August 19, 2019 5 min read

Opinions expressed by Entrepreneur contributors are their own.

The ever-growing need for businesses to safeguard and manage the sensitive data they collect and use cannot be overstated, especially in today’s climate of eroding trust. This sentiment became a mandate overseas late last May, when the EU's General Data Protection Regulation (GDPR) went into effect. GDPR compels organizations to prevent data from getting into the wrong hands and to ensure that it is obtained through consent. It also places a strong onus on companies to respect the rights of individuals as data owners, such as honoring requests for access.

However, more than one year since its introduction, and a further two since the regulation was announced, an alarming number of businesses have yet to comply. According to one recent study, only 35 percent of European companies provided personal data to customers who asked for it. And only 52 percent of American employees are even aware that there are laws dictating how sensitive information is handled.

The potential consequences of noncompliance are significant, too, with upper-level fines set at a minimum of 20 million euros (or just shy of $22.5 million). As if that weren’t enough motivation, additional data privacy regulations are in the works, and catching up will only get more difficult.


To wit, the California Consumer Protection Act (CCPA), which goes into effect this January, includes some nuanced departures from GDPR. The extra-stringent New York Privacy Act, meanwhile, is already starting to make its way through the state assembly. Likewise, any company doing business with a global audience must be cognizant of their data collection and storage processes. Russian data privacy law, for example, mandates that personally identifiable data from its citizens be stored on servers within their country.

Even Google, with its massive tech resources, isn’t immune from compliance missteps; it was hit with a $57 million fine by CNIL, France’s data-protection watchdog. To avoid a similar fate, heed these few bits of guidance.

Compliance Isn't Going to Get Easier

GDPR’s low compliance rates are a bit misleading, as they imply that no one’s trying. One recent report found that more than two-thirds of businesses have dedicated dozens of staff members to spearheading the GDPR conundrum. The same report estimates that this investment has resulted in thousands of hours of company time being assigned to a single piece of legislation, with privacy professionals themselves averaging 160 hours preparing for and sustaining GDPR compliance.

Indeed, significant resources have been dedicated to compliance, but regulatory frameworks are complex. It doesn’t bode well that some two-thirds of privacy professionals agree that adoption rates for CCPA are lagging behind what they were for GDPR. Clearly, it's crucial that your business gets its privacy safeguards into shape before the legal, financial and reputational risks become reality.

Figure Out How to Close Your Gaps

GDPR, pending U.S. legislation and other nations’ laws are collectively creating potential compliance blind spots. You may think that your systems are secure, yet the interconnectivity of technology can leave serious gaps. For example, consider a U.S.-based company that holds events for international audiences. Its data practices must conform to GDPR requirements across the board, regardless of where attendees reside.

“Data compliance is not sexy, but it is critical to this industry,” explains Adrien Petersen, CTO of event registration solution eventcore. As event tech advances, features like facial recognition create even more concerns and possible gaps in compliance.

Regardless of your industry, an end-to-end approach is critical. The data integration specialists at Talend have outlined a 16-step approach that maps to the specific articles of GDPR where your company might be falling short. Their process covers potential trouble areas including:

Lawfulness of data processing.

Conditions of user consent.

Handling special categories of personal data including race, ethnicity and political or religious opinions.

Data masking for processing that doesn’t require identification.

Documenting a data lineage to verify compliance processing.

Full compliance is only assured when your company has practices throughout its entire information infrastructure to collect, standardize, reconcile, certify, protect and propagate personal data.


SaaS Compliance Is Extra Tricky

An additional complexity facing businesses is how to deal with the ever-growing reliance on SaaS applications. Web apps are used throughout most organizations in finance, sales, marketing, tech and HR departments, with data often held remotely, outside of the organization’s control. Businesses might use hundreds, if not thousands, of applications across the entire employee pool, and overall compliance risk is amplified for two reasons. Firstly, a SaaS vendor may not clearly communicate what data it stores on which servers, and how that data is used. By integrating such an app into your systems, you become liable for the vendor's possible oversights. Secondly, since web apps are so easy to adopt, the IT department is often unaware of what SaaS products are being used throughout the enterprise, leaving it unaware of the full extent of its risk exposure.

As Uri Nativ, cofounder of SaaS management solution Torii, explains, "A single system of records for all your SaaS is the foundation of compliant SaaS management." To ensure full compliance, Nativ cautions that your IT department must take back control of its organization’s tech stack immediately. And he adds that if an employee quits or is fired, "Obviously, that's a huge risk, since you're exposing your company's sensitive data to a person you no longer have a reason to trust, that shouldn't be able to have access in the first place."

With relentless lawmakers eager to assuage a skittish public, we can expect additional privacy-compliance challenges ahead. The time to get a firm handle on data risks and remediation is now. The liability of noncompliance grows greater every day.