Data breach knows no borders: What small businesses need to know about international privacy law

For National Small Business Week, Shred-it is reminding small business owners they could face strict new international privacy rules next year – and many don't even know it.

OAKVILLE, ON, Oct. 12, 2017 /CNW/ - As the Internet makes it easier than ever to do business around the world, Canadian small businesses may find themselves increasingly subject to privacy laws in other countries. Yet only one in seven (14 per cent) Canadian small business owners know about the impending General Data Protection Regulation (GDPR), according to Shred-it's 2017 Security Tracker conducted by Ipsos.

In May 2018, the GDPR will introduce sweeping new data protection requirements for businesses that process European Union (EU) citizens' personal data. The GDPR comes with heavy penalties for businesses of any size and in any country – including Canada – that are non-compliant.

Not only are most Canadian small business owners unaware of the GDPR, but many are far from meeting the GDPR's data protection standards. The Security Tracker revealed over a third (37 per cent) of small business owners never audit their company's information security procedures and less than half (45 per cent) claim to have a strong understanding of their legal requirements to protect data.

"In today's globalized business environment, the GDPR will affect not only multi-nationals but also small businesses that have transactions with EU citizens," says Paul Saabas, Vice President at Shred-it. "Even if you're not subject to the GDPR, your small business will benefit from strengthening its information security practices. As more and more personal data is transferred across borders, consumers may start to seek out businesses that meet both local and international privacy standards."

Throughout National Small Business Week, running October 15 – 21, 2017, Shred-it is encouraging small business owners to consider these three tips to help them strengthen their information security practices and prepare for the GDPR:

1. Know what you don't know
   The first step in becoming compliant with any legislation is to know what data your business processes, where it's stored and what the risks are. Audit both the data your business keeps – whether on hard drives, premise servers or paper files – as well as the data processed by third parties, such as your cloud storage providers. The GDPR mandates regular Privacy Impact Assessments (PIAs) to identify privacy risks in projects or initiatives. Carry out PIAs in the early stages of any project so that data protection is part of your thinking from the beginning.
   
   
2. Educate, inform, coach
   All employees share the responsibility to protect sensitive data and keep your business compliant. The GDPR mandates 'privacy by design' in some cases, which requires businesses to build data protection measures into staff training and human resource policies. Get ahead of the curve and start teaching your employees about data protection and information security now. As the saying goes, 'knowledge is power' – and knowledge can save your business from the significant legal consequences or reputational damage of a data breach.
   
   
3. Ask an expert
   When it comes to changes in legislation, don't take your chances – especially with something as important as privacy compliance. Speak to an external legal expert who can help you understand if or how the GDPR affects your business, as well as your requirements for privacy protection in Canada.            

For more information about preparing for the GDPR, visit Shred-it's blog. Also, download the 2017 State of the Industry report to learn more about common information security trends and emerging challenges.

About Shred-it 

Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients' private information. Shred-it, a Stericycle solution, operates in 170 markets throughout 18 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit www.shredit.com.

SOURCE Shred-it

Sarah McNeil, NATIONAL Public Relations (for Shred-it), T: 416-848-1464, E: [email protected]; Albert Lee, Director, PR & Communications, Shred-it, T: 905-491-2250, E: [email protected]