On May 25, 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR). GDPR is a legal set of principles regarding protection, privacy, and management of EU citizens’ personal data.

Though GDPR may come with many caveats, one thing is certain: small businesses in the U.S. must comply to GDPR to continue smooth business operations with EU nations.

So how can your small business become compliant?

The amount of work towards full GDPR compliance may vary amongst businesses and may depend on policies and procedures already (or not yet) in place.

From changing business practices to educating employees on data protection, as a business owner, you should know where to start. Below are four ways to begin GDPR compliance.

1) Assess data location.

Today’s cloud computing era has data constantly moving through various locations around the world. This stresses the importance of auditing and taking inventory. Knowledge of data storage is key. Keeping data centers local and physically secure may also result in more control and lower risks.

2) Refine your data classification.

GDPR requires proper identification, documentation, and organization of EU user data. Data encryption, pseudonymization, and anonymization are three techniques that can effectively safeguard personal data, as GDPR suggests. Explore automation, encryption products, database vendors, and data-masking specialists to find appropriate classification methods.

3) Attain consent and accessibility.

Under GDPR, companies must seek, record, and manage consent of personal data. Attain consent and additional information as necessary. GDPR includes the right to access and the right to be forgotten, so your company must be able to access and erase data as needed. Make sure your company has quick and efficient responses to data requests.

4) Prove data privacy, usage, and management.

Installing reliable cybersecurity merely scratches the surface of GDPR compliance. Though your company does need firewalls and backup strategies, you must possess clear documentation of personal data and why it’s used. Determine privacy rules and set up breach notifications. Exercise data minimization by keeping only data that your business needs.

To avoid the steep fines and penalties of non-compliance, small businesses must make the necessary moves as soon as possible. GDPR’s prime concern is the handling of personal data. Once you take control of your data, achieving GDPR compliance should become a much less overwhelming feat.