Unless you’ve been in a coma for the past month, you’ve probably heard about the GDPR, even if you didn’t necessarily realize it. Have you been getting a flood of emails about updated privacy policies? Have you seen new pop-ups on some websites asking you to review and update your cookie settings? Have your marketing managers been walking around in a huff? Well, that’s the GDPR in action.
The new regulation has been talked about often, not to mention that the effects of it can be felt pretty heavily. Even so, there is a lot of mystery about what the regulation will involve.
Multi-million dollar publications like HuffPost certainly have the extra capital to expend on becoming compliant. But what if you’re a small business over here in the US? What do you need to do? Do you need to do anything? We’re going to answer all your questions (and maybe even answer some you didn’t know you had).
What Is It?
First things first: the GDPR (which stands for General Data Protection Regulation) is an overhaul of the European Union’s data laws. It effectively replaces the Data Protection Directive (also called Directive 95/46/EC) from 1995, which was the last major law that addressed data processing in the EU. Being over 20 years old, the Data Protection Directive was horribly ill-equipped to handle the challenges of modern-day data processing.
The GDPR is a regulation that aims to crack down on the improper use of personal data (defined as any data that can be used to directly identify a person).
The GDPR officially went into effect on May 25, 2018, but it was approved about two years earlier, on April 14, 2016, by the EU Parliament.
Note that it affects controllers and processors alike. A controller is the company that collects the data. If you’re a store that sells watches online, it’s likely that you’re the controller. A processor is the system that stores and processes this data. If you use Google Analytics on your site, Google is the processor for that information. Both of these are liable under the new law. Both of them.
What are the points of the regulation?
Note that there are a few others besides these, but these are the most pressing ones.
The GDPR applies not only to companies located within the EU but also to companies that do business with (or track data of) EU citizens. This means if you’re an American company that sells exclusively to French citizens, you’re subject to the regulation in exactly the same way a French company would be.
One of the biggest changes introduced by the GDPR is that consent to process data must come from the user on an opt-in basis. For example, take a look at the screenshot below. It shows a list of advertising partners that collect data from HuffPost’s site. Notice how the bars are unchecked by default. If, in response to the cookie notice above in the article, you simply clicked “done,” the default action would be that no cookies would be placed on your system. If, instead, the bars were checked by default, HuffPost would be violating the GDPR.
This also means that any and all tracking/cookies should not be able to work until the user has specifically opted in to them.
Businesses are legally required to notify their users within 72 hours if any data breach occurs that is likely to “result in a risk for the rights and freedoms of individuals.”
Data processors are also required to notify their controllers if they discover a data breach. For example, if Google discovered a data breach in its Google Analytics platform, it would be required to notify all EU companies that used that technology immediately.
Users’ Right to Access
All users have the right to request a copy of all personal data a business has collected on them, as well as what that data was used for. This copy must be comprehensive, free, and provided in an electronic format.
Right to be Forgotten
This is perhaps the murkiest point of all. Right to be forgotten allows someone to request that the data controller (business) erase all of their personal data, immediately stop processing it, and force any and all third parties to stop processing it as well.
One GDPR interpretation website mentions that “this right requires controllers to compare the subjects’ rights ‘to the public interest in the availability of data’ when considering such requests.” As of now, the legal meaning of that phrase is yet to be determined.
To put into perspective just how massive this is, let’s propose a hypothetical scenario. Let’s say you run a massive social media site, and that you package up your users’ data and sell it to advertisers (as most do). Let’s also say that one company who buys the data uses it to determine whether or not you often view pages about electronics. If you do, they use that data to target you with electronics ads.
Under the new regulation, if a user of your social media platform requests to be forgotten, you must immediately stop collecting and distributing their data, and you must force the company who uses that data for advertisements to stop using that data as well.
Data Protection Officers
This almost certainly won’t apply to your business, but large businesses and public officials will be required to hire data protection officers who will be in charge of handling all GDPR-compliance-related tasks.
How Will it Affect My Business?
The first thing you should know is that, unless you collect and sell user information to third parties, which basically no small business does, the GDPR will have little to no effect on you. If you do collect and sell user information to third parties, you should contact a GDPR-compliance consultant immediately, because nothing in this article will be of much use to you.
Small US-only Business
The regulation itself will not affect your business in any way. It’s possible that the shifting worldwide view on privacy will cause your customers to demand more transparency about your data-processing practices, but that remains to be seen.
Small US Business with EU Customers
The regulation will require that you put into place systems that will allow your customers to have better control of their data. You will almost certainly need to hire an outside firm or developer to help you achieve compliance.
Should you fail to comply and are discovered, you will be fined 4% of annual turnover or €20 million, whichever is greater.
How Do I Become Compliant?
Small US-only Business
You don’t have to do anything. But if you decide you’re afraid a similar regulation will come to the US, follow the steps listed for small US businesses with EU customers to get a rough sense of what you’ll need to do.
Small US Business with EU Customers
As a US company that does business in the EU, you’ll probably have two major obstacles to overcome: Google Analytics and user accounts.
For Google Analytics, you will need to turn on its IP anonymization feature. For instructions on how to do so, head here.
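The opt-in rule described earlier and the IP anonymization step fit together in the page’s own scripts: no tracker should be created until the visitor ticks a box, and when it is created, anonymizeIp should be set before the first hit is sent. The following is an added example (not code from the original post or from webFEAT) of that gating, using the Universal Analytics analytics.js command API; the tracking ID, the category names and the stored-record format are constructed for the example.

```javascript
// Added example, not code from the original post: a consent-gated analytics.js loader.
// Every category is unchecked by default, so clicking "done" without ticking anything
// yields an all-false record, no tracker is created and no cookie is set.
// 'UA-XXXXXXXX-Y' is a placeholder, not a real tracking ID.
const CATEGORIES = ['analytics', 'advertising'];
const TRACKING_ID = 'UA-XXXXXXXX-Y';

// Opt-in default: nothing is allowed until the user says so.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Turn the banner's ticked checkboxes into a consent record; unknown names are ignored.
function consentFromBanner(ticked) {
  const consent = defaultConsent();
  for (const c of ticked) if (c in consent) consent[c] = true;
  return consent;
}

// Read a stored record; absent, malformed or non-boolean values mean "no consent".
function parseConsent(raw) {
  const consent = defaultConsent();
  if (typeof raw !== 'string') return consent;
  try {
    const stored = JSON.parse(raw);
    for (const c of CATEGORIES) consent[c] = !!stored && stored[c] === true;
  } catch (_) { /* corrupted storage: keep the all-false default */ }
  return consent;
}

// analytics.js commands for a consent state: none without analytics consent; otherwise
// create the tracker and enable IP anonymization before the first hit is sent.
function analyticsCommands(consent, trackingId) {
  if (!consent.analytics) return [];
  return [['create', trackingId, 'auto'], ['set', 'anonymizeIp', true], ['send', 'pageview']];
}

// Browser glue: queue the commands and inject analytics.js only after opt-in.
function applyConsent(consent) {
  const commands = analyticsCommands(consent, TRACKING_ID);
  if (commands.length === 0 || typeof document === 'undefined') return commands;
  window.ga = window.ga || function () { (window.ga.q = window.ga.q || []).push(arguments); };
  commands.forEach((cmd) => window.ga(...cmd));
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.google-analytics.com/analytics.js';
  document.head.appendChild(s);
  return commands;
}
```

Wire `consentFromBanner` to the banner’s “done” button and call `applyConsent(parseConsent(localStorage.getItem(...)))` on later page loads; the same all-false default means an expired or corrupted record never re-enables tracking.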
Next, you must put processes in place to handle data deletion. Remember, any username, email address, etc. counts as personally identifiable information. You’ll need to be able to provide users with a copy of their data and delete it all from your system if necessary. You can do this either manually or set up systems to do it automatically, depending on how many requests you expect to get.
Follow webFEAT Complete for More
If you want more information about how the world of digital marketing affects your small business, you’ve come to the right place. Each week we post blogs about marketing techniques and industry news. But most importantly, we make sure our work always goes out to help business owners. Subscribe to our newsletter today.