Many U.S. businesses are not taking the new GDPR law seriously because it’s an EU regulation, but if your business is not in compliance by May 25, 2018, get prepared for serious fines! The General Data Protection Regulation (GDPR) is a strict set of new rules out of the EU controlling citizen data privacy, which replaces their 1998 UK Data Protection Act and goes into effect May 25, 2018. The ruling, which originally passed in the EU Parliament on April 14, 2016, will have a major impact on US-based businesses, and you have a short window to get prepared within your organization. While this is out of the EU, it affects any business regardless of geographic location, as long as you do business with people based in the EU, and given the global nature of online and tech businesses, this could mean big changes for almost every business.
If your company provides goods and services to EU residents, or collects and monitors their data, it now must be in compliance with these new regulations. Failure to comply can mean big dollars in fines: up to 4% of your company’s total global revenue, or as high as 20 million euros, whichever one is larger, for serious violators of the law. Serious violations include infractions such as failing to obtain proper opt-in consent, irresponsible data transfer outside of the EU, and missed cyberbreach notifications. This new sweeping law will permanently affect the way data is used, collected, and stored for consumer protection.
Even companies like Salesforce have recently appointed an executive, Lindsey Finch, SVP of Global Privacy and Product Legal, to head their GDPR compliance.
So what can you do to prepare your business or organization for the May 25th deadline?
5 Ways to Prepare for GDPR
1. Don’t freak out
Jenni Brown, co-founder of Lyrical Host, has a tip—don’t panic. A lot of people are scaremongering or overcomplicating it, but take a deep breath and start by making a list of all the tools and services you use in your business and you’ll instantly feel a lot better for getting started—I know I did!
2. Segment your email list communication and get consent
Ticora Davis, owner and managing attorney of The Creator’s Law Firm, says: “I recommend small business owners segment their email list to determine whether they have someone from the European Union on their mailing list. If so, they should send a re-engagement campaign immediately to those prospects ONLY. There’s no need to obtain permission from non-European Union individuals. Ensure that you’re able to document that the individual from the EU has given you affirmative permission to opt into your mailing list. According to the GDPR, adding someone to your mailing list because they’ve opted into receiving a freebie, lead magnet, or attended a webinar is not affirmative consent to be added to your email marketing list. Consent from someone in the EU must be legal, clear, and affirmative. Pre-ticked boxes are not affirmative consent. Finally, ensure all the software you use is compliant with the GDPR, especially if it will be storing your clients’ or customers’ personal identifying information.”
3. Do you have security breach procedures? Get some!
Under the new law, you are expected to have a comprehensive plan just in case your EU customers are affected by a security breach at your company.
4. You might be good, but what about third-party risk?
It’s not a question of if a breach is going to happen, but when. GDPR now requires your company to perform Impact Assessments for any new procedures and changes to processes that pose a high risk to consumer privacy. Data security breaches that happen at your third-party affiliates could make your company liable as well. Check on your contractors, strategic partners, joint venture partners, and affiliates ASAP!
5. When is the last time you reviewed your data consent request?