NOTE: The information in this document is for guidance only. It’s not meant as a substitute for a consultation with an attorney for your specific business needs and circumstances. See our full breakdown of GDPR for additional information.
What is GDPR?
GDPR (General Data Protection Regulation) is a European Union law governing data protection and privacy. Increasing numbers of companies are passing their own rules to match it. It is critical to note that the scope of GDPR includes all EU citizens and residents, so it can apply to American businesses that have either EU residents in their database or EU citizens living in the United States.
How Does GDPR Affect Your Business?
- Make a list of what Personal Data¹ your organization collects, how it is used and by which departments. You can only collect Personal Data that is essential for the task the individual is signing up for, purchasing, etc. For example:
  - If you send a physical catalog, asking for a name and address is allowed but a phone number is not.
  - If someone makes a purchase from your online store, requesting a phone number with the name and address is fine because you might need to contact them to resolve fulfillment or delivery issues.
  - If they’re signing up for an email newsletter, you can’t ask for their mailing address. You can only request a birthdate if you specify that you will send them a coupon code, discount, etc. on their birthday, which would make it relevant.
  - If your organization allows businesses to become authorized dealers or resellers, you can request their name, address, phone number, web site, email address, etc. if that information is used in a database the public can consult for authorized dealers. You can also request proof that they are a legitimate business, such as a wholesaler’s license. However, you can’t ask for their client list in order to sign up.
- You can only collect information from those under the age of 16 with parental consent.
- Change any forms on your web site so that opt-in boxes are unchecked. Individuals must take action to opt in and it must be their choice. Opt-in by default, passive opt-in, etc. are not allowed.
- Set up an easy method that allows individuals to request to see what Personal Data you hold on them and to request corrections and/or erasure.
- Create a process by which data access, rectification and/or erasure requests can be answered and fulfilled. In most cases, requests must be fulfilled within one calendar month.
- Create a process for handling data breaches. Customers must be notified of a data breach within 72 hours of discovering the breach.
- What specific data is collected and why
- If any third-party services are used to store or process the data, like MailChimp for an email newsletter, a credit card processor, etc.
- How an individual can request a copy of their Personal Data on file
- How to request data rectification in the case of mistakes
- How to request data erasure
- How the company handles data breaches
- Do not sell or trade lists or databases of Personal Data.
Steps to Take for GDPR Compliance:
- Do an inventory of what customer data you collect, how you use it, and who has access to it. Make changes as needed.
- New consent might be needed depending upon how you gathered your list. For example, if you got their name from a third-party – especially if you bought a mailing list – you might need to purge that information or get new consent.
- Plug-ins that track IP addresses are a problem under GDPR, so talk to your website developer about updating or changing them.
The United States CONSENT Act
The U.S. has formulated its own version of GDPR. The Customer Online Notification for Stopping Edge-provider Network Transgressions, or CONSENT Act, a new American regulation for greater privacy formulated in the wake of the Facebook data privacy scandal, was introduced in the United States Senate in April 2018 and is working its way through Congress. The Social Media Privacy Protection and Consumer Rights Act was also introduced in April 2018 to give users the ability to opt out of data gathering. It is also in the beginning stages of approval.
¹ Personal Data is anything that can identify a person, including, but not limited to, names, email addresses, phone numbers, birth dates, purchasing behavior, IP addresses, etc.