Many US small businesses may not have heard of the EU’s new General Data Protection Regulation (GDPR), let alone realize that it is something that can affect them even though they’re based outside of Europe. But later this month, major changes in data protection will be affecting organizations all over the world, including yours.
What is GDPR?
Coming into effect on May 25, 2018, GDPR is a new set of rules that overhaul how businesses and organizations handle and process the private information of EU citizens. If an organization collects or holds any data on EU citizens – from personal information such as credit card numbers to even a simple email of the citizen – they are subject to GDPR rules regardless of where they are based.
Any organization that doesn’t comply with GDPR risks facing a hefty fine, and small businesses in the US are no exception. To help you navigate through the ins and outs of GDPR, I’ve laid out what you need to know about GDPR and steps to take to make sure you’re in line with it.
But….this is for Europe….
You may be thinking at this point, “I’m not sure it’s worth the trouble. Maybe I’ll just delete all my EU contacts and be done with it.” That’s certainly an option. However, bear in mind that, historically, Europe’s privacy laws have tended to influence laws around the world. GDPR not only works in the best interests of protecting personal data, but taking action now will put you in a much better position should the US adopt similar legislation.
A quick note before we get started – this is for general informational purposes only and should not be taken as legal analysis or legal advice. You should contact a lawyer if you have questions about your particular obligations under GDPR.
What GDPR means for US businesses and non-profits
Getting specific, affirmative consent – No more pre-ticked checkboxes!
For starters, a general ‘are you happy for us to stay in touch’ or a simple act of receiving someone’s business card will no longer be enough. You will need to have proof of specific, affirmative consent to use a person’s personal details in any way including if, and how, you can contact them.
That means that when it comes to networking, if you receive someone’s business card or connect with them on LinkedIn, you can’t just add them to your contact list and start sending them communications without first having gotten their direct consent to be contacted.
For email marketing, the person needs to actively opt in to receive communications from you, and specifically consent to each individual way they are happy for you to contact them by (ie. you’ll need separate tick boxes for email, phone, SMS and mail).
Documenting your data
How you store and manage your data is another area you’ll need to address – you’ll need to know what data is being stored, where it’s being stored, why it’s being stored, and what consent has been granted and when it was given. Data has a time limit as well; it must be deleted once its purpose no longer exists. Likewise, consent is not indefinite and must be refreshed regularly. While it’s up to each organization to determine what’s appropriate, it’s recommended that you refresh consent every two years.
An individual also has the right to request a copy of their data, make changes to it, move it to another organization/service, or ask that it be deleted permanently so be sure your database or CRM enables you to accommodate these requests quickly and easily.
For your convenience, we’ve created a GDPR Data Mapping Checklist for you. You can copy it to your own Google Drive and start editing right away!
Having data breach procedures
Keeping personal data safe is one of the biggest responsibilities we have to our customers and we must do all we can to ensure its security. Have procedures in place that help you mitigate worst case scenarios such as the ability to detect, report, and investigate any data breaches. Under GDPR, data breaches that risk the privacy rights of individuals must be reported within 72 hours.
Ensuring third party providers’ compliance
As a small business, you probably use third-party solutions; make a list of all the ones you use (including website tracking cookies, i.e. Google Analytics and Facebook tracking pixel) that have access to or process data subjects’ personal data.
Then make sure they all comply with these:
- Right to be forgotten.
- Right to object (no data science/tracking).
- Right to rectification (users can update their info).
- Right of portability (the user can move/export their info to another company).
If you want more specific steps you can take, Mailjet has a handy guide to help you make sure third party providers are GDPR compliant.
Existing EU contacts are also subject to GDPR
Another important thing to note about GDPR is that it applies to data gathered prior to May 25, 2018 as well as going forward, so make sure that any EU contacts you have are GDPR compliant. If you don’t have record showing that you have clear authorization to send communications to those contacts, you’ll need to get renewed new consent from them.
What to do now
Overall GDPR is a good thing for safeguarding people’s personal information and it’s likely that it’ll only be a matter of time before privacy laws in the US follow suit. So if your business deals with EU citizens, and even if it doesn’t, here are some specific actions you should do now:
- Turn on double opt-in for email subscriptions.
- Turn on GDPR forms in MailChimp.
- Set up a campaign to the EU segment of your users and confirm their consent on the list.
- no more pre-ticked boxes to sign up for your e-newsletter!
If you have any questions about how to get your website or e-newsletter list ready for GDPR, contact us.