As the Internet makes it easier than ever to do business around the world, small businesses may find themselves increasingly subject to privacy laws in other countries. Yet only one in seven (14 per cent) small business owners know about the impending General Data Protection Regulation (GDPR), according to Shred-it’s 2017 Security Tracker conducted by Ipsos.
In May 2018, the GDPR will introduce sweeping new data protection requirements for businesses that process European Union (EU) citizens’ personal data. The GDPR comes with heavy penalties for businesses of any size and in any country that are non-compliant.
Not only are most small business owners unaware of the GDPR, but many are far from meeting the GDPR’s data protection standards. The Security Tracker revealed over a third (37 per cent) of small business owners never audit their company’s information security procedures and less than half (45 per cent) claim to have a strong understanding of their legal requirements to protect data.
“In today’s globalized business environment, the GDPR will affect not only multi-nationals but also small businesses that have transactions with EU citizens,” says Paul Saabas, Vice President at Shred-it. “Even if you’re not subject to the GDPR, your small business will benefit from strengthening its information security practices. As more and more personal data is transferred across borders, consumers may start to seek out businesses that meet both local and international privacy standards.”
1. Know what you don’t know
The first step in becoming compliant with any legislation is to know what data your business processes, where it’s stored and what the risks are. Audit both the data your business keeps – whether on hard drives, premise servers or paper files – as well as the data processed by third parties, such as your cloud storage providers. The GDPR mandates regular Privacy Impact Assessments (PIAs) to identify privacy risks in projects or initiatives. Carry out PIAs in the early stages of any project so that data protection is part of your thinking from the beginning.
2. Educate, inform, coach
All employees share the responsibility to protect sensitive data and keep your business compliant. The GDPR mandates ‘privacy by design’ in some cases, which requires businesses to build data protection measures into staff training and human resource policies. Get ahead of the curve and start teaching your employees about data protection and information security now. As the saying goes, ‘knowledge is power’ – and knowledge can save your business from the significant legal consequences or reputational damage of a data breach.
3. Ask an expert
When it comes to changes in legislation, don’t take your chances – especially with something as important as privacy compliance. Speak to an external legal expert who can help you understand if or how the GDPR affects your business, as well as your requirements for privacy protection in Canada.