
10 Actions Mid-Sized Businesses Should Take Because of GDPR and CCPA

Jeremiah Robinson  |  
Apr 11, 2019

If you own a business or manage an IT or marketing department with an online presence or a mailing list, the new privacy laws passed in Europe and California will almost certainly affect you, and sooner than you may think.

Following is a brief summary of our understanding of the laws, along with recommended actions. For a more detailed overview, click here.

In 2017-18 two major pieces of legislation passed around data privacy and security: the GDPR in Europe and the CCPA in California.

Both laws:
  • Address consumer data privacy and security
  • Regulate companies which reside outside their borders
  • Require significant investments for compliance and penalties for noncompliance
  • Regulate children differently from adults
 

10 Actions You May Consider Taking

 

7 Technical Steps (IT)

  1. Determine if any of your consumer customers reside in or might move to Europe or California. If not, you may be able to buy yourself some time until other states introduce legislation.
  2. Identify what information you collected or stored about your customers' identity, household, or electronic devices in any of your business systems. You'll need to know where you got it, what you used it for, and who you gave it to.
    • Microsoft has tools to help search your cloud and on-premises data to help categorize personal information, including Microsoft Information Protection and Advanced Data Governance.
  3. Determine whether your website has any components (including third-party widgets or ads) that collect your customers' IP addresses. If so, you are a seller of customer information because you're receiving something of value in exchange for sharing the personal information. 
  4. Look into how securely your customers' sensitive personal information (Social Security number, birthdate, credit card number, etc.) is stored and transferred. Your liability around these items will grow as a result of these laws.
  5. Then ensure the level of security is commensurate with your updated risk profile under the new laws. This may require changes to both your technology and your business processes.
  6. Catalog and organize all the personal information you have in your databases, ERP systems, and other tools in such a way that you can provide it back to customers and/or delete it quickly and efficiently, preferably in an automated manner.
  7. Set up a section on your homepage and a toll-free number where customers can:
    • Opt out of the collection and sale of their personal information (California)
    • Request that you delete their personal information
    • Request to know what information you have about them, where you got it, who you've given it to, and what you used it for
    • Opt in to the collection and sale of their personal information (Europe)
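Step 3 asks whether the site embeds components that hand visitors' IP addresses to someone else; every script, image, iframe or media element fetched from another host does exactly that. The following scanner is an added example, not code from the original post or from Skyline: it inventories the third-party hosts a page makes the browser connect to, using only the Python standard library. The sample page, the first-party domain `example.com` and the `.invalid` vendor hosts are constructed for the demonstration.

```python
# Added example (not from the original post): list the third-party hosts a web
# page embeds, since each embed sends the visitor's IP address to that host.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a resource from a remote host.
RESOURCE_ATTRS = {
    "script": "src", "iframe": "src", "img": "src", "source": "src",
}

class ThirdPartyInventory(HTMLParser):
    """Collects (tag, host, url) for resources not served from the first-party domain.
    Subdomains of the supplied domain (e.g. cdn.example.com) count as first-party."""
    def __init__(self, first_party_domain):
        super().__init__()
        self.first_party = first_party_domain.lower()
        self.findings = []

    def _is_third_party(self, host):
        host = host.lower()
        return host != self.first_party and not host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(RESOURCE_ATTRS.get(tag, ""))
        if not url:
            return
        if url.startswith("//"):      # protocol-relative URLs still leave the origin
            url = "https:" + url
        host = urlsplit(url).hostname  # None for relative paths such as /images/x.png
        if host and self._is_third_party(host):
            self.findings.append((tag, host, url))

def third_party_hosts(html, first_party_domain):
    """Return the sorted set of external hosts that receive visitors' IP addresses."""
    parser = ThirdPartyInventory(first_party_domain)
    parser.feed(html)
    return sorted({host for _, host, _ in parser.findings})

# Constructed sample page for a hypothetical first-party site, example.com.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="//tags.analytics.invalid/tag.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="https://pixel.tracker.invalid/p.gif?u=123" width="1" height="1">
<iframe src="https://ads.adnetwork.invalid/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_HTML, "example.com"):
        print("third-party recipient of visitor IP addresses:", host)
```

Run it against each page template of your site; every host it lists is a data recipient you need to account for in the inventory from step 2.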
 

3 Organizational Steps (Management)

  1. Understand and document the business reasons behind compliance. Compliance is usually a response designed to mitigate the risk of lost business, fines, litigation, etc. Understanding these risks and their costs will make the conversations regarding investment easier.
  2. Gain executive leadership commitment in terms of involvement, messaging, budget, and oversight. Clarity on expectations is essential. Changing culture will not be possible without this commitment.  
  3. Establish a governance structure to oversee the organization’s information security program (security leader, red team, blue team, etc.). The governance team should report directly into the executive leadership team and will implement programs such as the following:
    • Risk management: How do you assess and respond to ongoing risks?
    • Incident response: How do you respond if the unthinkable happens?
    • Business continuity: How do you recover as a business?
 

What's Next

GDPR is already in effect, and CCPA goes into effect January 1, 2020. That's not a lot of time, considering how much needs to happen.
 
Skyline is GDPR-compliant through our participation in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and we're familiar with the Microsoft tools mentioned. If you're interested in further discussion about privacy or data security compliance, or you would like to set up a risk management program, contact us today.
 