May 9, 2023

GDPR: When Should My Business Get Started?

Devon Lane
Founder and CEO
at Flowbase

This article is directed to companies who might be handling data from European citizens, who are looking at getting acquired, or who are selling their services to a company with attachment to the EU.

You might have heard about the General Data Protection Regulation (GDPR), a EU legislation that has the potential to significantly change how businesses of all sizes store and protect their data. It's intended to both strengthen data protection in the European Union, and the export of personal information outside the continent. As such, it's relevant to any SaaS business storing customer data around the globe.

Once GDPR goes into effect this coming spring, the effects of noncompliance could be significant. Relevant organizations who are not in compliance will have to pay up to 4 percent of their annual revenue or 20,000,000 Euro, whichever is highest. The law is set to become active on May 25, 2018, following a two-year transition period that began after it was first adopted in April 2016.

What does GDPR compliance entail?

In its entirety, the regulation is complex. Almost 100 individual articles go into depth about the details, which range from the definitions of data rights to reporting responsibilities on behalf of the organization in question. In fact, that complexity may be why SaaS businesses like yours have stayed away from ensuring compliance to this point.

To get started in the right direction, consider the below a brief examination of the steps needed toward compliance. These include:

  • Understanding your internal data flows. Before even starting to take steps toward data protection, you have to gain an understanding of how data flows in your organization. A formal evaluation can help you understand both daily processes and potential vulnerabilities.
  • Understanding your data access privileges. Who in your organization currently has access to sensitive data, and why? An easy step toward GDPR compliance is limiting access to sensitive information only to those who need it.
  • Building the right policies. Your company should have set written policies in place that are designed to not just limit access, but ensure data privacy and monitor data quality in ways that can be enforced across the organization.
  • Training your employees. Systematic processes are only as secure as the professionals in charge. Anyone who handles sensitive data needs to be trained on how exactly to approach it, along with secure ways to share as necessary (and possible).
  • Building a breach and vulnerability response mechanism. Almost half of all cyber attacks target small businesses. Part of GDPR compliance has to be building a system that helps you not just detect vulnerabilities, but also react to breaches as necessary.

Of course, this is only a generalized list of the various steps needed for compliance. Still, it's a vital first step toward ensuring you are on the right track for the all-important May 25 date.

When should my business take action toward GDPR compliance?

The answer to this question is deceptively simple: the time for GDPR compliance is now. The actual implementation of the new regulation may still be months away, but the complexities involved require a head start to make sure that when May 25 comes around, your company is ready for a changing environment.

Many businesses, especially those in the SaaS space, have already taken action. That's because they are essentially data operations, relying on sensitive subscriber information as a core part of their business model. These businesses have made significant process toward becoming compliant before the deadline next spring.

Take another look at some of the steps required for compliance outlined above. None of these can be implemented within a few days or even weeks. Training and policy building, especially, can take months. That's why taking action now is absolutely crucial to make sure that once the GDPR becomes active legislation, your business is prepared.

Acquisitions in the age of GDPR

Compliance with new data protection regulations becomes especially important for tech startups looking to get acquired by bigger companies. Corporations like Microsoft, Google, and Facebook are already compliant ahead of its implementation date; in fact, they're beginning to offer pathways to compliance for businesses using their services.

When these tech giants look for acquisitions, they have to keep data security in mind. They are naturally inclined to protect their data and minimize their vulnerabilities, which is why they will likely shy away from smaller businesses who are not compliant and will put themselves at risk.

Come 2018, these corporations might think twice about acquiring a startup that is not yet compliant. While some room for adjustment always exists, the need to understand and begin to enforce GDPR regulations only becomes more pressing should your business look or hope for acquisition in 2018 and beyond.

What you can do to get ready for GDPR now

The regulation is right around the corner. In just a few months, every piece of data you hold from a citizen of the European Union will be subject to standards much stricter than we have experienced in the digital age. Is your organization ready for that change? If not, now is the time to get started.

