Over the past few months, every local business we help has asked us, “do I need GDPR compliance in the United States?” Before we dive into GDPR for US companies, let’s take a look at what exactly these new regulations are.
The General Data Protection Regulation (GDPR) is a comprehensive set of new laws is intended to regulate personal data collected from people within the European Union.
Odds are, GDPR first came on your radar back in May, 2018, when every company on Earth seemed to be sending an email with updated privacy policy information. Or, perhaps it was after you clicked your hundredth “I accept these cookies” popup on a website you like.
If you’re an American business, like Goodman Creatives, you may also have wondered “what does GDPR mean for US companies like mine?” I know we struggled with this question, which is why we’ve put together this simple guide to GDPR compliance for US companies.
What are the key areas of GDPR?
It would be impossible to cover all aspects of GDPR compliance in a simple blog post. The full set of laws is thousands of pages long and would probably put anyone on earth to sleep reading it. That’s why we’ve narrowed it down to a few key points.
In a nutshell, GDPR:
- Expands the definition of personal data, which now includes anything that points to a person’s professional or personal life, such as names, photos, emails IDs, bank details, social networking posts, medical information, or computer IP address.
- Defines data controllers and processors and holds them responsible for complying with its regulations.
- Gives individuals more rights regarding the control of personal data—what can be done with it, and how long it can be kept. For example, if someone in the EU wants you to remove all of his or her personal data from your database, you must do so.
- Requires businesses to inform regulatory agencies within 72 hours if there is a data breach.
- States that businesses that collect data must have lawful grounds to have it. There are six altogether, but the three main ones are consent (I agree to let you have my information i.e. checkboxes,) contractual (information is needed to give a quote,) and legal (employees.)
GDPR for US Companies
Due to the global nature of the Internet, businesses operating in the United States are not exempt from GDPR. Even if you blocked every single European IP address, you would still be liable if a European citizen visited your site during a vacation in America.
If you collect, transmit, or otherwise use or store the personal data of citizens of the EU you’ll need to comply with the GDPR or face severe penalties (up to 20M Euro or 4% of global revenue).
I know that sounds pretty scary, but keep in mind that small businesses (having fewer than 250 employees) and those who hold no data from people within the EU are exempt. But that doesn’t mean you should ignore this sea change in data regulation.
Online businesses can sell to anyone anywhere, and you probably want to have that capacity. And, regardless of GDPR for US companies, it’s a good idea to up your data handling and storage game anyway because consumers are becoming ever savvier (and concerned) about what is done with their information (can you say Cambridge Analytics?)
. . . . . . . .
Your Business Apps are Already GDPR Compliant
GDPR compliance for US companies goes beyond your website. It also includes the apps you use – both on your local computers and in the cloud. That’s why cloud computing and storage platforms like Google Suite, Dropbox, and CRM systems like SalesForce are already working feverishly toward full compliance (if they haven’t already achieved it).
Email marketing services like MailChimp and Constant Contact have guides, and WordPress has plugins and other tools to help you manage GDPR for US Companies.
Therapy Companies and GDPR
For USA-based therapy companies aiming to make their websites GDPR compliant, several crucial steps should be taken. While GDPR primarily applies to EU businesses, if your website collects data from EU residents, compliance may be necessary. Begin by conducting a thorough data audit to identify the data you collect and assess whether it involves EU individuals. Create or update your privacy policy, ensuring it clearly outlines data collection purposes, retention periods, and individual rights under GDPR.
Your therapist website design company should implement explicit consent mechanisms, such as checkboxes, to obtain user consent for data processing, allowing them the option to withdraw consent. Address cookie usage by informing users and obtaining their consent before setting cookies. Prioritize data security with robust measures, including encryption and access controls. Develop procedures for data portability and deletion, allowing individuals to request their data or its removal. Ensure third-party services you use comply with GDPR and sign GDPR-compliant data processing agreements when necessary.
Appoint a Data Protection Officer if required and provide staff training on GDPR compliance. Regular audits and updates to policies and practices are vital to maintain compliance, and clear contact information should be available for GDPR-related inquiries. Consider seeking legal or privacy professional consultation to navigate the complexities of GDPR effectively. Compliance is an ongoing process that demands vigilance and adaptation to evolving data protection regulations.
US Businesses and GDPR Compliance
Looking at this significant legislation through the lens of the spirit of the law, rather than the letter, is probably the best (anxiety-inducing) way to go.
Use it as an opportunity to encrypt your data (or improve its encryption), strengthen your passwords, and cull your contact lists. Done well, the entire process can help build greater trust with your customers by being transparent about your data collection and use. Use this as an opportunity to demonstrate that you care about your customers and their data by clarifying and strengthening your privacy policies and consent forms.
. . . . . . . .
GDPR for US companies means that your business needs to:
- Be open about how you collect data and what you do with it.
- Know how and where that data is stored, and who is responsible for securing it, and how it is protected, e.g., data protection services.
- Have clear and informed consent—no using business cards collected from here and there to build an email list, or bundling consent forms (using one opt-in for consent to multiple uses of data.)
Parting thoughts on GDPR and US Companies
It’s important to remember that the internet police are not going to come and break down your door if you inadvertently collect some data on a random citizen of the EU.
The substantial fines are meant more for big companies, with deep pockets, who collect massive amounts of data. Your company will only draw the attention of regulators if a EU citizen makes a complaint, which is highly unlikely if your business adheres to the principles of the law.
So don’t see this as a panic-inducing nightmare, or something to just ignore altogether. Instead, look at the big picture, and see it as a paradigm shift with regard to personal data, which is something quite valuable and worthy of care. Here’s an awesome infographic to help guide you a bit more.
* Please note, we are not lawyers and nothing in this post is offered as legal advice or a complete solution for GDPR for US companies. Goodman Creatives assumes no legal responsibility for the use of this information or the templates offered above.
