Disclaimer: This article is not meant to replace legal advice for GDPR compliance. Instead, Skaled’s expertise in Sales and Marketing is used to provide a better understanding of how the new EU privacy laws might impact your business. We ask that you do not rely on this as legal advice, or as a recommendation of any particular legal understanding.
GDPR marks the biggest change to European data privacy and security in the last 20 years.
And enforcement of the law is only two months away.
While the General Data Protection Regulation (GDPR) will most directly affect the work of your sales and marketing teams, coming into compliance should be an executive-led effort; ultimately, an organization’s CEO and board of directors are accountable for compliance.
Even so, a recent survey found that 42% of marketing professionals cite a lack of executive support as a significant roadblock in preparing for GDPR.
As an executive leader of your company, you will want to keep in mind how non-compliance can impact your business’ finances, reputation, and productivity.
But first, read on to find out whether GDPR applies to you — and it probably does unless you do absolutely zero business with anyone in the EU.
Who Does GDPR Apply To?
Even if your company is US-based and has no operations in the EU, that does not mean you are exempt. Article 3 extends the regulation to businesses outside the EU that process the personal data of individuals in the EU, where that processing relates to offering them goods or services (paid or free) or to monitoring their behaviour. For example, if you market products to EU residents, track their activity on your website, or survey them, you will need to be GDPR compliant even if no financial transaction ever occurs.
Now you might be wondering, how likely are EU authorities to go after US companies… and how?
Considering the regulation was specifically written to expand the EU’s territorial scope of enforcement, US companies won’t receive any free passes.
A company without an EU presence that falls under Article 3 is, with limited exceptions, required by Article 27 to designate a representative in the EU, which gives regulators a local point of contact for enforcement. And even though there is no US law analogous to GDPR, EU regulators can already pursue cross-border enforcement against US companies through international cooperation.
Here’s the bottom line: a US company that handles the data of people in the EU is within reach of GDPR enforcement and its fines.
How Ready Are Most Executives for GDPR?
As it turns out, not very:
Gartner recently reported that over 50% of companies will not be compliant by the end of 2018. Moreover, 46% lack a formal governance strategy, and 39% do not yet have a budget in place for data governance.
Now, let’s turn to the big question of what authorities will view as non-compliance and the type of consequences you could expect to face.
What Qualifies as Non-Compliance?
Article 83 lists the factors authorities must weigh when deciding whether to impose a fine for a violation and how large it should be. These include:
- Nature, severity, and duration of the violation
- Categories of affected personal data
- How the violation came to the authority’s attention, including whether you reported it yourself
- Previous violations
- Real harm done and efforts to mitigate damage
- The degree of responsibility of controller or processor
- Certifications and adherence to codes of conduct
- Cooperation (or lack thereof) with authorities
Keep in mind that authorities will also take into account whether the violation was intentional or negligent, and whether you notified the supervisory authority of a personal data breach within the 72 hours of becoming aware of it that Article 33 requires.
Now, let’s take a closer look at the implications of non-compliance.
Consequences of Non-Compliance
Let’s break it down into 3 key areas, beginning with the financial penalties.
1. Financial Penalties
Most significantly, your company could receive a heavy fine.
For the most serious violations, the fine can be up to 4% of your company’s global annual turnover (for the preceding financial year) or €20 million, whichever is higher. Less serious violations can lead to a fine of up to 2% of annual turnover or €10 million, whichever is higher.
For example, failing to notify the supervisory authority of a data breach within the 72-hour window is itself a violation (of Article 33), one that falls into the lower fine tier; the actual amount would then depend on the severity of the breach, the reason for the delay, and the other Article 83 factors listed above.
The best way to prevent this worst-case scenario is to appoint a Data Protection Officer, stay informed on the regulation, and, to the extent possible, check in with your leadership team for updates on preparedness. Ideally, a clear process for reporting data breaches and violations should also be established across all teams.
2. Reputation Loss
Needless to say, if your business is found non-compliant or suffers a security breach, your customers and the general public will find out; Article 34 in fact requires you to notify affected individuals of a breach that poses a high risk to them.
This means your reputation and credibility will take a hit, as will your clients’ trust in your ability to keep their information safe.
Clearly, the best way to avoid damage to your company’s reputation is to ensure compliance.
Aside from investing in the resources needed to prepare your IT, sales and marketing teams, keep a record of what changes you made, when they were implemented and how much was invested.
GDPR’s accountability principle (Article 5(2)) requires you to be able to demonstrate compliance, and this kind of record backs up your efforts, which can potentially reduce fines and minimize loss of trust.
3. Productivity Loss
Following the consequences outlined above, non-compliance is likely to lead to a drop in your customer base.
For your sales VP, this will present a significant blow to existing funnels, leads and sales outcomes. As you can imagine, alongside the fines and loss of trust, it will take significant time and money to rebuild them.
Common Barriers to Compliance and How To Avoid Them
Even though human error and blind spots are always a possibility, there are ways to mitigate risk.
With this in mind, here are the biggest barriers to compliance for US companies:
- The law’s complexity
- Shortage of tech tools
- Too little time
- Inadequate budget
- Lack of qualified staff
What can you do to overcome these barriers and make sure they don’t lead to non-compliance?
First and foremost, make sure your staff is informed. Whether it’s reading up on the official website of the regulation or checking out Skaled’s blog posts on GDPR risks and implications, it’s important for everyone to know the basic elements of the law.
What’s more, GDPR requires you to appoint a data protection officer (DPO) if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health information (Article 37). Among their main functions, DPOs inform and advise your employees on compliance, train staff, conduct audits, monitor performance and serve as the point of contact for the supervisory authority.
As previously mentioned, this article does not replace legal advice for GDPR compliance, so it’s always a good idea to obtain advice from a qualified legal expert. However, Skaled can help you make sure you implement and optimize the right technology for your business to make sure you’re prepared for GDPR.
For more information on how you can prepare your sales and marketing teams for the GDPR, download your copy of the eBook: The GDPR Guide for B2B Executives and Sales Leaders.