New regulations always mean a flurry of activity for affected companies, and the European Union’s new General Data Protection Regulation is no exception.
The bill passed in 2016, but it gave companies two years to fall in line. That means the deadline of May 2018 is looming for companies with consumer data interests in the EU.
Not making that deadline could mean fines and civil suits. And then there’s the possibility of cultivating a bad reputation for not caring enough about the protection of personally identifiable data of consumers.
It doesn’t matter if a company is based in the EU or not. It doesn’t even matter how big or small they are. If they handle consumer data involving EU citizens, they are liable under the new regulations.
So, let’s break down three things that companies may be overlooking during their preparations.
1. Cloud Computing
When choosing a cloud provider, the level of protection they offer for data in general, and consumer data in particular, is already (or should be) very important for businesses. Cloud providers have a direct obligation to provide suitable protection for the data they host.
Before the GDPR, that was more of a marketing angle than a regulatory one, but the new regulations make it a bigger concern.
However, some companies are using this to their advantage. Even if their customers don’t deal with the EU, the ability to say they meet GDPR standards is a relevant marketing tactic.
But the cloud providers don’t have all the obligations. Cloud customers share some of the burden: under the new regulations, they may be liable if the cloud provider they use to host data ends up falling outside of GDPR compliance.
That means businesses with EU customers have to be extremely picky when choosing a cloud provider going forward.
GDPR makes a distinction between companies that handle the data and companies that own the data, but the rules apply to both.
2. Internet of Things
Smartphones are the obvious one here.
Except, it might not be so obvious in the face of compliance with the GDPR. After all, IoT deals mostly with machine data, but a large amount of consumer data lurks on these devices, too.
The amount of customer data stored by applications is quite large. That applies to apps on smartphones, as well as smart home devices.
A substantial privacy concern with IoT devices now is that they can be a pretty easy target for security breaches. With the new regulations, IoT manufacturers and providers are going to have to be more diligent about shoring up defenses on existing products as well as doubling down on security features when developing new devices.
3. Marketing and Sales Data
Many companies already have this one on their radar, but just as many companies may be overlooking it, especially Business-to-Business (B2B) companies.
Business-to-Consumer (B2C) companies clearly have a higher stake in customer data because they tend to deal more with individuals and thus have larger databases for consumer sales. This means they have a higher potential for harboring personally identifiable data.
But B2B entities can’t afford to forget about this, either. Although they primarily deal with businesses, B2B sales and marketing professionals still use information about individuals in order to make those business sales.
One way to make sure this area isn’t overlooked is by updating Customer Relationship Management (CRM) systems to be sure that they properly protect the data of sales contacts.
No matter where your company is located, if you’re dealing with personally identifiable data from residents of the EU, you can’t afford to forget that the GDPR compliance deadline is coming in May 2018.
In particular, you want to make sure you aren’t overlooking affected data types that might not be immediately obvious, like cloud computing, IoT, and marketing or sales data.
You can find this interview and many more by subscribing to Defrag This.