A thorough data audit should be followed by an assessment of current vulnerabilities, which includes access of key personnel to your various sensitive data files. Reporting structures may need to be revised, as do security policies designed for previous regulations. Training and automated or standardized response mechanisms can minimize vulnerabilities moving forward.

The key is to start paying attention. Even before the Holidays, begin to assess your needs, and work your way toward GDPR compliance. The earlier that process can start, the more likely you will become to not just set yourself up for success, but also keep all avenues open to growing your business.

We’re here to help.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt.

Get Started
LEARN MORE!
Responsive Components
Responsive Components
Responsive Components
Hey! Have any questions?

Frequently Asked
Questions

What type of compliance standard can you help with?

We help our clients based on their needs. The majority of our contracts involve SOC-2, HIPAA, and most recently GDPR. Feel free to ask us if we can help with your particular case. If we aren't able to, we can most likely recommend you to someone who can.

How long does a SOC 2 engagement usually take?

We move as fast as our clients are able to make progress. Our fastest client to date got their SOC-2 Type I four months after signing our engagement letter. That record is up for grab if you are up for it.

In our experience however, it takes 6-9 months to achieve a SOC-2 Type I,  and 3-6 additional months to obtain a SOC-2 Type II report.

Which standard do you follow for your security policies?

All of our security policies follow the ISO-27001 standard. The Confidentiality, Integrity, and Availability standards cover the range of standards we like to work with for SOC 2.

Why do we have to become SOC 2 compliant if we are relying on AWS which is already compliant?

SOC 2 stands for Service Organization Control, meaning your clients are interested in understanding your controls, not your hosting provider’s control. As part of your vendor assessment we recommend reviewing AWS’ SOC 2 report, but relying on their report is not enough to become SOC 2 compliant.

Who is behind SOC 2?

The American Institute of CPAs. The AICPA is an established and respected organization that provides two forms of audits to companies that demonstrate evidence of a secure data-protection infrastructure. A Type I is a point in time audit that addresses the company’s description of its system, the suitability of the system’s design, and the effectiveness of its internal data controls. A Type II report happens over a period of time and emphasizes design and also focuses on the validity of the company’s controls.

Are SOC 2 reports a legal obligation?

No, but most enterprise level organizations that engage with sensitive data (again, almost all of them) have an obligation to their stakeholders to prove due diligence regarding data security, which means they’ll want to vet their service providers using this tool. SOC 2 can help these prospective service providers set themselves apart from the competition. Just as important, a SOC 2 report represents a meaningful and respected signifier of trust.

What can happen to a company without a SOC 2 report?

A lack of a SOC 2 report won’t result in legal problems, but it can and will limit outside assessments of the company’s commitment to data security. When large-scale clients look for providers, or large-scale backers look for a likely return on their investment, they don’t want concerns about security to stand in the way. Trust is a chain made of links that have each been put the test and have proven their ability to withstand pressure and scrutiny. Company leaders are wise to let SOC 2 auditors apply this pressure so their clients and backers don’t have to.

When is it too late for a SOC 2 audit?

Never. Even companies that have been in business for years but have never obtained a SOC 2 report can—and should—take steps in this direction now. Being compliant with SOC 2 can open the door to a broader base of more significant clients and larger contract opportunities. That being said, startups in the threshold of the marketplace, and new business owners who hope for an eventual public offering, should obtain a SOC 2 report during the development and financing process. By the time the company approaches Series B and C fundraising rounds, a report should be in hand.

How complicated is the auditing process?

The auditing process can be easy, or complicated depending on your level of preparation.

Preparing for the audit can take some time, attention, and the guidance of reliable data security experts. Don’t leave any part of this process to chance. Approach SOC 2 compliance one step at a time, and start by contacting a consulting firm with track record of experience in your area of the marketplace.

Home
Resources
Contact
Raze™ All Rights Reserved, 2022.
Style Guide
Licence
Changelog