Most businesses are seeking to answer one simple question: Is the GDPR something I have to worry about? Here are some basic criteria for assessing whether the GDPR applies to your organization:
- Do you have any business involving EU residents? The GDPR formally extends only to EU citizens’ personal data, although organizations are welcome to extend the protections to all consumer information if they so choose. If your operations are fully and completely isolated from Europe, the GDPR may not need to be on your radar screen. But keep in mind, it’s difficult to wall off much of a continent in this Internet age. Your company needn’t be located in the EU or have any physical presence there. If a simple newsletter sign-up, for example, could capture email addresses from French, German, or even British citizens (the U.K. appears set to implement the GDPR, Brexit aside) or any other EU residents, that activity must be GDPR-compliant.
- Do you collect or process personal data? The regulation covers “personal data,” which refers to essentially any information that could be used to identify an individual, such as name, address, email address, or IP address. The GDPR also covers “sensitive personal data,” which would span genetic information, religious or political views, images uploaded to the internet, and much more. Overall, “handling data” is a pretty low threshold to meet. A wide range of companies collect, use, process, or otherwise engage with the numerous types of data covered by the GDPR.
- Are you a data owner or processor? In a significant change, the regulation includes requirements for data processors. In the past, only so-called data controllers—organizations with ownership of particular data—were held accountable for privacy and security regulations. These data owners were expected to oversee any data processing partners, but the processors themselves were largely ignored. Now privacy and data protection requirements fall on both parties. Again, if your organization touches personal data in the EU, the GDPR likely applies.
What about Small Companies?
The GDPR is sweeping in terms of the companies and other organizations it will affect. Any organization involved with any EU resident’s personal information had better get informed. In fact, many experts are counseling startups and small businesses to get on board, as the protections required by the GDPR may be easier to establish in the early stages of IT systems and process development.
Even so, the mention of companies with “250 or more employees” in parts of the GDPR text has led some smaller entities to ignore the regulation. Most experts say this is a mistake. According to Naked Security, “GDPR requires that any company doing business in the EU—no matter the size—more securely collect, store and use personal information. And like the big guys, smaller companies face fines for violations that may occur.”
Some provisions, such as requirements to employ a data protection officer (DPO), may apply primarily to larger companies, except where an entity is involved in “regular and systematic monitoring” at large scale. If data is a significant part of the business or central to its activities, however—or if there is involvement of such highly sensitive data as health, racial/ethnic, political, biometric, or genetic information—it’s probably best to assume the DPO requirement and other GDPR provisions will apply.
It’s also important to note that companies using cloud providers will not be exempt, so blaming AWS or Microsoft Azure will not qualify as an excuse for GDPR-related shortcomings.
The bottom line: many SMEs, along with larger and multinational corporations, will need to get a better handle on their data ASAP.
Chris Adams is President and COO of Park Place Technologies. Contact him at firstname.lastname@example.org.