Originally posted on CIODIVE by Bethan Moorcraft.

The following is a guest article from Kent Graziano, chief technical evangelist and strategic advisor at Snowflake Inc.

It’s been a year since the European Union’s General Data Protection Regulation (GDPR) went into effect. In the wake of its implementation, GDPR has garnered increasing global attention, thanks to headline-grabbing fines levied against popular business-to-consumer (B2C) companies that collect individuals’ data.

However, these early examples don’t represent what lies ahead. Business-to-business (B2B) entities have good reason to be concerned as well — and not merely in regards to their own compliance.

Any company that relies upon vendors and partnerships, or that shares data with outside organizations, should be wary.

This warning holds true especially for small- and medium-sized businesses. They depend on revenue generated from partnerships with enterprise customers, and those customers require their vendors to remain GDPR compliant.

However, the SMB path to compliance may be harder to achieve with limited resources, which in turn may cost businesses early contractual agreements that are so crucial for growth.

Because liability no longer sits within the four walls of an organization, the question every company must ask is: Are all current vendors and partners adhering to the EU law?

The far-reaching implications of GDPR

GDPR set in motion a maelstrom of scrutiny around data management and governance practices in global companies. Early compliance violations and fines have been targeted mainly at four dominant U.S.-based companies, which the French colloquially describe as “les GAFA” (Google, Apple, Facebook, and Amazon).

In the first three months of 2019, a $57 million fine was issued to Google over its ads, and GDPR complaints were filed against Amazon, Apple, and YouTube (a Google entity). Each of these organizations faces fines up to 4% of their worldwide annual revenue. For a company like Apple, that could equate to a $9 billion fine.

There’s little doubt that enormous potential fines against Goliath companies create awareness (and fear) around GDPR.

However, it would be foolish to believe that regulators will only go after B2C companies. If the first year of implementation delivered the loudest barks, the real bite of GDPR is still to come.

B2B organizations, by definition, sell to other companies and provide services or products that are often meant for that company’s customers. It’s not a huge leap to imagine that personally identifiable information (PII) is included when data passes between these companies.

This is where the dark underside of the EU law starts to come into focus.

Think about how many vendors companies work with to enhance offerings. Or consider the number of software solutions integrated into products to speed up development. What data gets passed back and forth or stored with these vendors?

Now contemplate how many companies share customer data as a natural course of business, or how much sensitive data is stored on behalf of other companies.

All of these partnerships, all of these vendors, and all of these relationships put companies at risk. Less than half of the international companies worth $100 million or more are fully compliant with GDPR.

While large companies have been targeted so far, that doesn’t mean SMBs are safe. In fact, startups or mid-sized businesses attempting to sell to established organizations or work with seasoned vendors may find themselves getting turned down if they haven’t done the hard compliance work.

Simply put, any company governed by the EU law (which is basically all global organizations) will insist on including contractual clauses that verify your GDPR compliance.

If a business can’t unequivocally say “yes,” that contract is lost. Given that SMBs may not have the resources or funding to bring their data practices into compliance quickly or easily, the long-term impact could be even more pronounced for smaller players.

Don’t lose business on account of data

Most organizations today can’t accurately trace all the sources and locations of their data, let alone easily obfuscate or delete an individual’s records in order to comply with GDPR. Companies need to stay ahead of the regulatory storm with good old-fashioned data management principles.

Consider the following questions:

  • How does a company handle data?
  • Is the company treating data as an important and valuable asset?
  • Does the business do with data as it pleases, or does it act as an entrusted steward of data?
  • Do you recognize the legal and ethical considerations of handling someone else’s information?
  • Do you have the processes in place to be able to swiftly trace and delete an individual’s PII, if requested?

Now think about current interactions with partners and vendors. Does your business have the right data policies and procedures (data governance) in place to protect individuals’ data? Do they?

It’s critical to establish strong data policies and procedures around the information shared with outside companies. And, if a company stores PII data for B2B customers, it should know exactly what it’s storing and where it’s located.

Businesses need the ability to easily trace the lineage of data if organizations hope to survive any kind of audit.

Given the labyrinth of data marts that develop in most organizations, these responsibilities are no small feat.

The key is to centralize your data, have end-to-end encryption for modern data sharing, and keep an inventory of data and its locations.

Today’s regulations are only the beginning

GDPR may be the current trailblazer, but data privacy and protection are hardly new topics, especially in the U.S.

Since 2016, the number of states with data laws has doubled. To date, 24 state legislatures have passed laws that govern data practices in the private sector. Of particular note is last year’s California Consumer Privacy Act of 2018 (CCPA), which will govern many of the software companies currently getting hammered by GDPR.

A recent Janrain survey of over 1,000 U.S. consumers demonstrates that Americans are aware of and concerned about data privacy.

In fact, 78% of respondents knew about the Facebook/Cambridge Analytica scandal, and 57% stated they are more concerned about their own data privacy as a result.

Another survey indicated that 46% of respondents had no familiarity with GDPR, which suggests that while Americans are concerned about privacy, there is a lack of understanding about the true implications of GDPR.

There is little doubt regulations like these will continue to pop up in the near future, and the scope of those laws is anyone’s guess.

So, what’s the best course of action? Adhere to the strongest regulations that exist. Today, that’s GDPR. If a business can work toward getting its data ducks in a row now, it will make things infinitely easier when regulations become more stringent.

Businesses want to reach the point where they can tell outside organizations they are GDPR compliant (or have an actionable plan to get there). It’s the only way an organization can ensure the company doesn’t miss out on deals or partnerships, or worse, risk massive fines.