What you need to know about GDPR

Top view of the office desk with coffee cup, Curriculum vitae paper with pen, computer monitor and keyboard. Hand is touching keyboard with inscription GDPR (General Data Protection Regulation)

(Yes, you do need to understand GDPR)

The question was simple enough, and yet, it was endlessly difficult to answer in a way that would make sense.

Just before Memorial Day, at a pool party, a social acquaintance asked me why he had been receiving so many emails from companies about updating their privacy policies.

“It’s just been endless. Why is everyone updating their policy and telling me about it?”

Privacy emails? Join the club

Chances are pretty high that you received a lot of emails, too. The reason all those companies updated their privacy policy? A new European law took effect on May 25, 2018. But it doesn’t affect just Europe. It’s the most far-reaching global privacy law to go into effect.

The European General Data Protection Regulation (GDPR) gives citizens and residents far more control over their personal data. It means tougher fines and regulations across all industries. Large, multinational companies are the most visibly affected and the ones we tend to think of most, especially if you’re only doing business in the United States. But thanks to the internet, every business — even small ones operating in Austin — need to be aware of how it might affect them.

Here’s something to think about  — do you run an online store? Do you run a newsletter? European visitors to your website or subscribers to your newsletter are covered under GDPR. And if you aren’t following it, you could face some serious fines

Here’s an overview of the GDPR:

  1. If you process EU consumer data — this includes third-parties involved in data processing (like newsletter services and payment processing) — you can be found liable for a breach.
  2. If someone doesn’t want you to process your data anymore, you MUST delete the data.
  3. If you are involved in large scale collection of customer or processing of sensitive data, you must appoint a data protection officer.
  4. You have 72 hours to notify national authorities about serious data breaches after you have detected a breach.
  5. Parental consent is required for children under a certain age accessing social media.
  6. Individuals also have the right to transfer their data from one service to another — easily.

Read the full set of GDPR rules

If you don’t collect of sell data in your business and have mostly US-based customers, you’re not likely to be examined right now. Regulators are looking at the big, global companies first — hence all of the emails.

But it would be a good idea to educate yourself and start taking steps now. We’ve pulled together some resources for you to read so you can evaluate and take action.

Here of some things you should consider:

  1. Talk to your business attorney.
    Nothing I recommend here is a substitute for sound legal advice. My attorney is a wealth of knowledge and I have her on speed dial. I would prefer to spend the money on her advice — it’s FAR less expense than fines down the road.
  2. Consider asking EU visitors to opt-in to use your site.
    You can subscribe to a GDPR-compliant cookie permission tool to do this. If you use analytics, marketing automation or digital re-targeting on your site, then you already have cookies.
  3. Make sure your newsletter subscription tool is GDPR complaint.
    Mailchimp has changed its platform to help companies be GDPR compliant. They already have opt-in permission available. Make sure the newsletter tool you use is GDPR compliant. EU members have to give you explicit permission to add them to your list, so you need to make sure you are doing things right.
  4. Update your privacy policy.
    This is where your attorney comes in. The GDPR states that your privacy policy must be easy to understand and transparent. Here’s what it needs to include:

    • Who you are and how you don’t share your customer’s data with anyone else.
    • Analytics and cookies that you use and what you generally use them for.
    • Why you send out emails, what tools you use, and how to unsubscribe.
    • Who to contact if they want to view, amend or delete data.
    • The date when the privacy policy was updated.

Resources

Now for the resources we promised. This is not an exhaustive list, but it should get you started:

Ecommerce platforms

Payment processors

Newsletters

CMS platforms

CRM platforms