The Essentials You Need to Know About GDPR


NOTE: The information in this document is for guidance only. It’s not meant as a substitute for a consultation with an attorney for your specific business needs and circumstances. See our full breakdown of GDPR for additional information.

What is GDPR?

GDPR (General Data Protection Regulation) is a European Union law governing data protection and privacy. Increasing numbers of companies are passing their own rules to match it. It is critical to note that the scope of GDPR includes all EU citizens and residents, so it can apply to American businesses that have either EU residents in their database or EU citizens living in the United States.

How Does GDPR Affect Your Business?

  • Make a list of what Personal Data¹ your organization collects, how it is used and by which departments. You can only collect Personal Data that is essential for the task the individual is signing up for, making a purchase, etc.
    For example:
    1. If you send a physical catalog, asking for a name and address is allowed but a phone number is not.
    2. If someone makes a purchase from your online store, requesting a phone number with the name and address is fine because you might need to contact them to resolve fulfillment or delivery issues.
    3. If they’re signing up for an email newsletter, you can’t ask for their mailing address. You can only request a birthdate if you specify that you will send them a coupon code, discount, etc. on their birthday, which would make it relevant.
    4. If your organization allows businesses to become authorized dealers or resellers, you can request their name, address, phone number, web site, email address, etc. if that information is used in a database the public can consult for authorized dealers. You can also request proof that they are a legitimate business, such as a wholesaler’s license. However, you can’t ask for their client list in order to sign up.
  • You can only collect information from those under the age of 16 with parental consent.
  • Change any forms on your web site so that opt-in boxes are unchecked. Individuals must take action to opt in, and it must be their choice. Opt-in by default, passive opt-in, etc. are not allowed.
  • Set up an easy method that allows individuals to request to see what Personal Data you have on them, request corrections and/or erasure.
  • Create a process by which data access, rectification and/or erasure requests can be answered and fulfilled. In most cases, requests must be fulfilled within one calendar month.
  • Create a process for handling data breaches. Customers must be notified of a data breach within 72 hours of discovering the breach.
  • Revise your Privacy Policy to clearly state:
    1. What specific data is collected and why
    2. If any third-party services are used to store or process the data, like MailChimp for an email newsletter, a credit card processor, etc.
    3. How an individual can request a copy of their Personal Data on file
    4. How to request data rectification in the case of mistakes
    5. How to request data erasure
    6. How the company handles data breaches
  • Send out a notice about your revised Privacy Policy to your email list. Doing this after May 25 might generate better results because people are being besieged by such notices this week.
  • Do not sell or trade lists or databases of Personal Data.

Steps to Take for GDPR Compliance:

  1. Do an inventory of what customer data you collect, how you use it, and who has access to it. Make changes as needed.
  2. Update your Privacy Policy. See our more thorough breakdown of how GDPR affects you for more information. Also consider getting a cyber liability policy.
  3. New consent might be needed depending upon how you gathered your list. For example, if you got their name from a third-party – especially if you bought a mailing list – you might need to purge that information or get new consent.
  4. Institute a GDPR-compliant Cookie Policy stating how cookies are used. If you don’t have consent for the cookies yet, place a noticeable banner at the top of each page linking to the cookie policy.
  5. Plug-ins that track IP addresses are a problem under GDPR, so talk to your website developer about updating or changing them.

GDPR is a critically important topic and it affects American businesses of all sizes. Because the penalties are so expensive, it’s in your best interest to understand just how it will affect you, so we encourage you to read our more thorough GDPR analysis. A consultation with an attorney may also be necessary to update the legal notices on your website, such as your Privacy Policy.

The United States CONSENT Act

The U.S. has formulated its own version of GDPR. The Customer Online Notification for Stopping Edge-provider Network Transgressions, or CONSENT Act, is a new American regulation for greater privacy formulated in the wake of the Facebook data privacy scandal. It was introduced in the United States Senate in April 2018 and is working its way through Congress. The Social Media Privacy Protection and Consumer Rights Act was also introduced in April 2018 to give users the ability to opt out of data gathering. It is also in the beginning stages of approval.

¹ Personal Data is anything that can identify a person including, but not limited to, names, email addresses, phone numbers, birth dates, purchasing behavior, IP addresses, etc.