What Do US Based Business Owners Need to Know About GDPR?
There has been, and will likely continue to be, a lot of news about the GDPR. This article serves as a starting point for US-based small business owners. Our hope is that you will find some useful information and seek direction from your legal team on what actions, if any, you need to take to be compliant.
First, what is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation that went into effect on May 25, 2018. This is a very broad regulation, put into effect by the European Union, which requires businesses to protect the personal data and privacy of EU citizens. The regulation has significant ramifications for non-compliance.
Second, what data does the GDPR protect?
The GDPR protects personal information. Many businesses are familiar with standard PII (Personally Identifiable Information), but the GDPR takes PII to a new level. Examples of privacy data GDPR aims to protect are:
- Name, address, and ID numbers (think social security numbers, driver’s license, etc.)
- IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric data
- Racial/ethnic data
- Political opinions
- Sexual orientation
Even small companies doing basic internet marketing and re-marketing, email campaigns, and encouraging visitors to their websites collect some, if not all, of this data. If you have never seen it, ask your marketing director to show you your company’s Google Analytics page.
Third, which companies have to comply?
This is perhaps the most perplexing issue facing most small, US-based, local businesses. The GDPR requires a company to comply if it:
- Has a presence in an EU country
- Does not have a presence in an EU country, but processes personal data of EU residents
- Has more than 250 employees
- Has fewer than 250 employees, but its data processing has an impact on EU residents, is not occasional, or includes sensitive personal data
If that last bullet point sent a chill up your spine, then you have likely seen the hefty fines this new law imposes on those companies that fail to comply. The maximum penalty is 20 million euros (about $23.3 million USD) or 4% of the company’s worldwide revenue, whichever is higher. Keep in mind that the maximum penalty is designed for serious offenders.
Fourth, what if my company does not impact EU residents?
Many of my clients, small businesses and their owners, have commented that they do not process EU residents’ data, so they do not see any concern. The potential problem with this outlook is two-fold.
First, you may be processing such data and not even realize it.
If you own a website, anyone in the world with internet access can visit your company’s “store”. Perhaps you have an e-newsletter? Perhaps you use Google Analytics, cookies, or other “pixels” embedded in your website that collect personal data protected under the GDPR. There are many variables in play with this new law, so it is critical to review the data you collect and from whom that data is collected.
Second, the GDPR is very broad in scope, and we know how it is affecting large companies. However, there are movements in the US to create similar data protection laws as you read this. While it may be 1, 2, or 5 years in the future, it is clear that the US will eventually pass a similar type of law that WILL impact your US-based small business.
Whether the GDPR directly affects your business or not, there are some basic ‘best practices’ you can implement with a little time and effort.
- Audit your data. Review the data you currently have on customers, clients, and others. Is the data you have necessary? If not, stop collecting it and consider (talk to your attorney) destroying it.
- Review your service providers and the data they store. If you have an e-newsletter, what data is stored on your service provider’s system? Is it necessary?
- Update your website security and privacy disclaimers. If you are a US based small business, with no sales or solicitation in the EU, update your website security and privacy disclaimers to state this. Let your site visitors know what type of data you collect (either directly or indirectly) and why you collect that data.
- Pop ups. Do you have a “subscribe here” button or action on your website? If so, consider adding an additional button or pop-up that requires users to acknowledge and consent to your collection of their personal data. Also, make sure you are only sending them the information they requested. For example, if I request a white paper on GDPR compliance and the company starts sending me emails about some new fidget spinner they are selling, they are likely in violation of the GDPR.
- Remember the “OPT OUT”. A big chunk of the GDPR is aimed at ensuring EU residents have the ability to be forgotten by your company and request the info your company has on them. If someone requests to be forgotten, comply with that request (even if they are not an EU resident… that is just good business).
If you are still not sure what all the fuss is about, we encourage you to visit https://gdpr-info.eu/ to learn more about the scope and breadth of the GDPR. If you need additional guidance or have specific questions, please feel free to give us a call at (636) 385-1222.