File this story under "I thought I'd seen it all in this business."
A distributor recently approached us about moving their software into our Cloud. Naturally, I was pleased to take the conversation, and my eyes were opened when he explained why:
One of his customers, a Fortune 500 manufacturer, was insisting that all its vendors comply with the new EU privacy laws under GDPR. The distributor's on-premises system couldn't provide the stringent, required security assurances—so to keep the customer, he's moving to the Cloud.
No doubt you've heard of GDPR (it was certainly the hot topic in my email inbox in May). But how much should you care about it? Does GDPR apply to your distribution business? Let's have a quick discussion of GDPR: what it is, how it affects your business, and what steps (if any) you should be taking.
What is GDPR?
The General Data Protection Regulation took effect on May 25th in the 28-nation European Union. In simple terms, GDPR gives individuals greater leverage over how businesses can use their personal information. As defined in the legislation, "personal information" includes many of the data points that US privacy laws cover as "personally identifiable information (PII)," including (but not limited to):
- Social Security numbers (and any other government ID numbers)
- Home phone and personal cell phone numbers
- Home address
- Personal mailing address
- Personal email address
- Place and date of birth
- Financial information
- Website login name
GDPR defines "personal information" much more broadly. According to the EU,
Personal data is any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address.
Personal information can find its way into your distribution ERP system via forms on your website, your order-taking process, or when one of your salespeople enters notes from a conversation into your CRM. Under GDPR, it’s all protected.
Companies that fail to comply with GDPR face penalties as high as $24.6 million or 4% of annual revenue. (Google and Facebook were immediately hit with privacy complaints that could amount to $9.3 billion in liability.) That's one heavy hit for a small distribution business. Should YOU worry?
Most of the criteria for adherence to GDPR involve having customers or employees from the EU—which may not be of concern to most small-to-medium-sized North American distributors. However, if you attract website traffic from the EU or if your data is stored in the EU, then you should sit up and take notice. Your IT, marketing, finance, sales, and operations functions may all need to tighten up their data-handling practices.
Here’s what your distribution business should do.
CSO, Information Management, and Business News Daily provide informative deep dives into GDPR compliance for small-to-medium-sized businesses—I recommend that you review them and discuss them with your IT vendors. Here are my top takeaways for North American distributors:
- Designate an individual in your organization to drive any needed GDPR compliance actions.
- Determine your need for GDPR compliance. Two critical questions are:
  - "Do we ever market to customers who have an EU connection?"
  - "Are we (like the distributor I mentioned at the top of this post) doing business with customers who have an EU connection?"
- Audit your database and CRM for EU-based email addresses.
- Find out if your website tracks and collects visitor IP addresses. Search carefully for IP addresses originating in the EU.
- If you're operating software in the Cloud:
  - Ask your Cloud hosting provider about their GDPR readiness. (Any reputable vendor has been on the GDPR compliance case for many, many months.)
  - Obtain assurances that your data is not housed in the EU (another area of potential liability).
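The two audit steps above (EU-based email addresses in the CRM, EU-origin IP addresses in website logs) can be turned into a first-pass inventory scan. The script below is an added example for this post, not code from the original article or from any vendor it mentions. It runs over a constructed CSV export (made up for the example), flags email domains ending in an EU member-state country code (a heuristic only, since many EU customers use .com or other generic domains), and checks stored IP addresses against a placeholder range list that stands in for a real EU geolocation feed.

```python
import csv
import io
import ipaddress

# Constructed sample CRM export (not real customer data): contact email and last-seen IP.
SAMPLE_CSV = """name,email,last_ip
Alice Example,alice@example.de,203.0.113.7
Bob Example,bob@example.com,198.51.100.9
Carol Example,carol@example.fr,203.0.113.200
Dan Example,dan@example.co.uk,192.0.2.5
"""

# Country-code TLDs of the 28 EU member states at GDPR's effective date (May 2018).
# This is a heuristic: an address at a .com domain can still belong to an EU resident.
EU_CCTLDS = {
    "at", "be", "bg", "hr", "cy", "cz", "dk", "ee", "fi", "fr", "de", "gr", "hu",
    "ie", "it", "lv", "lt", "lu", "mt", "nl", "pl", "pt", "ro", "sk", "si", "es",
    "se", "uk",
}

# PLACEHOLDER: in a real audit, load EU address ranges from a geolocation data source.
# 203.0.113.0/24 is RFC 5737 documentation space, used here only as constructed sample data.
EU_IP_RANGES_PLACEHOLDER = [ipaddress.ip_network("203.0.113.0/24")]


def email_tld(email):
    """Return the last label of the email's domain, lower-cased (e.g. 'de' for example.de)."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain.rsplit(".", 1)[-1]


def is_eu_email(email):
    """True if the email's domain ends in an EU member-state country code."""
    return email_tld(email) in EU_CCTLDS


def is_eu_ip(ip_str, ranges=EU_IP_RANGES_PLACEHOLDER):
    """True if the stored IP falls inside one of the EU ranges; malformed values are skipped."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def audit_contacts(csv_text, ranges=EU_IP_RANGES_PLACEHOLDER):
    """Scan a CSV export and return the contacts that show an EU connection, with reasons."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if is_eu_email(row["email"]):
            reasons.append("eu_email_tld")
        if is_eu_ip(row["last_ip"], ranges):
            reasons.append("eu_ip")
        if reasons:
            flagged.append({"email": row["email"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in audit_contacts(SAMPLE_CSV):
        print(f"{hit['email']}: {', '.join(hit['reasons'])}")
```

Run against a real export, the output is a list of records to review with whoever you designated to drive GDPR compliance; a hit means "look closer," not "this person is an EU data subject," and an empty result does not prove the absence of EU personal data.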
From "across the pond," GDPR probably feels like a non-issue for small-to-medium-size distribution businesses. All the same, it's sound business practice to be aware of any risk exposure and to take steps to mitigate it now, rather than be surprised by penalties later.
And one more thing to keep in mind: The EU is doing far more than any other government to protect its citizens and the consumers within its jurisdiction. Don't be surprised to see the rest of the world catching up within five years or so.
This article should not be considered a comprehensive guide to GDPR compliance. You should address any GDPR compliance or data security questions directly to your business IT services provider.