As cybersecurity incidents continue to increase globally, governments are starting to step in to protect their citizens’ personally identifiable information (PII). GDPR went into effect in the EU last year, and the California Consumer Privacy Act (CCPA), which is set to launch on January 1, 2020, will soon follow.
These are just a few examples. Today, there are dozens of similar privacy regulations around the world in some stage of development.
As your clients’ managed service provider, you should educate your customers on how these laws impact them. If you’re thinking that small businesses are sheltered from these laws, you are wrong. If your customers have at least 250 employees and are engaged in targeted marketing campaigns or deal directly with customer data as part of doing business, then you need to be aware of these laws and their implications for these businesses.
A recent survey sponsored by international law firm McDermott Will & Emery, and carried out by the Ponemon Institute, found that most businesses, regardless of their size, are ill-prepared for privacy regulations like GDPR.
In fact, the survey of 1,263 organizations in the US, Europe, China, and Japan found that just 18 percent of respondents were highly confident that they could communicate a data breach to authorities within 72 hours of being aware of a problem. Meanwhile, almost half had reported at least one breach.
Getting started
This data is bad news, because these laws are strict and violations can result in stiff fines if regulators believe a company was careless with data or failed to fully comply with the law. According to Mark Schreiber, partner and co-leader of McDermott’s Global Privacy and Cybersecurity Practice, one way to get started is by conducting a risk assessment.
“Companies would benefit from conducting risk assessments and engaging forensic professionals who can identify vulnerabilities and recommend improved processes and remediation. If done under litigation or attorney privilege, organizations can further safeguard themselves,” he said in a statement.
Of course, this approach might be too costly for some SMBs. However, if your client does business in the EU and deals with personal data, you may want to consider at least hiring a consultant to make sure they are compliant. As other laws like CCPA come online, it will only get more complicated, so having someone you can rely on to help you sort this out could prove useful in the long run.
You also might want to look at software solutions to help your clients comply. Whatever you do, you can’t simply bury your head in the sand and pretend these regulations don’t exist. It’s better to be proactive, and should you run afoul of regulators, you can at least show you were making an effort.