I sent the following email to my clients to catch them up on some major changes coming on May 25th, 2018 to how data and privacy on the Internet are handled, changes driven by the European Union (EU) that will affect US businesses. I hope it is helpful for you as well.
Over the past few months, you have been seeing a bunch of emails about updates to privacy policies and the General Data Protection Regulation (GDPR) in Europe, but have probably wondered how this affects your business here in the US. You may have even thought “I don’t do business in the EU, I don’t need to do anything.” I am telling you, YES, this will affect your business and you have some work to do.
DISCLAIMER! I am NOT a lawyer and the information below is just to inform you of things that are happening and what I am doing to be compliant myself. Some of the scenarios will help you, some won’t. Seek the advice of a professional for your exact situation!
What is GDPR?
GDPR is the General Data Protection Regulation instituted by the EU that goes into effect on May 25th, 2018. It’s a major new piece of European regulation that addresses how EU user data can be used by businesses and introduces strict new rules around gaining people’s consent to process their data.
Who does it affect?
Any organization that is handling Europeans’ data is affected, regardless of where it is in the world. Even if a company has no offices in Europe, and its employees have never set foot on the continent — if they’ve got EU data, they’ve got to play by EU rules.
What happens if a company doesn’t comply with GDPR?
Organizations in violation of the GDPR won’t just get a slap on the wrist — there are some serious potential penalties. A company in breach of GDPR can be fined up to 4% of their annual global turnover (i.e. not just revenues generated in Europe) or €20 million, whichever is higher.
The basics of the regulation as I understand it (Again, I am not a lawyer!):
- The regulation applies to any website accessed from within the EU. It is not just for EU residents or citizens. If you target someone from the States who travels to Europe and they open your website from a newsletter while in Europe, they and you fall under EU rules.
“Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.”
- The Regulation is about making EU users aware of how their data is used, through transparent collection, processing, storage, and usage of Personally Identifiable Information (PII). If you collect data on your site (think analytics, forms, signups, credit cards), you need to tell people what you are collecting and what you are using it for, and for people who access your site from Europe you can only use that data for that stated purpose.
- You must be granular, clear and forthcoming about how you intend to use the collected data. No smoke and mirrors here. If someone in the EU signs up for one mailing list, you can’t add them to another list. If you want to add them to multiple lists, they must positively opt in to each list individually when they sign up.
“…when a customer signs up for a service or buys something…the vendor will need to obtain explicit permission for each type of processing done on the personal data (i.e., email promotions or sharing with third-party affiliates will have separate opt-ins/checkboxes).”
- Data breaches must now be reported to EU regulators within 72 hours if they affect EU users. If the data breach involves passwords or credit card numbers, you must also notify the affected users.
- Users must be able to move or copy (data portability) or remove (right to be forgotten) their data from your systems.
- Nurture sequences and lead magnets: the regulation is not super clear here. We do know there is no bait and switch. If you offer a free white paper on your site and an EU user requests it, emailing them that white paper is the only way you can use their email address, because that is what they asked for. You cannot add that address to your email list, because that was not what the user intended when they gave it to you. You must give them the free white paper you offered, then ask them to add themselves to the email list explicitly.
- If you only have one email list and subscription is done through your website only, you should be covered. They did the work to add themselves to the email list, and that is what you told them it was for. You are likely covered.
Steps to take to get ready for GDPR
Your web development team should be able to help with many of these items, but some of them are out of their control, and you will need to work with your team to determine how you will handle the regulation going forward.
- Audit your data! Identify data coming from or going to EU users, and if they were not the ones who added themselves to your list, reach out to them before May 25 to get permission to keep sending them correspondence.
- Determine who is going to be in charge of your GDPR compliance. A lawyer, you, someone else?
- Review and redesign your opt-in forms and lead capture items to include a Yes/No drop-down or checkbox for every single use case of data you have (general emails, white papers, sales specials, etc.).
- Review your third-party vendors (Mailchimp, Constant Contact, Aweber, Google Analytics, etc.) and review your third-party agreements. If they can’t prove their compliance with GDPR, the work they do for you in the EU is illegal!
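To make the per-purpose opt-in concrete, here is an added example of how a site could handle a lead-capture form on the server side. It is not code from the original email or from any of the vendors named above; the field names (`consent_whitepaper` and so on), purpose list and wording are assumptions for illustration. The point it demonstrates is that each purpose is a separate, affirmative choice, a missing or unchecked box means no, requesting the white paper never implies the newsletter, and the record keeps the wording that was shown and the time consent was given.

```javascript
// Added example (not from the original post): server-side handling of a
// lead-capture form with one checkbox per purpose. Field names, purpose ids
// and wording are assumptions for illustration.

// Each purpose the form can ask for, with the wording shown next to its box.
const PURPOSES = {
  whitepaper: 'Email me the free white paper I requested',
  newsletter: 'Add me to the monthly newsletter',
  promotions: 'Send me sales specials',
};

// Turn a raw form submission (a plain object of field -> value) into a consent
// record. Only an explicit affirmative value counts as consent; an absent field
// or an unchecked box means "no", and nothing is implied from the primary action
// (asking for the white paper does not opt the person in to the newsletter).
function buildConsentRecord(submission, now = new Date()) {
  const email = String(submission.email || '').trim();
  if (!email) throw new Error('email is required');
  const consents = {};
  for (const purpose of Object.keys(PURPOSES)) {
    const raw = submission[`consent_${purpose}`];
    consents[purpose] = raw === 'on' || raw === 'yes' || raw === true;
  }
  return {
    email,
    consents,
    // Keep evidence of exactly what was asked and when, so it can be shown later.
    wording: { ...PURPOSES },
    recordedAt: now.toISOString(),
  };
}

// Given a consent record, decide which lists the address may be placed on.
// Returns only the purposes the person affirmatively chose.
function listsToJoin(record) {
  return Object.keys(record.consents).filter((p) => record.consents[p]);
}

// Check a form's default field values: a pre-ticked consent box is not an
// affirmative opt-in. Returns null when clean, otherwise the offending fields.
function validateFormDefaults(defaults) {
  const preTicked = Object.keys(defaults).filter(
    (k) => k.startsWith('consent_') && defaults[k]
  );
  return preTicked.length === 0 ? null : preTicked;
}

// Constructed sample submission: the visitor only wants the white paper.
const sampleSubmission = {
  email: 'visitor@example.com',
  consent_whitepaper: 'on',
};
const sampleRecord = buildConsentRecord(
  sampleSubmission,
  new Date('2018-05-20T10:00:00Z')
);
console.log(listsToJoin(sampleRecord)); // only "whitepaper"; newsletter and promotions stay off
```

Storing the `wording` and `recordedAt` fields alongside the choices is what lets you later show, for any address on a list, what the person agreed to and when, which is also the evidence you need when auditing existing lists.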
As an example, many sites hosted by SeeMe Media (our parent company) use one or more of the following tools that track or collect data (this is not a comprehensive list):
- Google Analytics
- GoSquare Analytics
- Google Search Console
- Bing Webmaster Tools
- Facebook Pixel
- Google Tag Manager
- AppSumo List builders
- WordPress Jetpack
- MailChimp Opt-In Forms
- Constant Contact Opt-In Forms
- Gravity Forms
Must-do hit list for GDPR
- Make sure that for your forms, signups and any other box where you collect data, including data you process offline, you have permission to do so.
- Review your email marketing lists for EU-based clients and opens. If you have ever added people to a list without their explicit permission to be added to that list, go back and ask them for permission, or remove them before May 25th.
- If you manage your own Google Analytics accounts, be sure to go in and set your data retention times, and update the Analytics code on your site to anonymize user IP addresses.
“In a GDPR world, you gain compliance by anonymizing user IP addresses. You don’t lose all that much.”
For those of you with hosting through SeeMe Media, IP anonymization in Google Analytics has already been completed for you! Thanks for trusting us with your hosting!
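Since the anonymization step is easy to misunderstand, here is an added example (not from the original email and not Google's code) that shows what the setting actually does to an address, and the two real configuration calls that turn it on. Google documents the behaviour as zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address; the functions below write that out so you can see what remains in your reports. The `ga`/`gtag` globals are only called when the corresponding library is loaded on the page, and the measurement ID is a placeholder you replace with your own.

```javascript
// Added example (not from the original post or from Google's code): what the
// Google Analytics IP-anonymization setting does to an address, plus the real
// configuration calls for analytics.js and gtag.js.

// IPv4: keep the first three octets, zero the last one (the host part).
function anonymizeIpv4(ip) {
  const parts = ip.split('.');
  const bad = parts.length !== 4 ||
    parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255);
  if (bad) throw new Error(`not an IPv4 address: ${ip}`);
  return `${parts[0]}.${parts[1]}.${parts[2]}.0`;
}

// IPv6: keep the first 48 bits (three 16-bit groups), zero the remaining 80.
// Accepts the "::" shorthand and returns the full eight-group form.
function anonymizeIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not an IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  return groups.slice(0, 3).map((g) => g.toLowerCase())
    .concat(Array(5).fill('0')).join(':');
}

// Dispatch on address family.
function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIpv6(ip) : anonymizeIpv4(ip);
}

// The configuration that turns anonymization on in the tracking snippet.
// 'anonymizeIp' (analytics.js) and 'anonymize_ip' (gtag.js) are the real
// option names. The calls only happen when the library is present, so this
// file also runs stand-alone. Returns which library was configured, or null.
function enableAnalyticsIpAnonymization(measurementId) {
  if (typeof ga === 'function') {
    ga('set', 'anonymizeIp', true); // analytics.js
    return 'analytics.js';
  }
  if (typeof gtag === 'function') {
    gtag('config', measurementId, { anonymize_ip: true }); // gtag.js
    return 'gtag.js';
  }
  return null; // neither library loaded on this page
}

// Constructed sample addresses (documentation ranges, not real visitors).
console.log(anonymizeIp('203.0.113.45'));                           // 203.0.113.0
console.log(anonymizeIp('2001:db8:85a3:8d3:1319:8a2e:370:7348'));   // 2001:db8:85a3:0:0:0:0:0
enableAnalyticsIpAnonymization('MEASUREMENT_ID_PLACEHOLDER');       // replace with your own ID
```

The truncated address still supports geography and rough network-level reporting, which is why the quoted source says you don't lose much; what it no longer does is single out one household or device, which is the part that matters for compliance.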
I have only scratched the surface here, and there is a lot of work to do in a short amount of time. Please feel free to reach out if you need any help or have any other questions.
- Forbes: Yes, the GDPR Will Affect Your US-Based Business
- CNBC: GDPR Data Privacy Rules in Europe and How They Apply to US Companies
- Business Insider: What Is GDPR? Regulation Explained
- Information Week: 7 Steps to GDPR for US Companies
- Jeffalytics: GDPR, IP Addresses, and Personal Data in Google Analytics
- The GDPR EU Regulation full text