There are a few things any business or website owner should know.
Who is subject to GDPR? In general, if you control or process personal data, then there are parts to the GDPR law that you must comply with. While this is a European Union law, it still applies to non-EU companies when the personal data being controlled or processed is that of a person residing in the EU. Yes, if somebody from the EU visits your website, and you gather personally identifiable information from them, then you must comply. Here is a good checklist to help you comply and navigate through your responsibilities.
How to Comply with GDPR
Next, as an American small business, you probably wonder how to comply with GDPR. We’re not going to summarize the entire law here, as there are plenty of resources on the web for that. But there are a few things you can do to comply:
- Take the time to know what data you are collecting, storing and processing. This is the baseline for understanding how you’ll need to protect data.
- Update your security measures to be GDPR compliant, including using encryption.
- Train your team to react to and report breaches within 72 hours.
When it comes to typical digital marketing and your website, keep these in mind:
- Make opting into your newsletters default to ‘opt out’ -- uncheck that box.
- Separate accepting terms and conditions from opting into a newsletter.
- Separate different channels to be contacted: SMS, Phone, Email, etc.
- Make subscribing and unsubscribing easy, so visitors can opt in or out without friction.
- If your contact forms include multiple parties on your end, make sure those are obvious.
- If you track cookies that are linked to personally identifiable information, provide an opt-in warning on your site with an acceptance button. You’ve likely been seeing more and more of these since May 28th.
What if I Have Fewer than 250 Employees?
Many small businesses with fewer than 250 employees may think they’re exempt, due to exemptions spelled out in the law regarding record keeping. However, any business that holds personally identifiable information must:
- Enact the privacy protection measures listed above
- React to individual data requests (for EU residents)
- Keep proper records
Data Rights for Individuals
Your site visitors under GDPR have the following rights:
- The right to know whether you have stored their data and, if so, what that data is.
- The right to know whether their data is being transferred to a third party.
- The right to a copy of all data being processed, including the right to request that it be transferred to another party.
- The right to have all their data erased without delay, or to have data processing cease.
GDPR and Cybersecurity
The importance of cybersecurity for your business, in general, cannot be overstated. With GDPR, there is now one more layer of responsibility. Should your company incur a data breach and NOT have taken the proper security measures or NOT react properly, you could be in for some European heat. Until GDPR, businesses were likely most concerned with sensitive data, such as social security numbers and financial information. Now, the scope of data that must be protected has broadened. The consent and the reaction to a data breach mentioned above need to be part of your cybersecurity plan. Finally, you’ll need to look at your physical network as well as your data storage and processing. If you don’t have one on staff, get an IT expert in to analyze your network to ensure you have proper protection. A simple firewall is no longer adequate.
Summary: Our Recommendations
Allocating time on your calendar towards getting compliant will be far easier and take less time than figuring out how to avoid it. Companies with fewer than 250 employees will be less likely to have a breach and will also be less likely to be targeted for audit or legal action by the EU authority. That said, it is good business to be transparent with your users/customers about their data, keep good records, encrypt the data, and reply to their requests around their individual data.