GDPR: What is the first thing a business should do?

I’m sure you’ve noticed the impact of the European Union’s General Data Protection Regulation (GDPR) since it went into effect in May – it’s hard to miss. You’ve probably, at a minimum, been asked by sites to accept their new terms and cookie collection policies. But, there are still so many questions about what this means for businesses – especially small- to medium-sized businesses in the U.S.

We were curious as well – and asked our questions to Drew Larson at BrownWinick. His responses are below. After you read through, if you determine that GDPR applies to your organization and you need updates to your website or applications, please reach out.
Kelly: Who does GDPR apply to?

Drew: If a business has data on an EU citizen or resident, it likely applies. It does not matter where the business is located. So, you can be a business in the U.S., and GDPR applies to you.

Kelly: In only a few sentences, what does this mean to a business if they have data about an EU citizen?

Drew: It means that they need to provide more transparency into the data collection process and how they intend to use that data. Further, people need to be able to access the data you collect on them and they have a “right to be forgotten” – essentially, they can request that a business erase their personal data from their records. Finally, if there is a data breach, individuals must be notified within 72 hours.

Kelly: What are examples of some data that business may have on EU residents?

Drew: Examples of personal data would be names, email addresses, addresses, and phone numbers. You don’t necessarily always need consent from the individual to collect personal data, but consent is generally required when collecting sensitive data, such as race, religious or political affiliations, and any health details.

Kelly: So, if it applies to me, where do I start?

Drew: Do an audit of the information your company collects and ask yourself some questions like:

  • What information are we collecting?
  • How are we collecting it?
  • How are we using the data?
  • Have we obtained consent through the terms of use and privacy policies we have in place?
  • Are we following those policies?
  • Could we give someone all of the data about them if they asked?
  • Could we “forget” them, if requested?

The answers to these questions will help you review and update your privacy policies and practices. This can be an overwhelming task and it may be advisable to consult counsel that is knowledgeable on GDPR and other data privacy regulations.

Once policies are up to date and you know the changes you need to make in regard to data collection, work with your IT team or technical partners (like Far Reach) to implement the recommendations. Recommendations may be adding a cookie collection alert to your website or updating the privacy policy and alerting your customers to the changes.

Kelly: What is the risk?

Drew: Because GDPR is relatively new, it’s hard to say what enforcement is going to look like. We know that the penalty is steep. The penalty is UP TO 4% of annual global turnover or €20,000,000, whichever is greater.

As far as data breaches go, the current research shows that the average breach notification cost is about $2.50 per customer. Depending on the number of customers, that can add up fast. It may be beneficial to consider what privacy measures would reduce your risk. For example, you may be able to mitigate some of the risks of a data breach by keeping the data encrypted, so it may be wise to explore this with your technology partners.

Kelly: What other takeaways should we be aware of?

Drew: Security and data privacy concerns are not going to go away. We’re seeing more regulations coming from various states. For example, California recently enacted a comprehensive data privacy law that is scheduled to go into effect in 2020. And this may be the tip of the iceberg. So, what can a business do to comply with a fast-changing patchwork of laws and regulations?

GDPR is getting a lot of attention right now, but it probably makes more sense for businesses to adopt a “Privacy by Design” attitude, which takes privacy into account through the entire software development process. The new California law imposes similar obligations on businesses as GDPR, so we expect that GDPR will likely provide a general framework for future regulations. Taking the time now to understand and comply with GDPR will help reduce the burdens on your business in the future as new laws arise on the horizon.

Here is a handout that briefly explains a lot of what we’ve talked about today. Feel free to print and share.