
Are You Ready for GDPR? Part II
A few weeks ago, the Securetain team received an unexpected call from a client who had just signed a contract with a US-based company to migrate their corporate email system to a cloud provider. Along with the signed contract came a detailed five-page questionnaire on how private information would be handled. This is a wake-up call for small businesses, especially those doing business internationally: GDPR matters—even if you don’t think you’re affected.

The Surprising Reality of GDPR for Small Businesses
Many small businesses, particularly in the US, don’t consider GDPR (General Data Protection Regulation) because they don’t think they process personal data that falls under its jurisdiction. But here’s the catch: The client in this case not only had an international presence but also employed a Data Privacy Officer based in Europe. This shows that any business working with international clients could be subject to GDPR regulations—even if it’s not immediately obvious.
If you're in a similar position—doing business across borders—this article is for you. It’s essential for businesses, especially in Sales and Marketing, to understand the GDPR requirements and how they impact client relationships and data management.
GDPR: A Quick Overview
You might be familiar with the EU Data Protection Act of 1998, which was a precursor to the GDPR. But GDPR is more comprehensive and robust. It gives individuals more control over their personal data and outlines strict rules about how businesses can use, store, and share that data.
The key changes brought by GDPR include:
- Increased rights for individuals over their personal data.
- The right to decide how third parties can use their information.
- The ability to request, update, restrict, and even stop the processing of personal data.
For small businesses, understanding these rights is the first step in making sure you’re compliant and transparent with your customers.
The Challenge: Implementing GDPR Rules
The challenge for many businesses, especially small ones, is figuring out how to comply with these rules. It’s not just about understanding the law—it’s about putting the right practices in place to handle data responsibly and in compliance with the law.
Exhibit A (see below) outlines some of the key GDPR rules that businesses need to follow. Understanding these will help you start putting the right processes in place for compliance. The Securetain advisor conducted a three-day assessment of the client’s GDPR readiness, delivering a gap analysis and suggested actions within five days.
If your team is spending more than three days deciding on what needs to be done, it might not just be a GDPR issue—it could be a broader information security and data privacy problem. The objective here is to quickly understand what needs to be done and how to implement it.
Educate Your Team—Especially Sales & Marketing
Securetain will dive deeper into these sales-related issues in our next post, so stay tuned!
Exhibit A – Key GDPR Rules
Below is a summary of some of the essential GDPR rules, grouped by topic; note also the distinction between data processors and data controllers, since the obligations differ for each.
Scope, Timetable and New Concepts | Data Transfers
---|---
Material and territorial scope | Transfers of personal data
New and significantly changed concepts |
Registration |
Lawfulness, fairness, and transparency | Regulators
Data protection principles | Appointment of supervisory authorities
Lawful bases for processing and further processing personal data | Competence, tasks, and powers
Legitimate interests |
Consent | Co-operation and consistency between supervisory authorities
Consent to process children's personal data | European Data Protection Board
Sensitive data and lawful processing |
Individual rights | Special cases
Right to be informed | Derogations and special conditions
Subject access, rectification, and portability |
Rights to object |
Right to rectification and data quality |
Right to erasure, including retention and disposal |
Right to restriction of processing |
Rights related to automated decision-making, including profiling |
Accountability, security, and breach notification | Delegated acts and implementing the act
Data governance obligation | Delegated acts, implementing acts, and final provisions
Data processor contracts | Data Privacy Officer
Data protection |
Personal data breaches and notification |
Codes of conduct and certifications |