Over the past few months, every local business we help has asked us, “do I need GDPR compliance in the United States?” Before we dive into GDPR for US companies, let’s take a look at what exactly these new regulations are.
The General Data Protection Regulation (GDPR) is a single, comprehensive EU regulation intended to govern how personal data about people within the European Union is collected, used, and stored.
If you’re an American business, like Goodman Creatives, you may also have wondered “what does GDPR mean for US companies like mine?” I know we struggled with this question, which is why we’ve put together this simple guide to GDPR compliance for US companies.
What are the key areas of GDPR?
It would be impossible to cover all aspects of GDPR compliance in a simple blog post. The regulation itself runs to 99 articles and 173 recitals, the guidance written around it is far longer, and reading all of it would probably put anyone on earth to sleep. That’s why we’ve narrowed it down to a few key points.
In a nutshell, GDPR:
- Expands the definition of personal data to anything that identifies, or can be linked to, a living person in their professional or personal life: names, photos, email addresses, bank details, social networking posts, medical information, online identifiers such as IP addresses, and so on.
- Defines data controllers (who decide why and how data is used) and data processors (who handle it on a controller’s behalf) and holds both responsible for complying with its rules.
- Gives individuals more rights regarding the control of personal data—what can be done with it, and how long it can be kept. For example, if someone in the EU asks you to erase all of his or her personal data from your database, you must do so in most cases (the main exceptions are where you are legally required to keep the data or need it for a legal claim).
- Requires businesses to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to put people at risk; affected individuals must also be told where the risk to them is high.
- States that businesses that collect data must have a lawful basis for having it. There are six altogether: consent (I agree to let you have my information, i.e. an unticked checkbox I tick myself), contract (the information is needed to give a quote or deliver what was ordered), legal obligation (tax and employment records you are required to keep), vital interests, public task, and legitimate interests (a business need that is not outweighed by the individual’s interests). The first three are the ones a small business will use most often.
GDPR for US Companies
Due to the global nature of the Internet, businesses operating in the United States are not exempt from GDPR. The regulation protects people who are in the EU, whatever their citizenship, and it reaches a US business that offers goods or services to people in the EU (for example, by quoting prices in euros, shipping there, or running an EU-targeted campaign) or that monitors their behaviour there (for example, with tracking cookies or analytics). Blocking European IP addresses is not a reliable way out: what matters is whether you are targeting or monitoring people in the EU, not which addresses reach your server. The flip side is also true: an EU citizen who fills in your form while on vacation in America is not “in the Union” at that moment, so that visit alone does not bring you into scope.
If you collect, transmit, or otherwise use or store the personal data of people in the EU, you’ll need to comply with the GDPR or face severe penalties (up to 20M euro or 4% of worldwide annual turnover, whichever is higher).
I know that sounds pretty scary, but keep in mind that businesses that hold no data about people in the EU are simply outside its scope. Note, though, that there is no general small-business exemption: the often-quoted 250-employee threshold only relieves smaller organisations of the duty to keep a formal record of processing activities, and even that relief falls away if the processing is regular, risky, or involves sensitive data. Either way, you shouldn’t ignore this sea change in data regulation.
Online businesses can sell to anyone anywhere, and you probably want to have that capacity. And, regardless of GDPR for US companies, it’s a good idea to up your data handling and storage game anyway, because consumers are becoming ever savvier (and more concerned) about what is done with their information (can you say Cambridge Analytica?).
Your Business Apps Need to Be GDPR Compliant Too
GDPR compliance for US companies goes beyond your website. It also includes the apps you use – both on your local computers and in the cloud. That’s why cloud computing and storage platforms like G Suite and Dropbox, and CRM systems like Salesforce, have been working feverishly toward full compliance (if they haven’t already achieved it). Keep in mind that using a compliant vendor doesn’t make you compliant by itself: these vendors act as your data processors, and GDPR expects you to have a written data processing agreement with each of them and to know which of them hold your customers’ data.
US Businesses and GDPR Compliance
Looking at this significant legislation through the lens of the spirit of the law, rather than the letter, is probably the best (and least anxiety-inducing) way to go.
Use it as an opportunity to encrypt your data (or improve its encryption), strengthen your passwords, and cull your contact lists. Done well, the entire process can help build greater trust with your customers by being transparent about your data collection and use. It is also a chance to demonstrate that you care about your customers and their data by clarifying and strengthening your privacy policies and consent forms.
GDPR for US companies means that your business needs to:
- Be open about how you collect data and what you do with it.
- Know how and where that data is stored, who is responsible for securing it, and how it is protected (for example, which encryption, backup, or data protection services you rely on).
- Have clear and informed consent—no using business cards collected from here and there to build an email list, or bundling consent forms (using one opt-in for consent to multiple uses of data.)
Parting thoughts on GDPR and US Companies
It’s important to remember that the internet police are not going to come and break down your door if you inadvertently collect some data on a random person in the EU.
The largest fines are aimed at big companies, with deep pockets, who collect massive amounts of data. Your company is most likely to draw the attention of regulators if someone in the EU makes a complaint, or if you suffer a breach you have to report, both of which are far less likely if your business adheres to the principles of the law.
So don’t see this as a panic-inducing nightmare, or something to just ignore altogether. Instead, look at the big picture, and see it as a paradigm shift with regard to personal data, which is something quite valuable and worthy of care. Here’s an awesome infographic to help guide you a bit more.
* Please note, we are not lawyers, and nothing in this post is offered as legal advice or a complete solution for GDPR for US companies. Goodman Creatives assumes no legal responsibility for the use of this information or the templates offered above.