What Is GDPR? 7-Step Compliance Guide.

Over the last few weeks, you have probably been getting lots of emails with privacy policy updates.  You may have heard stories in the news about “GDPR,” the European Union’s new General Data Protection Regulation.

GDPR is a new set of rules that went into effect May 25, 2018 and will change the law in every EU country (including the UK).  The regulations are meant to give EU residents more control over their data, as well as update and standardize privacy laws across the EU.

GDPR also requires changes for most U.S. companies with a website. Even if you don’t think you or your clients have EU website visitors or customers, the new law probably still applies.

Yes, most U.S. companies with a website have to comply with GDPR!

Are you collecting or receiving personally identifying information from customers or visitors to your website, whether through an e-mail newsletter sign up, order form, “contact us” form, survey, contest entry, or other way of submitting data?  (Personally identifying information includes information you may not consider private such as a name and email address, a photo, a social media post, or an IP address, and also highly sensitive information such as health or financial information.)

Then you are likely collecting information from EU residents, and you may need to comply with GDPR.

There are no good technological solutions at this time to “opt out” of complying with GDPR.  It is actually against GDPR to try to opt out of GDPR by blocking EU residents from your website. And the rules are so new that it is unclear who will be considered an EU resident (a U.S. citizen on vacation in Paris? A Mexican resident with an email address from their EU employer?), so asking people where they live is not reliable.

Failure to comply with GDPR could potentially result in steep fines, penalties, and monetary damages against you or your business – up to 20 million Euros or 4% of a business’ gross annual worldwide income, whichever is higher!

So, what steps do you need to take to comply with these new regulations?  Here are my top recommendations for most small U.S. businesses.

1) MAKE A LIST OF ALL APPS, PLUGINS, AND OTHER TOOLS AND VENDORS THAT YOU USE TO HANDLE OTHER PEOPLE’S DATA:  The new rules are different for different kinds of businesses, depending on what tools you use in your business and how you process or store other people’s data.

The first step is a tech audit to see how your business is using data, so you can figure out what else you need to do.

2) CHANGE YOUR WEBSITE CONTACT, CHECKOUT, AND EMAIL MARKETING FORMS: If you have any forms on your website, landing pages, “Contact Us”, or as part of checkout for your products or services that collect e-mail addresses or other personally identifying data, you must tell visitors exactly what you will do with their data AND get their affirmative consent to do each of those things.

This requires one of the following:

  • a checkbox (not pre-checked!) that they agree to receive your newsletter, marketing emails, or any other way you will use their email; OR
  • a clear notice their email address will be added to your newsletter list (or marketing list, etc.); OR
  • a second opt-in email (“double opt-in”) through your email marketing provider, confirming they would like to receive your newsletter, or marketing emails, etc.
  • You should also link to your new updated privacy policy (see below) on or very near the form collecting data.

3) SET UP A COOKIE NOTICE ON YOUR WEBSITE: If you use cookies at all in your business – that includes the Facebook ad pixel and Google analytics among many others –  you will need to get affirmative consent from visitors.  This can’t be hidden in your privacy policy or terms of use.  Many tech solutions are available for this; common methods include requiring visitors to:

  • Navigate beyond a banner, notice, or pop-up saying you use cookies and how you’ll use their information (with link to privacy policy); OR
  • Dismiss a banner, notice, or pop-up
  • Click on an “I agree” button

4) UPDATE YOUR WEBSITE PRIVACY POLICY:  If you collect any personally identifiable information through your website, even just an e-mail address through an opt-in or contact form, from anyone in the EU, you are required by U.S. laws and GDPR to post a policy on your website telling your users what you will do with this information.  Here are some important items to include (This list is not exhaustive! What you must include depends on your particular business):

  • List of the data you collect, why you collect it, how you’ll use it, how long you keep it, and whether you require that it be provided
  • List of the third parties with whom you share or from whom you receive individuals’ data
  • How the visitor can request their data, review and request corrections to their data, or ask that you erase their data
  • How the visitor can withdraw consent for you to use or store their data
  • How you notify visitors of changes to your privacy policy
  • How the website responds to Do Not Track signals from web browsers
  • Choices a consumer has regarding the collection, use and sharing of his or her personal information
  • The effective date of the privacy policy
  • Whom to contact with questions about the privacy policy
  • Disclose visitors’ rights under GDPR, including the right to lodge complaints with a supervisory authority

5) STORE OTHER PEOPLE’S DATA SECURELY: Do your best to store data in a secure way; how you do this will depend on your business and the law allows your efforts to be proportionate to your size and the amount and nature of the data you collect.  It’s best practice to limit access to other people’s data only to those employees, contractors, or vendors in your business who really need it.

6) REPORT ANY DATA BREACH TO THE AUTHORITIES WITHIN 72 HOURS:  If you discover a data breach, you must report it within 72 hours, no exceptions.

7) MAKE SURE YOUR VENDORS ARE GDPR-COMPLIANT: You can be held responsible if you store other people’s data with a vendor that’s not GDPR compliant.  You should vet your vendors (e-mail, apps, and anyone else that handles data that’s not yours) carefully and include terms in your contracts that they bear any liability and indemnify you for non-compliance with the law.

Learn more about GDPR and find my full video training on these new regulations, GDPR compliance checklist, and GDPR-compliant privacy policy template here: www.awbfirm.com/gdpr

*This article is informational, not legal advice and does not establish an attorney-client relationship, which is only formed when you have signed an engagement agreement. GDPR is a complex regulation. This list is not all inclusive, and you should consult a licensed attorney to determine how these regulations will impact your business.