There’s been a lot of buzz around the May 25th, 2018 enforcement date for the General Data Protection Regulation, but there’s also been a lot of confusion and misinformation swirling around the topic. This article aims to give you some plain language clarification regarding what the GDPR demands of small to mid-size companies in San Francisco, and the steps your business needs to take to ensure compliance.
The GDPR, or General Data Protection Regulation, is a set of standards established by legislation enacted in the European Union. In total, these regulations add up to more than 250 pages of legal documents.
The GDPR has been designed to protect the personal information of citizens of the EU from being misused and abused. It has been written to cover all commercial transactions in which an individual’s data is accessed, handled, stored, or otherwise “processed.” To cover this wide swath of commercial interactions, the GDPR had to be written in a way that applied to every company from the technology giants like Microsoft and Facebook all the way down to the small business.
As a result, the language used can be confusing, and its application to small and mid-size businesses can get lost in the mix.
If your business advertises to, collects information from, or makes products and services (even free products and services) available to anyone living in the EU, your company must comply with the GDPR.
In today’s internet connected, e-commerce world, the GDPR impacts a vast majority of companies.
A simpler way to state this is: “The GDPR is not simply a regulation for the EU and EU businesses. If someone from the EU could end up as a client or on your monthly newsletter email blast, you have to become compliant with GDPR.”
If your business only advertises to, sells to, and operates within North America AND your website forms and landing pages are set up to reject opt-ins from EU IP addresses, you don’t have to worry about meeting GDPR compliance. But if you make only one sale or accept one newsletter subscriber from the EU, you trip the wire and become subject to GDPR.
The GDPR has been written to curb the abuse of the personal information of citizens and residents of the European Union. (It’s important to note that after Brexit, the UK has chosen to enact its own data privacy regulations, but they will be very similar to GDPR.) The personal data protected by GDPR includes, but is not limited to:
“Process” is the word that the GDPR uses to encapsulate everything that a company does with the personal information of an individual. Processing includes the collection of data, the deletion of data, and everything that takes place between those two points relating to that data.
What Are The 6 Main Provisions Of The GDPR That Apply to Small to Mid-Size Business?
Each of these six main provisions should be explored by your lawyer to ensure that you and your data collection/use processes are in alignment with the nuances of each provision. Intivix specializes in the data protection aspect of GDPR compliance.
Step #1 – Don’t Panic!
If you have already been moving toward caring about your clients, using their information in an ethical manner, and protecting their data while it’s in your possession, GDPR compliance is the next logical step. The UK Information Commissioner, Elizabeth Denham, was quoted by Matt Burgess of WIRED.CO.UK as saying, “The GDPR is a step change for data protection. It’s still an evolution, not a revolution.”
Step #2 – Deal With Your Current Data
The data that you now have – names, email addresses, phone numbers – is NOT grandfathered into the GDPR. To use that data gathered from people in the EU for anything outside of the strict confines of what they originally agreed to, you have to get them to opt into your new “purpose” for their information.
For example, if you sold a product or service to someone in the EU, you cannot then use their name and email address to market new products or services to them. To do so, you must get them to “opt-in” to your newsletter/marketing emails now.
You need to make an effort to get your EU contacts opted into your newsletter or marketing emails now, before GDPR begins to be enforced. Using their data after May 25th, 2018 for anything outside the original purpose for which they gave you their information is a violation of GDPR.
Note: This ONLY applies to individuals in the EU. It’s important to segment your data, such as email lists, into EU and “not EU” going forward, as the two groups fall under different rules. Strictly following EU/GDPR rules for your USA and Canadian clients may limit your marketing effectiveness in those markets, although it is likely that Canadian and USA law will follow suit over time.
Step #3 – Delete Old EU-Sourced Data
After you have made an effort to get your EU contacts to “opt in” to whatever “purpose” you currently want to use their information for, you have to delete the records of everyone who has not responded, or has responded negatively, to your attempts to get them to opt in. Again, this only applies to EU contacts, not North American-sourced data.
Step #4 – Get the Right Consent on Future Data Collected
As we move past the May 25th, 2018 enforcement deadline of GDPR and you begin to collect data from prospects and clients within the EU, it’s essential that you get consent for each “process” that you intend to perform with their data. For example, processing a sale and processing (sending) monthly sales emails would require two separate consents.
Note: Under GDPR you cannot make one consent (the permission to send sales emails) a mandatory condition of the consent to purchase (or receive for free) a product from you. The consent for each “process” must be voluntary.
The Intivix team specializes in ensuring that your San Francisco Bay Area business IT systems meet the high standards set by GDPR for security, transparency, and compliance. We’d be happy to talk with you about how to get and stay GDPR compliant.