Chicago Business Attorney Blog
Small business owners with customers based in the European Union will want to circle May 25 on their calendars. That’s the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, significantly impacting enterprise cybersecurity and data governance policies and practices among organizations that handle data on EU citizens and residents.
In the U.S., businesses do not face an overarching data protection law—measures related to data protection are contained in various statutes and regulations, many of them at the state level, with California and Massachusetts, home to major tech companies, having probably the strictest requirements.
Stateside small businesses will need to continue to keep track of the patchwork quilt of U.S. laws and regulations while gearing up to become 100 percent compliant with GDPR, which means they need to begin implementing the necessary technologies yesterday.
GDPR will protect a panoply of personally identifiable information like banking, health and government identity records, along with any data that can be geo-linked to a cell phone, medical device or another Internet-enabled gadget. Businesses will need to paint a complete picture of all the data they collect, store and process—and then ensure that they have adequate protections for it.
Adequate protections can amount to restriction of data access to certain authorized personnel, the use of proper authentication, the implementation of proper procedures to backup, retain, archive and destroy data, and evaluation of third parties that have access to the data—to ensure that they have all those same adequate protections.
This is a challenging set of requirements to balance, but making it more doable is the fact that the GDPR requirements for data protection are fairly well lined up with most of those in the U.S. Data protection practices required by GDPR do not conflict, for example, with the Cybersecurity Framework promulgated by the National Institute for Standards and Technology.
To make this new scenario manageable, small businesses should not purchase specific storage systems for EU customers, develop different policies and enforcement structures, or otherwise treat data in different ways for European and American customers. The most efficient solution would be a unified compliance regime that accounts for the GDPR’s more intensive requirements through increased information lifecycle management efforts.
In implementing this, businesses can manage their reams of data and metadata, track it through its lifecycle from creation to destruction, classify the data into tiers, and provide specific criteria to manage its storage. They will need to understand where data is kept, including whether it’s with a third party, who has access to it and whether backups exist. This will help maintain compliance with GDPR regulations.
Company leaders who have EU customers must ensure that they become compliant with GDPR while still maintaining all other location- or industry-specific cybersecurity and data privacy regulations. To accomplish this, they need to hire the right team, delegate to them and provide necessary resources to succeed—and avoid hefty fines and other consequences.
The calendar is moving quickly toward May 25, and the time to act is now.