GDPR for American Businesses
The first thing to cover is that this is not legal advice. This is a distillation of over thirty blog articles and our take on GDPR from our friends at the European Union (EU). First, let's cover what GDPR stands for. GDPR stands for General Data Protection Regulation and is ultimately designed to protect consumers. Personally, I feel this is a very good thing, and if the United States legislature gets it right they will copy it, as it forces businesses to be more transparent and honest (our rule #1) and helps make the internet a place people will want to be. In America we might think these rules do not apply to us. In the age of the internet we would be completely wrong. The internet makes even a brand new, just-opened-today, one-person shop into an international business whether intended or not. Let's look at what businesses need to do, at a high level, to comply with GDPR.
Article 3 of the GDPR states that if you offer goods or services to, or monitor the behavior of, people who are in an EU country, your company is subject to the requirements and rules of GDPR even if it has no presence in the EU. What matters is where the person is at the time you collect or process their data, not their citizenship. The second part of this article is that money doesn't have to change hands: the regulation applies "irrespective of whether a payment of the data subject is required." Collecting information for a mailing list (electronic or snail mail), running a marketing survey, or holding anything that identifies a consumer (personally identifiable information, PII) is enough, and that data then has to be protected GDPR-style.
GDPR is a hot topic and comes with huge fines (up to 4% of worldwide annual turnover or 20 million euros, whichever is greater) that could put a business, even a large business, out of business, so making certain that you comply is important. Below are the high-level items we have implemented over the last 24 months for our clients. They are in no particular order; they are simply the items we have implemented.
- Create an implementation team – this is the team responsible for making certain your organization stays in compliance with the latest laws, for GDPR as well as any future laws of this kind.
- Locate and understand your data – You need to know what personal data you hold, where it lives (databases, spreadsheets, backups, third-party tools), and how it relates to your consumers. You cannot protect, export, or report on data you cannot find. As part of this law you must be able to handle a data breach: the supervisory authority has to be notified within 72 hours of your becoming aware of a breach, and the affected people notified without undue delay when the breach is likely to put them at high risk.
- Training – Educate and train your staff on what GDPR is, how it affects your company, and what you need to do for compliance. Everyone who touches customer data should understand what information is collected, how it is used, and why you have it.
- Personal data is not all the same. You need to be able to tell the consumer, if requested, what information you have on them. This covers not only name and email but physical address and any other identifying information, and GDPR singles out "special categories" (sexual orientation, sex life, health, religion, political opinions, and the like) for extra protection and a higher bar before you may process them at all. Although the law went into effect on May 25, 2018, it applies to all personal data you hold, including data collected before that date.
- It is your job to make certain your information is protected. If you use a cloud provider, you cannot "assume" you are safe. Yes, you might pay them to protect your data with a firewall and so on, but you are the controller of the data you collect and save and you remain responsible for it; the provider is a processor acting on your instructions under a written contract, and their security is a shared responsibility, not a hand-off.
- Ask for permission, and record that you got it. Where you rely on consent (registering for a mailing list, collecting information for marketing, etc.) it must be a clear affirmative act: no more pre-checked "yes I agree" boxes, only unchecked boxes the person actively ticks, and you need to be able to show when and to what they agreed. If there is information you don't need, don't ask for it. Keep yourself protected by collecting only what you need; data you never stored cannot be breached.
- Be prepared to provide consumers who ask what information you have on them, quickly and completely. If asked, you need to provide everything you hold on them: cookies, profile details, order history, support tickets, anything. This applies to data collected offline (in a physical store) as well as online. The answer is due within one month of the request; that can be extended by two further months for complex requests, but you must tell the person within the first month why.
- If you have a physical store and nothing online, this still applies to you if you take credit cards or other personal details from someone who is in the EU.
- Review your current privacy notices for what you collect and keep. Be as clear as possible and do not use legalese when writing your privacy policies. All too often we see lawyers adding so much mumbo-jumbo it would take a team of lawyers to guess what you are implying. GDPR actually requires that notices be "concise, transparent, intelligible and easily accessible," in "clear and plain language," so keeping them simple and short is not optional.
- If you have an age requirement, make certain your system is as foolproof as possible. Under GDPR, consent from a child under 16 (member states may lower this to 13) for an online service requires a parent's or guardian's authorization, so a simple "I am over 18" checkbox is a weak control.
- Have a secure way, outside of email, for people to send you anything they feel is sensitive. A good approach is a form on your website that accepts the information and does NOT forward it by email (email leaves copies in mailboxes, backups, and mobile devices you do not control). Keep the submission stored on the server with access restricted to the few people who need it and encrypted at rest where you can, serve every page of your website over HTTPS (TLS) rather than only the form page, and log who reads the data so you can answer the question "who had access?" after an incident.
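To make two of the items above concrete (the explicit opt-in and data-minimization point, and the subject-access export), here is a small worked example. This is added illustration, not code from the original article or from any GDPR framework; the function names, the `marketing_opt_in` field, the `ALLOWED_FIELDS` allowlist, the notice version label, and the in-memory `STORE` standing in for a real database are all assumptions made for the example.

```python
"""Added example (not part of the original article): server-side handling of an
opt-in signup with data minimisation, plus assembling a subject access export.
Names, fields and the in-memory STORE are assumptions for illustration only."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

PRIVACY_NOTICE_VERSION = "2018-05-25"   # assumed label of the notice the user saw
ALLOWED_FIELDS = {"email", "name"}       # data minimisation: everything else is dropped

# Constructed in-memory stores standing in for the tables a real site would hold.
STORE = {"subscribers": {}, "consents": [], "orders": {}}


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence that a specific person agreed to a specific purpose, when, and
    under which version of the privacy notice."""
    email: str
    purpose: str
    notice_version: str
    granted_at: str      # ISO-8601 UTC timestamp
    source: str          # where the opt-in was captured (form, POS terminal, ...)


class ConsentError(ValueError):
    pass


def _utcnow_iso(now=None):
    return (now or datetime.now(timezone.utc)).isoformat()


def process_signup(form, source="web-form", now=None):
    """Accept a mailing-list signup only on an explicit, affirmative opt-in.

    A browser sends 'on' for a ticked checkbox and omits the field entirely for an
    unticked one. The server cannot tell whether the template pre-ticked the box,
    so the template must render it unticked; what the server CAN enforce is that a
    missing field means no consent, and that no default of 'yes' is ever assumed.
    """
    if form.get("marketing_opt_in") != "on":
        raise ConsentError("signup rejected: no affirmative opt-in")
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        raise ConsentError("signup rejected: a valid email is the minimum needed")
    # Keep only the fields we can justify; an unexpected 'phone' or 'dob' is dropped
    # rather than silently stored.
    kept = {k: v.strip() for k, v in form.items() if k in ALLOWED_FIELDS}
    kept["email"] = email
    STORE["subscribers"][email] = kept
    record = ConsentRecord(email, "marketing-email", PRIVACY_NOTICE_VERSION,
                           _utcnow_iso(now), source)
    STORE["consents"].append(record)
    return record


def export_subject_data(email):
    """Assemble everything held on one person, across every store, for a
    subject access request. Missing sections come back empty, not omitted,
    so the reader can see each category was actually checked."""
    email = email.strip().lower()
    return {
        "subject": email,
        "generated_at": _utcnow_iso(),
        "profile": STORE["subscribers"].get(email),
        "consents": [asdict(c) for c in STORE["consents"] if c.email == email],
        "orders": STORE["orders"].get(email, []),
    }


def export_subject_data_json(email):
    return json.dumps(export_subject_data(email), indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample submissions.
    ok = process_signup({"email": "Ann@Example.org", "name": "Ann",
                         "marketing_opt_in": "on", "phone": "555-0100"})
    print("stored consent:", ok)
    try:
        process_signup({"email": "bob@example.org", "name": "Bob"})  # box left unticked
    except ConsentError as e:
        print("rejected:", e)
    STORE["orders"]["ann@example.org"] = [{"id": "A-1", "total": "19.99"}]  # constructed
    print(export_subject_data_json("ann@example.org"))
```

Two design points: the only thing stored about consent is the evidence you would need to show a regulator (who, what purpose, which notice version, when, where), and the export deliberately returns every category even when empty, so that a missing category shows up as a gap in your data inventory rather than being hidden.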
When it comes to complying with GDPR you need to take full responsibility for making certain your company is in compliance. GDPR will not only protect the consumers you do business with but, in the long run, will make your business ready to grow and to comply with the laws that follow it. We expect the United States to start from the current GDPR and look for ways to extend it, as that's what governmental units do.