Understanding the Law: GDPR
Full disclosure: We are not attorneys or experts in the law and this is not legal advice. Please consult your attorney and do your own due diligence if you have questions or issues.
The affairs of the rest of the world used to seem distant. What was happening in your hometown was far more important, and unless there was a war or an earthquake or maybe a plague of locusts in some far-flung corner of the globe, most people probably didn't pay much attention. Those days are long gone. Markets are more connected than ever before, which is why in the last of our series on Understanding the Law, we'll look at how the European Union's adoption of its GDPR rules may affect you.
If your business is based exclusively in the United States, you may be unaware of what GDPR is. Put simply, it's a European thing. GDPR, the General Data Protection Regulation, is a legal framework that sets standards for the collection and use of personal data belonging to people in the European Union (EU). It was adopted in 2016 and has applied since May 25, 2018. It doesn't just affect Europe, though. You're bound by it if you have an establishment in the EU. More importantly, even if you have no presence in Europe at all, you're still bound by it if you offer goods or services to people who are in the EU, or if you monitor their behavior (tracking visitors on your website, for instance). Note that the trigger is where the person is, not their citizenship: an EU citizen living in the United States is not covered simply by being a citizen, while an American living in Paris is.
Among other things, the regulation governs all sorts of ways personal data can be used, and "personal data" is defined broadly: any information that relates to an identified or identifiable person. That covers the obvious items like names and government ID numbers, but it also includes information about a person's online activity, location and IP address, and identifiers stored in cookies and similar tracking technology. In other words, exactly the type of information that businesses collect with seemingly innocuous cookies.
In general, the rules are similar in spirit to those in the US, such as the SMS requirements and the CAN-SPAM Act that were mentioned earlier in our series. The biggest differences are that the standards are stricter and the penalties for non-compliance are higher: fines can reach 20 million euros or 4% of worldwide annual turnover, whichever is greater. For example, under the GDPR, consent has to be freely given, specific, informed and unambiguous, and it must be just as easy to withdraw as it was to give. An individual can withdraw consent at any time, and you must obtain separate consent for each distinct purpose you wish to message them about. You would need one consent to send them a newsletter and another, separate consent to send them offers. It is the responsibility of the company to prove that someone agreed to each marketing action it takes, so keep a record of who consented, to what, and when. You can't simply add a disclaimer buried in a bunch of legalese, rely on a pre-ticked box, or provide an opt-out after the fact.
You must also allow people to see, correct and delete the data you hold about them (subject to some exceptions, such as records you are legally required to keep), notify the relevant supervisory authority within 72 hours of becoming aware of a data breach that puts personal data at risk (and notify the affected individuals themselves when the breach is likely to cause them high risk), and make your data privacy policy clear and obvious to the average person. For a more detailed look at how the GDPR may affect you and what you need to do in order to comply, here is a GDPR compliance checklist for US companies.
Complying with the requirements of the GDPR may seem like a pain, and you may be tempted to look for ways to get around it. Many experts believe that approach is a mistake. For one thing, it makes life harder for you, because you would have to maintain two similar sets of rules instead of just one. Generally, if you meet the GDPR standards for protecting your customers' personal information, you will also meet US standards, since the GDPR is the stricter of the two. For another, those same experts believe the US will eventually adopt standards similar to those in the GDPR, meaning that if you work to meet those standards now, you'll be ahead of the curve later.
As we’ve seen with the interconnected nature of global markets as well as a pandemic that started on the other side of the world, what happens in the rest of the world can affect us. Become familiar with GDPR standards and work to meet them. It’s a great way to future-proof your business.