solve?
O’REILLY: The GDPR looks after the fundamental rights of privacy for the individual. When data protection acts came in a number of years ago, technology was at a certain level. Since then it's just accelerated. The risk has increased 100 fold to the individual's personal data. So the regulations had to evolve with that risk.
WPG: Have the rules about gathering information about customers changed, or just the rules about protecting the information?
O’REILLY: Both. Before you ever collect any information, you must ensure that you're telling them on your privacy notice what you're collecting, why you're collecting it, what's the purpose of it, and how it will be processed. How it’s processed covers everything from the way that you can use data to the way you dispose of it, and how long it's going to be retained. You also need to disclose who you're going to share their data with, and what is it being shared for. That's before they ever give their consent or provide their personal data.
WPG: Let’s use a hypothetical example of Joe’s Shoe Company. The worst happens, and there’s a data breach; the data Joe was required to protect fell into the wrong hands.
O’REILLY: If Joe’s customers discover that their information has been hacked, and then discover the hackers got their information from Joe, and, worse, Joe hasn't reported it, he's in trouble for the non-report. Each individual, each of these clients, can actually sue Joe for a breach of their personal data.
WPG: So an SME has a lot of exposure, even if there is no actual loss. What can the SME do to mitigate that exposure, and show they did everything in their power to be compliant and protect against breaches?
O’REILLY: You have to document everything, first of all. You must create a document from start to finish that’s like a diary of how you became compliant. You might come to a decision that may be incorrect, but at least an inspector can see that you tried, that you considered A, B and C, and you put as much security as possible. And that may be important to the end result of the investigation.
WPG: So, the steps that a company takes to comply might protect them, even in the event of a breach?
O’REILLY: It might give them certain protection, depending how compliant they are. So that could possibly bring down this massive penalty.
WPG: And those penalties are in addition to how much a person whose data is breached could sue for, so the next question must be: how massive might those penalties be?
O’REILLY: They range from 10 million to 20 million euros or 2 to 4 percent of the company’s global turnover, whichever is greater. My understanding is that if the company shows just blatant disregard for protection of personal information, personal data, and there were major breaches, they could be put out of business very quickly.
WPG: How might Protectorate Solutions have protected Joe from these risks?
O’REILLY: Protectorate Solutions would have provided Joe with ironclad data encryption through its file organization and encryption software. If the hacker gets past his firewall and gets past all the password protections into his business, but Joe has all his customers’ data encrypted inside, it's like an inner wall of encryption defense. It goes beyond the firewall and password protection. Even if they're hacked, if it's all encrypted, the customers’ data can't be accessed. And under the General Data Protection Regulation, Joe doesn't have to notify every customer because the information that was stored is still safe.
WPG: So, if an SME’s customers’ data is safe, the business is safe?
O’REILLY: Yes, but under the GDPR, they will also have to show documentation, if asked for evidence of compliance.
WPG: What kind of documentation is required and how do you create it?
O’REILLY: I would say, look at your existing documentation, and see where it relates to personal information. This needs to be compliant with the principles of the GDPR. What you need to do then is just map the life cycle of the information. Where is the information coming from? How do we collect it? How many different sources? Where does it go in the business? How do we use it? Who has access to it? How is it deleted when its purpose is completed?
Map it all out, literally like drawing a map of where it comes to where it goes right up to advertising, from billing account to the disposal. And a lot of people don't dispose of it now. They always keep it for ‘what if?’ That doesn't apply anymore under GDPR. You’ll probably find that you’re collecting information that you don't need and that will be in breach of the GDPR.
WPG: So, an SME still has a good deal of preparation to do for the GDPR, even if Protectorate Solutions is guarding the company’s data from bad actors?
O’REILLY: You must put in policies and procedures, and training obviously and awareness with staff. You have to figure out how a breach could occur and mitigate the risks so as to protect personal data. Hacking isn’t the only way one can happen. For example, using automatic e-mail addresses, and hitting the wrong John O'Reilly could be a fatal blow under GDPR. But if you had our encryption program, and the right John O’Reilly is the only one with the password that is needed to open that email attachment, the wrong recipient can’t get that information, and it's still not a breach.
For more information about Protectorate Solutions and the GDPR, please visit: