There’s a lot to GDPR compliance for startups to manage. You may be behind schedule or just generally stressed about it. Here’s why you shouldn’t panic.
As of May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is in effect, affecting businesses and organizations worldwide.
Hopefully you’ve already progressed through the Five Stages of GDPR Grief™ and have arrived at acceptance. But the emotions don’t end there. Chances are you’re behind on your GDPR compliance work and have added panic to the stress you were already feeling. (Arguably these could be two more stages of GDPR grief, but I’ve already trademarked “Five”, so they’re not.)
The following list is here to make you feel a little better about your GDPR compliance status.
9 reasons not to freak out about your current level of GDPR compliance
Understand you should definitely keep moving forward with your GDPR compliance work.
But in the meantime, try to find some comfort in this list.
1. It’s not just you
A significant percentage of companies aren’t yet fully compliant with GDPR. (The Wall Street Journal says 60–85% are not.) Many businesses aren’t even fully aware of how GDPR affects them.
You have lots of company when it comes to lack of preparedness.
2. GDPR is not trying to destroy us
The purpose of GDPR is protecting people’s private data. Its purpose is not to destroy economies or fine companies into oblivion when they were sincerely trying to comply.
And there’s not really a deadline. GDPR isn’t like a nuclear bomb that goes off once and immediately decimates everyone who didn’t fully complete their bomb shelter in time.
May 25, 2018 is the start, not the end. It’s an ongoing process.
3. Regulators aren’t ready, either
The regulators who will be policing the GDPR rules aren’t ready yet either.
There is no single entity that enforces GDPR. Instead, it will be managed by a bunch of national and regional regulatory authorities. A recent Reuters report stated that “seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.”
4. There won’t be a lot of proactive investigating by regulators
In part because of their lack of readiness, authorities will be more reactive than proactive when it comes to identifying non-compliance.
From that same Reuters report: “Most respondents said they would react to complaints and investigate them on merit. A minority said they would proactively investigate whether companies were complying and sanction the most glaring violations.”
5. You’re one fish in a big ocean
There are tens of millions of businesses in the US and the EU alone. That’s not even counting charities and other organizations that may also be subject to GDPR.
Point is, there are tons of companies doing tons of business with EU residents. Yours isn’t likely to get more attention than any other.
6. Some of what you’ve heard is just fear mongering
Much of the reporting on GDPR is well-meaning but overly dramatic. But some groups, from security firms to sensationalist click-bait news sites, have a profit motive in scaring you about GDPR.
Don’t let those jerks freak you out.
7. There are other deterrents besides fines
Regulators aren’t likely to immediately jump to monetary fines in any infraction case.
UK Information Commissioner Elizabeth Denham says:
And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.
[…] GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.
8. Actual fines will not be the maximum fine
That terrifying fine of 20 million euros or 4% of your yearly revenue? That’s the maximum possible fine by law for the worst abuses, not the blanket cost for any non-compliance.
In practice, when fines do happen, they’ll be proportionate to the actual infraction. The guidelines for how regulators should impose administrative fines state that, all things considered, the fine should be “effective, proportionate and dissuasive” to the offender. That doesn’t mean put the offender out of business.
9. If you’re actually trying to comply, you’ll be in less trouble
If you ever actually ran afoul of GDPR to the point of monetary fines, your prior efforts to comply with the law and take data privacy seriously will work in your favor.
Regulators are instructed to look at each case individually and consider the circumstances. This includes your past and present behavior. If you were intentionally flaunting the rules, you’ll receive a bigger fine. If you’ve been earnest in your attempts at compliance and you cooperate with regulators, you’ll be treated with more lenience.
All your efforts a not for nothing. Stop freaking out and get back to work.
Learn about how BetaTesting can help your company launch better products with our beta testing platform and huge community of global testers.