GDPR is the “General Data Protection Regulation.” It is a major upgrade of EU privacy rules: it took effect May 25th, 2018, compliance can be complex, and violations can be very expensive (fines of up to €20 million or 4% of your company’s worldwide annual turnover, whichever is higher).
But this is a regulation for the EU – the European nations which are members of the European Union.
Big sigh of relief. We don’t have to worry about it. It doesn’t affect us.
Not so fast.
The regulation applies to any company established in the EU, and also to companies outside the EU that offer goods or services to people in the EU or monitor their behavior (for example, by tracking their browsing). So it can apply to a U.S. based company, whether or not it has an office in Europe.
That being said, there are MANY questions no one knows the answer to about how this will apply or be enforced, especially with regard to U.S. based companies.
What are you supposed to do, when even big multi-national corporations are scratching their heads over compliance? You aren’t going to spend tens of thousands of dollars for a legal opinion that is going to be an educated guess anyway.
So with a warning that I am not a lawyer, use at your own risk the following information summary and recommendations.
Does it apply to my company?
If you have customers in Europe, it applies. If you solicit business in Europe, such as by running Facebook Ads in Ireland, quoting prices in euros, or having web pages in Danish, it applies. If the occasional European wanders onto your website, it still theoretically applies (especially if your analytics or ad tags track that visitor), but almost certainly no one is going to care or do anything about it.
How will compliance be enforced on a U.S. based company that doesn’t have an office in Europe?
No one knows.
Are there ways in which my business will be affected, without my taking action, and even though it doesn’t apply to my business?
Yes. At this point the clearest example is Google, which has changed its data retention policies BY DEFAULT. Google Analytics now has a Data Retention setting (under Admin, Property, Tracking Info). The default is 26 months, after which user-level and event-level data is automatically deleted on a monthly basis; you can choose 14, 26, 38 or 50 months instead, or “Do not automatically expire.” Aggregated reports are not affected, but any report that relies on user-level detail older than the retention period will be trimmed. Changing the setting is easy, but you have to do it.
Another example affects our business, though exactly how, we don’t yet know. The Internet has a system called “Whois” that makes it possible to look up information about a domain and possibly its owner. ICANN’s contractual requirement that registrars publish the registrant’s name, address, email and phone in Whois is in direct conflict with the requirements of the GDPR, and registrars have started redacting those fields. No one knows yet how this is going to shake out. It may well make it more difficult, for example, to move a domain from one registrar to another, since transfer approvals have relied on the contact email address in the Whois record.
There may well be other important examples. Anywhere you rely on a third party to supply information about other people on the Internet (a lookup service, a data broker, an ad or analytics platform), that supply may be affected by the GDPR.
What do I need to do to comply?
The GDPR is complex. There are many articles available now online explaining how it works, its consequences and how to comply. These articles don’t all agree with each other, but a few basics are clear. GDPR is about the privacy of personal information. The GDPR term is “personal data,” which is broader than the U.S. term PII (Personally Identifiable Information): it includes online identifiers such as IP addresses and cookie IDs. If you collect personal data, you need to tell site visitors what you collect and why (a privacy notice), you need appropriate security measures to protect it, and you need to notify the supervisory authority of a data breach (a hack of personal data) within 72 hours of becoming aware of it. You’ve probably seen some of this in notifications on the use of “cookies.” Another application is requiring “opt-in” to receive email newsletters rather than someone having to “opt-out” – consent has to be an active choice, so a pre-ticked box doesn’t count – since you are retaining at least their email address.
Many companies are avoiding much of the complexity by out-sourcing data collection. For example, if your contact forms go only to a third party marketing automation platform such as Infusionsoft or MailChimp, your exposure is limited, but not eliminated: you are still the “controller” of that data, the platform is your “processor,” and the GDPR expects a data processing agreement between you (the big platforms publish one you can accept). There are also now WordPress plugins available to assist with compliance.
Smaller US based companies, unless they have considerable involvement with European customers, should have little to be concerned about. It’s important to be aware of the potential issues and to deal with them as you need to – but not go overboard.
Will the U.S. adopt similar regulations?
It’s possible, but very unlikely to happen anytime soon at the federal level. The U.S. has a default business-friendly attitude, unlike the EU. You have plenty of things to worry about; this isn’t one of them.
So there you go – an introduction to GDPR. Again, I remind you I am not a lawyer, and use this info at your own risk. I hope this helps.