Have you been bombarded with emails about updated privacy policies? Are you wondering why? It all comes down to a new law in Europe. Here’s a GDPR overview to explain how this new regulation can impact your small business:
Earlier this year, Facebook came under great scrutiny for how it gathered, used, and disseminated the personal data of its users, leaking the personal data of upwards of 87 million users to political campaign firms.
Everyone wants to feel secure online. Concerns like this, and the widespread nature of identity theft, have put issues like data privacy in the public discourse. It’s becoming an issue that more and more internet users have to engage with on a daily basis, and the same goes for the online businesses that collect such data. And in Europe, it’s brought about a new law: GDPR.
It’s been in the works for a while, but it’s officially active on May 25th, 2018. And it has far-reaching impacts on businesses… not just in the EU, but all over the globe.
What is GDPR, and why was it passed?
The GDPR, or General Data Protection Regulation, is a law geared to protect the data of the European Economic Area. (Basically the EU, with a dash of Iceland, Liechtenstein, and Norway for flavor.) The goal of the GDPR is to give users more control over their personal data.
The basics? For starters, any online firm that wants to collect personal data must have the unambiguous consent of its users to use their personal data for “specific” purposes. So if a firm collects data, they need permission, and they need to disclose why.
GDPR also gives EU residents the right to know and determine how their personal data is being used, stored, protected, transferred, and deleted. Users should be able to gain access to any information you’re holding about them… and even transfer it to another organization if they so choose.
The regulation gives EU residents 3 rights when it comes to their data privacy:
- The Right To Data Portability
  - This gives the user the right to demand a copy of any personal data being held about them.
- The Right To Rectification
  - This allows the user to correct any inaccurate information that may be being held.
- The Right To Be Forgotten
  - If the user requests that an organization deletes any pertinent personal data, the organization must comply and delete it.
What is personal data? Simply put, it’s any data that allows an individual to be identified. This includes names, addresses, birthdates, identification numbers, IP addresses, and location data. Even pseudonymous data can be covered under this legislation if it can be tied back to the original user. (Though there is some dispute about whether this is actually allowed.)
So European citizens now have a wider scope of rights when it comes to avoiding security risks to their data privacy. But American companies won’t be impacted by this, will they?
Yes, American companies have to follow GDPR too.
At least, they do if their online operations touch Europe. Or even have the potential to touch Europe.
The EU’s new law is meant to protect the rights of Europeans in Europe. While this means that a European user is NOT protected under GDPR when they are filling out a contact form when they’re here visiting in the States, it also means that any US company that may interact with a European user in Europe must abide by the new law.
It doesn’t matter if you’re targeting Europe or not. If someone in Europe can fill out a contact form on your website, you qualify. If you’re doing business in Europe with Europeans, frankly, they don’t much care where your company is based.
If you collect, store, or process data of individuals who reside in the EEA (and by “individuals” here we mean customers, prospects, and even employees), you’ll need to have a rigorous set of personal data protection policies and practices in place to be in compliance with GDPR.
What will be expected of companies under GDPR?
You’ll need to abide by all the rights we laid out above.
This means that your business will be required to prove that it knows where consumer data is across all of its systems and all of its businesses. We’re talking CRM and CMS systems, databases, and software providers too.
You’ll be required to demonstrate who can access this data as well as when and how they are allowed to do so.
Your organization will be required to notify individuals and authorities of data breaches within 72 hours and address all the resulting issues.
If you do a lot of your web services yourself, using legacy systems, be careful. Be sure you know how your website works, and to check the following for elusive bits of customer data:
- Hard-to-search free-text fields
- Network files where employees have saved spreadsheets
- Backup drives
- Unstructured data
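One way to start that data inventory, as an added example (not code from this post or from SuperWebPros): a small Python scanner that runs personal-data patterns over the kinds of sources listed above and reports which source holds which kind of data. The source names and every sample record below are constructed for the example; the patterns are deliberately simple, so each hit is a lead for a person to confirm rather than a verdict.

```python
"""
Toy personal-data locator for building a GDPR data inventory.
Added example, not code from the original post or from SuperWebPros.
Scans text pulled from the kinds of places the checklist above names
(free-text fields, spreadsheets on a network share, backup exports)
for common personal-data patterns and reports what lives where.
All sample records below are constructed for this example.
"""
import re
from collections import defaultdict

# Patterns for identifiers the post lists as personal data.
# Kept deliberately simple; each hit is a lead for a human to confirm.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "birthdate": re.compile(
        r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"
    ),
}


def _is_valid_ipv4(candidate: str) -> bool:
    # A version string like 10.2.300.1 matches the regex but is not an address.
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_personal_data(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs found in one blob of text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if kind == "ipv4" and not _is_valid_ipv4(match):
                continue
            hits.append((kind, match))
    return hits


def build_inventory(sources: dict[str, str]) -> dict[str, dict[str, int]]:
    """Map each source name to a count of personal-data kinds found in it.

    Sources with no hits are left out so the result reads as a data map.
    """
    inventory: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for name, text in sources.items():
        for kind, _value in find_personal_data(text):
            inventory[name][kind] += 1
    return {name: dict(kinds) for name, kinds in inventory.items()}


# Constructed sample content standing in for real systems.
SAMPLE_SOURCES = {
    # A CRM "notes" field: free text nobody would think to search.
    "crm:notes": (
        "Called back, customer prefers email: jane.doe@example.com, "
        "born 1984-07-19, wants the brochure in German."
    ),
    # A spreadsheet an employee saved on the network share.
    "share:sales_leads.csv": (
        "name,email,notes\n"
        "Bob,bob@example.org,interested in hosting\n"
        "Alice,alice@example.net,follow up next week\n"
    ),
    # A web-server log that ended up on a backup drive.
    "backup:access.log": (
        "203.0.113.42 - - [12/May/2018] GET /contact 200\n"
        "198.51.100.7 - - [12/May/2018] POST /contact 302\n"
        "app version 10.2.300.1 loaded\n"  # not an IP address; must be skipped
    ),
    # A source holding nothing personal.
    "share:pricing.txt": "Basic plan: 9.99 per month, Pro plan: 29.99",
}

if __name__ == "__main__":
    for source, kinds in build_inventory(SAMPLE_SOURCES).items():
        print(source, kinds)
```

Run against the constructed sources, the inventory shows the CRM notes holding an email address and a birthdate, the spreadsheet two email addresses, and the backed-up log two IP addresses, while the pricing file is left out entirely. The IPv4 octet check is the kind of small guard that keeps version strings out of the inventory; in a real scan you would point the same functions at exported database columns and files read from the share and backup media.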
Do US companies REALLY need to take GDPR seriously?
Short answer: yes.
Longer answer: this legislation has steep financial penalties for non-compliance. You can expect a fine of 20 million Euro, or 4% of your global revenue… whichever is greater!
Even longer answer: our environment here in the US is currently self-regulatory when it comes to personal data, but it’s likely just a matter of time before we see similar legislation on this side of the pond. Complying with GDPR standards will help set you up for an environment of more regulations in the future.
And, if nothing else, many companies are adapting to the standards of Europe and it’s impacting their global operations, thus setting a new market standard for data protection.
What should business owners do?
First off, as with any official regulation, we recommend seeking legal counsel on the specifics for your company. (We’re the SuperWebPros, not the SuperLegalPros.)
That being said, there are a few things that any company can do to get ready for GDPR compliance.
First off, update your privacy policies. Make sure that the way you collect, store, and manage personal data falls in line with GDPR regulations in case somebody in the EEA decides to sign up for your newsletter or fill in a contact form.
Second, if you use a third-party web service, make sure they are taking GDPR seriously and know how to keep your site compliant. Services like Squarespace, WordPress, and SuperWebPros (shameless plug) should be on the ball and have you covered as far as these regulations are concerned. But in all things: better safe than sorry!
Related, Google should be making sure that its ads are GDPR compliant. Even if you publish a Google Ad on your own site, and that ad collects data, Google should ensure that the ad is compliant. But the onus lies on you to make sure that your site’s features are following proper GDPR protocol.
As for what else small business owners can do:
Seize the opportunity!
GDPR gives American companies a unique opportunity to innovate! In an online marketplace that places a high premium on strict data privacy policies, your small business has the opportunity to present itself as a data privacy pioneer!
Offering services or products that prioritize privacy by design will enhance your marketing efforts and make your site a welcome contrast from companies that drag their heels on privacy or seem out of touch with what their users want.
If you’re interested in a website that makes the best use of the data privacy principles that GDPR is designed to protect, rely on the Pros. At SuperWebPros, we don’t just make beautiful websites; we build websites designed to drive meaningful traffic to your growing business, no matter what side of the pond they’re on.
Sign up for a free website audit today and see whether you’re GDPR compliant!