GDPR: The Management Issue Too Few ERP Executives Are Thinking About

Perhaps the most serious issue that few businesses in the U.S. are paying any attention to is the European Union regulation that comes into affect on May 25, 2018. The General Data Protection Regulation, usually referred to as the “GDPR,” affects not just European-based businesses but will have a direct impact on anyone who does business in the E.U., selling systems that are used in collecting identifiable personal information of individuals.

In the U.S., far too many executives remain happily unaware that GDPR can have a direct bearing on their company if it develops, sells and installs EPR systems for companies in the E.U. But if a system is found not to be in compliance with the regulations or gets hacked – and for planning purposes it’s really more a question of when it happens rather than if – the consequences can be draconian:

  • Your system does not have to be hacked with a resulting data leak; steep fines can be imposed for not being in compliance with GDPR. In other words, not proactively protecting the systems you have sold to European customers is considered as bad as an actual hack and leak.
  • Administrative fines for non-compliance can range up to 4% of annual worldwide revenue, with a maximum of €20-million (slightly more than US$26.6-million).
  • The resulting publicity from a non-compliant ruling could do serious damage to the reputation of an EPR or CRM developer, affecting their ability to sell systems in the future which may be as serious as the dollar cost of a fine.

The mistake many companies are making is that they think of the GDPR as a technology problem the IT people can solve. It’s not; it is a business and management concern because it has to do with governance, procedures, policy and rules governing the protection of personal data.

In effect, the GDPR is the next step in rules that the E.U. has had in place for more than 20 years. Key among the requirements is that a vendor has to be able to identify every instance of someone’s data being stored whether in an on-site computer, in the cloud, on backup systems such as tapes, on devices employees may use in their work, and suppliers such as an ad agency that runs direct marketing campaigns. This is totally new ground for the vast majority of companies developing and selling ERP and CRM systems. But under the GDPR, if a customer asks that a business erase their name from the records, it has to be able to do so – and fairly quickly.

Thus, the potential problems posed by the new rules are fairly evident and fairly enormous. In essence, any portion of a product that collects personally identifiable information about an individual has to be retooled.

More than anything else, ensuring compliance with the GDPR requires thinking about how a system collects data and identifies individuals, and then considering how it is stored and protected. The regulations require that customers be informed of how their data is being used; in turn, they need to be able to access, modify or erase the data entirely.

As an ERP company with even just one customer in the E.U., you need to ensure that your system allows it to be in compliance with the GDPR. Failing to do so can damage your reputation as well as damage your bottom line if the system is found to be non-compliant or gets hacked.

Marcus Harris has been advising ERP and CRM software companies on complying with the European Union’s GDPR regulations. If you have a question about GDPR or any ERP-related matter, reach him by email at MHarris@TaftLaw.com, or by phone at 312.840.4320.