By Michelle Drolet
Privacy is one of the most important human rights we cherish. GDPR is essentially an enforcement of our right to privacy in the digital world. The creation of the GDPR regulation demands a conversation focusing on data ownership and control. Who owns the data and who controls it?
The importance of privacy may be best understood by examining the invasion of privacy in our daily lives. Think of invasion of privacy in terms of physical intrusions (e.g. planting secret recording devices) or informational intrusions (e.g. an employer reading personal email).
Confidentiality, personal data protection, data encryption, data security, anonymity, and adherence to fair information practices create an informational dimension to privacy.
Other dimensions of privacy include decisional intrusions (e.g. states banning assisted suicide), proprietary intrusions (e.g. advertisers using someone’s photo without consent), associational intrusions (e.g. seeking membership in an exclusive club) and intellectual privacy.
GDPR is the European law that governs how your personal data is protected. The Regulation defines rules relating to the processing of personal data and the free movement of personal data. To quote the law, “It protects fundamental rights and freedoms of natural persons and their right to the protection of personal data.”
If your business deals with personal data from a citizen of the EU, then your business falls under the requirements of GDPR. There are no exemptions for small organizations. If your organization collects or processes data from EU citizens regardless of their location, then GDPR applies to you.
As the enforcement date of GDPR nears (May 25), any company caught in non-compliance may face fines of up to $24 million (€20 million) or 4% of the previous year’s revenues, whichever is higher. The soft cost of reputational damage could be even higher. In the aftermath of British telecom TalkTalk’s data breach, for example, the company lost more than 100,000 customers and was fined $500,000 by U.K. authorities. The news was noteworthy for being one of the steepest fines ever levied on any company.
The problem can be so grave that PwC reported that 92% of US multinationals named GDPR as a top priority. Most of the companies surveyed plan to spend $1 million or more on compliance. Nobody can tell you what non-compliance with GDPR will cost a business, but there’s a good chance it will prove more expensive than abiding by its rules. Be smart: reach out to a GDPR consulting firm that can perform a risk assessment and business impact analysis so you can fully understand your exposure.
Privacy concerns among consumers are top of mind like never before, compelling businesses to invest in GDPR. Like all regulations, this one is complex. There are 99 GDPR articles that need to be examined for applicability to your business processes.
GDPR requirements formalize a set of principles that you should already be following. If this prompts companies to review the data they collect and assess whether they need to store it, then that’s a good thing. Too many companies neglect to protect customer data, which creates unnecessary risk.
There’s no excuse for neglecting to create privacy policies. Companies should not treat data protection as something optional.
About the Author
Michelle Drolet is founder of Towerwall, a data security services provider in Framingham, MA, with clients such as Smith & Wesson, Middlesex Savings Bank, WGBH, Covenant Healthcare and many mid-size organizations. She can be reached at [email protected].