GDPR Compliance For US Businesses: Who It Applies to, and What Actions to Take
Over the last few weeks you have no doubt seen emails flooding your inbox from companies notifying you of privacy-policy updates made to comply with the GDPR. If you are unclear what the GDPR is, whether it applies to you, and what you need to do, you are in good company. According to HubSpot, only 36% of marketers have heard of the GDPR, and 15% of companies have done nothing to prepare. Fortunately, it is not too late to start working toward compliance.
This post provides a brief background on what the GDPR is, who it applies to, and step-by-step action items for working towards GDPR compliance.
What Exactly is the GDPR?
The General Data Protection Regulation (GDPR) is a data protection and privacy regulation of the European Union (EU), Regulation (EU) 2016/679, which has applied since 25 May 2018. It is sometimes loosely referred to as "the right to be forgotten", but that is only one of the rights it grants (the right to erasure). Its broader intent is to give individuals more control over their personal data and to increase the obligations and restrictions on organizations that collect or process personal data.
As a US Business, Does GDPR Apply to Me?
The GDPR is not limited to businesses established in the EU. Under its territorial scope (Article 3), a US business with no EU presence is still covered when it processes personal data of people who are in the EU in connection with offering them goods or services, or with monitoring their behaviour. So if you have customers, business partners, or other contacts in the EU, or you deliberately market to people there, you can be subject to it, whatever the size of your business.
Here is an example of how a US business without EU customers can still be affected. Most websites today run tracking cookies (think Google Analytics). Those tools record visitors' IP addresses, and the GDPR treats online identifiers such as IP addresses as personal data (Recital 30). If someone from the EU visits your website, you are collecting and storing their IP address, and tracking what they do on your site is exactly the kind of behavioural monitoring Article 3 describes. In practice, a large share of businesses with a modern website should assume the GDPR applies to them.
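The point above is that raw IP addresses in analytics or web-server logs are personal data the moment an EU visitor arrives. One practical mitigation is to truncate the address before it is stored, the same idea as Google Analytics' IP-anonymization option (drop the last octet of IPv4, keep only the first 48 bits of IPv6). The following is an added example written for this post, not code from the original page or from any analytics vendor; the combined-format log lines are constructed sample data, and the choice of /24 and /48 prefixes is an assumption you should confirm against your own data-protection assessment.

```python
import ipaddress

def anonymize_ip(addr: str) -> str:
    """Return addr with host-identifying bits cleared.

    IPv4: zero the last octet (keeps the /24).
    IPv6: zero everything after the first 48 bits (keeps the /48).
    Raises ValueError if addr is not a valid IP address.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48   # assumed prefixes, see lead-in
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)

def scrub_log_line(line: str) -> str:
    """Anonymize the client address in a combined-format access log line.

    The client address is the first space-separated field. If it does not
    parse as an IP address it is replaced with "-" rather than kept, so the
    scrubber fails closed and never retains an unexpected identifier.
    """
    first, sep, rest = line.partition(" ")
    try:
        first = anonymize_ip(first)
    except ValueError:
        first = "-"
    return first + sep + rest

# Constructed sample log lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.77 - - [01/Jun/2018:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::5678 - - [01/Jun/2018:12:00:01 +0000] "GET /blog HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage-client - - [01/Jun/2018:12:00:02 +0000] "GET /x HTTP/1.1" 400 0 "-" "-"',
]

def scrub_log(lines):
    """Anonymize every line of an access log before it is written to storage."""
    return [scrub_log_line(line) for line in lines]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Truncating the address before it hits disk reduces how identifiable the stored record is; it does not by itself settle whether setting the cookie in the first place needs consent, which is a separate question for your legal review.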
What Does GDPR Mean for Marketing Efforts?
As a business owner or marketing professional, your head must be spinning with these new GDPR rules and requirements. Whether or not it intended to do so, the GDPR will restrict the use of marketing tactics like purchasing lead lists, cold email marketing, and collecting/storing prospect data without express permission. It will instead shift focus towards inbound marketing practices like content marketing, social media marketing, branding, and search engine optimization (SEO).
This is not necessarily a negative aspect of the GDPR: inbound marketing tends to attract more viable customers, because the people who come to you are the ones who already found your content interesting.
What Steps Should I Take to Make Sure I Comply With GDPR?
The road to GDPR compliance is long and full implementation will take a while; however, there are a few important steps you should take immediately. They are outlined below.
1. Inventory the types of personal data you collect. This could be email addresses, phone numbers, visitor IP addresses, etc. Note that you do not need to collect the actual individual data at this stage, just the type. For example, you do not need a list of every email address in your database; you just need to list "email addresses" or "IP addresses" as a type of data you collect.
2. Document data usage. Document what you use the collected data for, and where and how you store it. (For example, your business might collect email addresses to send a weekly blog post to your customers.)
3. Notify your customers, business partners and anyone you email. The message you send can differ depending on whether you are sending it to people in the US or in the EU.
4. Collect opt-in records for EU resident contacts. Set up a list in your email marketing software to collect opt-ins from EU residents who want to continue receiving your communications. Keep a record of when and how each person opted in; under the GDPR you must be able to demonstrate that consent was given. Those who opt in can stay on your mailing list.
5. Data storage and removal. After one week, remove from your database the people on the EU resident list who have not opted in. Note: the fact that someone is your customer or client does not count as having "opted in". Under the GDPR, EU residents must actually and expressly opt in, regardless of customer status.
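Steps 3 to 5 above amount to a small decision procedure over your contact list: EU residents with an explicit opt-in stay, EU residents who were never notified still need the notice, and EU residents notified more than a week ago with no opt-in on record get removed, with customer status playing no part in the decision. The following is an added example written for this post, not code from the original page or from any email-marketing product. The `Contact` record, the field names and the sample contacts are all constructed assumptions; in practice the fields would come from your CRM or mailing-list export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GRACE_PERIOD = timedelta(days=7)   # the one-week window from step 5

@dataclass(frozen=True)
class Contact:
    """Assumed shape of one mailing-list record (not any vendor's schema)."""
    email: str
    eu_resident: bool
    is_customer: bool                   # deliberately ignored below: customer != opted in
    notified_at: Optional[datetime]     # when the opt-in request (step 3) was sent; None if not yet
    opted_in_at: Optional[datetime]     # explicit opt-in captured via step 4; None otherwise
    opt_in_source: Optional[str] = None # evidence of how consent was given, e.g. "web-form"

def has_explicit_opt_in(c: Contact) -> bool:
    """Consent counts only if it was actively given AND you can show where it came from."""
    return c.opted_in_at is not None and bool(c.opt_in_source)

def triage(contacts: List[Contact], now: datetime) -> Tuple[List[str], List[str], List[str]]:
    """Split contacts into (keep, notify, purge) lists of email addresses.

    Non-EU contacts are kept as-is; the EU-specific steps do not apply to them.
    """
    keep, notify, purge = [], [], []
    for c in contacts:
        if not c.eu_resident or has_explicit_opt_in(c):
            keep.append(c.email)
        elif c.notified_at is None:
            notify.append(c.email)                  # step 3 not done yet for this contact
        elif now - c.notified_at >= GRACE_PERIOD:
            purge.append(c.email)                   # step 5: a week has passed, no opt-in
        else:
            keep.append(c.email)                    # still inside the window, wait
    return keep, notify, purge

# Constructed sample data: a fixed "now" so the example is reproducible.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE_CONTACTS = [
    # paying customer, notified 10 days ago, never opted in -> purge (customer status does not help)
    Contact("alice@example.eu", True, True, NOW - timedelta(days=10), None),
    # opted in through the web form -> keep
    Contact("bob@example.eu", True, False, NOW - timedelta(days=10), NOW - timedelta(days=3), "web-form"),
    # never notified -> notify
    Contact("carol@example.eu", True, False, None, None),
    # notified 2 days ago, still inside the window -> keep for now
    Contact("dan@example.eu", True, False, NOW - timedelta(days=2), None),
    # US contact -> keep, EU steps do not apply
    Contact("erin@example.com", False, True, None, None),
]

if __name__ == "__main__":
    keep, notify, purge = triage(SAMPLE_CONTACTS, NOW)
    print("keep:  ", keep)
    print("notify:", notify)
    print("purge: ", purge)
```

Run this against a real export only after you have decided what counts as evidence of consent in your own systems; the example treats a missing `opt_in_source` as no consent, which is the conservative reading but may be stricter than your records warrant.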
So What Happens if I am Not in Compliance?
If an organization does not process an individual's data correctly or fails to follow GDPR requirements, the fines can be steep: up to €20 million or 4% of worldwide annual turnover, whichever is higher. Though the numbers look scary, UK Information Commissioner Elizabeth Denham has stated, "We're not going to be looking at perfection, we're going to be looking for commitment." The regulators do not intend to make examples of organizations by issuing hefty fines where they are not deserved. The best course of action is to prepare your business to be GDPR compliant and to have the appropriate data and security policies in place as soon as possible.
Without a doubt, the GDPR has set a higher bar for marketing professionals. Marketing tactics that are not designed with GDPR compliance in mind will not survive. This will require marketers and business owners to be more innovative with their strategies, but it will also result in more creative and conscientious marketing practices.
Next week we will be releasing a follow-up blog on how to properly collect, store and process data in a way that is GDPR compliant. Very important for anyone with marketing lists or customer databases (so basically, everyone.)
Disclaimer: This blog post is not intended to provide legal advice to help your company comply with the GDPR. We are providing background and information on the GDPR only. Any legal information mentioned above is solely for the purpose of supplying facts and details regarding the GDPR. You may not rely on this blog as legal advice nor as a recommendation of any particular legal understanding.