For most local American business owners, the EU’s General Data Protection Regulation (GDPR) was probably nothing more than a passing headline. That is… if you even registered the information at all.
However, the regulations, which the EU plans to start enforcing in May 2018, have global repercussions and could affect how you conduct business online, regardless of where you set up shop.
What is GDPR?
According to the new regulation, it’s your responsibility to tell website visitors what types of data you collect from them and why you are collecting it. In addition to the explanation, you must request and receive explicit consent from those visitors and give them the opportunity to withdraw their consent at any time.
Unfortunately for website owners, the new regulation utilizes a pretty broad definition of “personal data.” In a nutshell, it refers to all identifying information.
Here are just a few.
- IP Address
- Web Browsing Cookies
Please notice that we only called out some of the most basic information that most websites collect. In reality, all sorts of data points apply (financial, political, gender identification, etc.).
The point we want to make is that almost every site collects email addresses, and therefore GDPR applies to almost every online business.
Who Must Comply?
Basically, the General Data Protection Regulation applies to everyone.
The regulation says that if you happen to collect personal data (email, address, phone number, etc.) from someone in an EU country, you must comply with the new rules regardless of where you are located.
That’s right. GDPR is global and if you store data from someone living in any of these countries, you need to understand the finer nuances of compliance.
- Republic of Cyprus
- Czech Republic
Obviously, if you market to these countries, then GDPR definitely applies to you. But what if that’s not the case? What if you have never actively sought clients from the EU?
You have an out… kind of.
The regulations state that you must actively market to one of these countries for GDPR to apply. In other words, if someone in Portugal stumbles across your American website and you have never targeted Portugal for business, there is no issue.
But, you need to be careful.
How GDPR Applies to Your Company
Let’s assume that you are a soccer trainer in Indiana and 99% of your clients are local. Never in your wildest dreams has it ever occurred to you to market your skills to Swedish soccer players.
However, you do offer counseling sessions via Skype, and your website says something to the effect of:
“Available for consultation via Skype. Serving the local community and soccer players in any location.”
And then, one day…
A young man in Sweden happens across your site and decides he wants some input on his soccer game. He fills out your contact form and his name, email, and phone number end up in your database.
Oops! Sweden belongs to the EU and is covered by the General Data Protection Regulation. It is now your responsibility to make sure you comply with its rules regarding his data. Did you get the necessary consent forms? After all, you DID say you serviced “any location.”
It’s true that the above example is a bit extreme and even if you did collect the data, it’s highly improbable that you would ever suffer a fine.
Unless you lose his data.
Over half of the reported data breaches this past year were from small businesses, and not all were due to cybercrime. According to the Ponemon Institute, 24% of data loss in 2017 was caused by negligent employees and another 24% was caused by system glitches.
If you lose the Swedish soccer player’s personal information, for whatever reason, then technically you could face fines of up to 4% of your global sales.
The Reality of GDPR
We are not trying to scare you, just to get your attention. For most American companies, especially smaller local ones, GDPR will never be an issue. However, you really should know about the regulation and determine if it might affect your company.
At the very least, you can take some precautions.
- Remove any broad-sweeping statements such as “serving local markets and around the world” from your website.
- Check with third-party email marketing services, such as MailChimp, for their best practices regarding GDPR. There are some new, and pretty strict, email regulations. If someone does end up on your mailing list from one of these countries, you want to make sure you are compliant.
You should also keep in mind that data handling is presently a very hot topic in the United States. (Think of the great Facebook scandal of 2018.) There is a good chance that U.S. lawmakers will take a look at the EU’s General Data Protection Regulation and develop their own version. As a consumer, this is not necessarily a bad thing, but it does place a burden of responsibility on website owners.
If you want more information on General Data Protection Regulation (GDPR) compliance or insights into web marketing, contact Effect Web Agency. We have locations in Granger, Indiana, and Indianapolis to better serve businesses like yours.