
10 Actions Mid-Sized Businesses Should Take Because of GDPR and CCPA

Jeremiah Robinson  |  
Apr 11, 2019

If you own a business or manage an IT or marketing department with an online presence or a mailing list, the new privacy laws passed in Europe and California will almost certainly affect you, and sooner than you may think.

Following is a brief summary of our understanding of the laws, along with recommended actions. For a more detailed overview, click here.

Two major pieces of data privacy and security legislation came into force over 2018, one in Europe and one in California: the EU General Data Protection Regulation (GDPR), adopted in 2016 and enforceable since May 25, 2018, and the California Consumer Privacy Act (CCPA), signed into law in June 2018.
Both laws:
  • Address consumer data privacy and security
  • Apply to companies located outside their borders if those companies handle data about people within them
  • Require significant investments for compliance and penalties for noncompliance
  • Regulate children differently from adults

10 Actions You May Consider Taking


7 Technical Steps (IT)

  1. Determine whether any of your consumer customers are located in the EU or are California residents, or are likely to become so. If not, you may be able to buy yourself some time until other states introduce similar legislation.
  2. Identify what information you collected or stored about your customers' identity, household, or electronic devices in any of your business systems. You'll need to know where you got it, what you used it for, and who you gave it to.
    1. Microsoft has tools to help search your cloud and on-premises data to help categorize personal information, including Microsoft Information Protection and Advanced Data Governance.
  3. Determine whether your website has any components (including third-party widgets, analytics tags, or ads) that send your visitors' IP addresses to another company. An IP address is personal data under GDPR, and if you receive something of value (a free widget, ad revenue, analytics) in exchange for letting a third party collect it, you may fall under CCPA's broad definition of a seller of personal information. Note that a static review of your page source only finds resources referenced directly in the HTML; a tag manager or ad loader can pull in further third parties at runtime, so check those configurations separately.
  4. Look into how securely your customers' sensitive personal information (Social Security numbers, dates of birth, payment card numbers, etc.) is stored and transferred. Your liability around these items will grow as a result of these laws.
  5. Then ensure the level of security is commensurate with your updated risk profile under the new laws. This may require changes to both your technology and your business processes.
  6. Catalog and organize all the personal information you have in your databases, ERP systems, and other tools in such a way that you can provide it back to customers and/or delete it quickly and efficiently, preferably in an automated manner.
  7. Set up a section on your homepage and a toll-free number where customers can:
    • Opt out of the collection and sale of their personal information (California)
    • Request that you delete their personal information
    • Request to know what information you have about them, where you got it, who you've given it to, and what you used it for
    • Opt in to the collection and sale of their personal information (Europe)

3 Organizational Steps (Management)

  1. Understand and document the business reasons behind compliance. Compliance is usually a response designed to mitigate the risk of lost business, fines, litigation, etc. Understanding these risks and their costs will make the conversations regarding investment easier.
  2. Gain executive leadership commitment in terms of involvement, messaging, budget, and oversight. Clarity on expectations is essential. Changing culture will not be possible without this commitment.  
  3. Establish a governance structure to oversee the organization’s information security program (security leader, red team, blue team, etc.). The governance team should report directly to the executive leadership team and will implement programs such as the following:
    • Risk management: How do you assess and respond to ongoing risks?
    • Incident response: How do you respond if the unthinkable happens?
    • Business continuity: How do you recover as a business?

What's Next

GDPR is already in effect, and CCPA goes into effect January 1, 2020. That's not a lot of time, considering how much needs to happen.
Skyline is GDPR-compliant through our participation in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and we’re familiar with the Microsoft tools mentioned. If you're interested in further discussion about privacy or data security compliance, or you would like to set up a risk management program, contact us today.

