A distributor recently approached us about moving their software into our Cloud. Naturally, I was pleased to take the conversation, and my eyes were opened when he explained why:
One of his customers, a Fortune 500 manufacturer, was insisting that all its vendors comply with the new EU privacy laws under GDPR. The distributor's on-premises system couldn't provide the stringent, required security assurances—so to keep the customer, he's moving to the Cloud.
No doubt you've heard of GDPR (it was certainly the hot topic in my email inbox in May). But how much should you care about it? Does GDPR apply to your distribution business? Let's have a quick discussion of GDPR: what it is, how it affects your business, and what steps (if any) you should be taking.
The General Data Protection Regulation took effect on May 25th in the 28-nation European Union. In simple terms, GDPR gives individuals greater leverage over how businesses can use their personal information. As defined in the legislation, "personal information" includes many of the data points that US privacy laws cover as "personally identifiable information (PII)," including (but not limited to):
GDPR defines "personal information" much more broadly. According to the EU,
Personal data is any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address.
Personal information can find its way into your distribution ERP system via forms on your website, your order-taking process, or when one of your salespeople enters notes from a conversation into your CRM. Under GDPR, it’s all protected.
Companies that fail to comply with GDPR face penalties as high as $24.6 million or 4% of annual revenue. (Google and Facebook were immediately hit with privacy complaints that could amount to $9.3 billion in liability.) That's one heavy hit for a small distribution business. Should YOU worry?
Most of the criteria for adherence to GDPR involve having customers or employees from the EU—which may not be of concern to most small-to-medium-sized North American distributors. However, if you attract website traffic from the EU or if your data is stored in the EU, then you should sit up and take notice. Your IT, marketing, finance, sales, and operations functions may all need to tighten up their data-handling practices.
CSO, Information Management, and Business News Daily provide informative deep dives into GDPR compliance for small-to-medium-sized businesses—I recommend that you review them and discuss them with your IT vendors. Here are my top takeaways for North American distributors:
From "across the pond," GDPR probably feels like a non-issue for small-to-medium-size distribution businesses. All the same, it's sound business practice to be aware of any risk exposure and to take steps to mitigate it now, rather than be surprised by penalties later.
And one more thing to keep in mind: The EU is doing far more than any other government to protect its citizens and the consumers within its jurisdiction. Don't be surprised to see the rest of the world catching up within five years or so.
This article should not be considered a comprehensive guide to GDPR compliance. You should address any GDPR compliance or data security questions directly to your business IT services provider.