The GDPR is at our door, whether we’re ready or not—and an April poll showed a whopping 90 percent of businesses weren’t ready at the time.
If you’re part of that 90 percent—or just plain wondering, “What the heck is GDPR?”—read on.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a new set of privacy laws in the European Union (EU) made to protect its citizens’ and residents’ data. The regulation vastly expands people’s rights over their personal information and how it’s used.
The deadline for businesses to make sure their data practices comply was May 25, 2018.
So why should you care about GDPR if your business isn’t in Europe? Because if you have European customers of any sort, your business needs to follow the laws.
The GDPR website states the laws “will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.” In other words, any company that deals with “EU data subjects” has to abide by the new rules, regardless of where it is based. Those data subjects include EU citizens and residents, but the term could also be interpreted to include non-residents visiting the EU.
Which types of American small businesses will be most affected by GDPR?
Online goods providers
All I wanted to do was buy some candy for my mother-in-law for Mother’s Day, but living in Europe complicated that. See’s Candies are her favorite, so I went to their website, and I was met with the following message: “Our website is not available to any of the European Union Member States including the European Single Market. We are unable to collect orders or deliver to your area at this time.”
While See’s hasn’t responded to a request for more information, I suspect that GDPR played a distinct role in my inability to order their candy—even candy to be shipped within the United States.
If your business sells goods online that are available to European customers, you may already have contact and financial information, or other personal data that falls under the new protections.
Businesses that send customer newsletters
If you have a newsletter, you’ve probably collected email addresses from some people in Europe, but it’s difficult to know where customers are located based solely on their emails.
Digiday’s Max Willens suggests asking your subscribers to re-opt in to your newsletter (and being prepared for a drop-off in readers, as some won’t). Or you can cross your fingers and hope that no one enforces this part of the law.
You can certainly take the risk—if you run a local plumbing business, you probably don’t have European customers receiving your emails. But content and marketing providers with larger digital audiences are more likely to run into compliance issues.
Tech and data firms
“The largest impact will be on firms whose business models rely on acquiring and exploiting consumer data at scale,” the Guardian reports. From a niche communication service to a small data analytics consultancy, small businesses that collect, store, or share global customer information in any way will have the most adjustments to make.
Business-to-business service providers
Third-party vendors also face GDPR requirements when they work with any company that handles the data of EU residents. So, for example, if you’re an accountant working with a US business that has EU clients, you are likely required to follow GDPR protocol when handling the clients’ data.
How can my business comply?
In the months leading up to GDPR, you may have noticed companies emailing you about updates to their terms and services. In many cases, this was because they reset how they collect and process customer data.
Businesses now have to honor EU data subjects’ right to:
- Be informed when their information is collected and about how their information is being used.
- Access their personal data. Companies must provide requested data within a month free of charge and correct any inaccuracies.
- Have their information erased or restricted, meaning even if companies keep the data, they can’t use it.
- Transfer or copy personal information from one source to another.
- Object to certain uses of their data, like for profiling, when companies use data to make assumptions about a person for marketing purposes.
- Be notified of a data breach within 72 hours of discovery.
To meet the standards, companies have to:
- Map their data, or take stock of the customer information they’ve collected to date—from names to email addresses to bank or medical information. This process could range from building a spreadsheet to using more sophisticated tools.
- Implement a process to provide access to that information and details about how it is being used—as well as the opportunity to request deletions.
- Revise their data collection processes to notify people when and what information is being collected and give them the opportunity to opt in.
And that’s just the basics. For businesses with limited resources, this could be a major—not to mention costly—overhaul.
Fines for not treating your customer data properly can be up to €20 million (roughly $23.5 million) or 4 percent of your company’s global revenue. That’s nothing to sneeze at. If you’re actively collecting information from European customers, the EU can come down on you, and international law will likely support their quest to fine you for violations.
Why you should prepare for GDPR even if you don’t think you’re affected
Data protection is big business in Europe, and recent congressional hearings with Facebook and other big companies indicate that data privacy is gaining momentum in the US as well.
There’s a strong possibility that existing US privacy laws will expand. In fact, GDPR has already inspired a bill in California to regulate technology companies’ use of personal data on the internet. Bringing your business up to European standards can help ease the transition if any US privacy standards come out.
Plus, with data misuse under the spotlight, your customers want their information to be protected. You can build trust with a transparent data process.
GDPR compliance can be a huge headache, but it’s not as painful as a multi-million-dollar fine. Keep your data secure, and double check with a lawyer to make sure you’re compliant. And use the following tools to help you along the way: