The regulation has existed since 1995, but in less than a month it begins affecting American companies that do business with European organizations. European data protection rules are extraterritorial. They apply to all personal data mined, processed, and kept about persons within the European Union (EU) regardless of citizenship or nationality.
That means any company that processes data from someone residing in the EU without adhering strictly to the GDPR can receive fines of up to 4 percent of a company’s gross or €20 million—whichever is greater, according to EUGDPR.org. The regulation takes effect on May 25.
With regard to websites, it comes down to collecting lead and customer information of EU residents as well as data in transit such as cookies, telemetry, metadata, and consent for marketing. Furthermore, storing that information only in third-party software does not exonerate you.
5 Ways to Protect Yourself & Your Clients
One of the biggest shifts is the rights for users to obtain the data you might have stored about them. Here are some simple rules you can implement right now.
2. Add a Cookie Disclosure
The majority of websites will need a “Cookie Disclosure,” showing users which cookies you are using and for what purpose. If you utilize Google Analytics, Hotjar, Pardot, Hubspot, SharpSpring, or SalesForce, be prepared. Essentially, you need to explain how third-party software interacts with users’ data, and at a bare minimum, list all your third-party data providers—and be sure to record (database entries) when you do share customer info with third parties.
3. Remove Predating Personal Data
4. Prove Consent
You must prove consent on all data entry points through data collection systems such as contact forms, estimate requests, and statistics. Thus, a simple solution is providing a form for consent where users can select, “Yes, you can store my info,” or “No, you can’t store my info.”
5. Share Timely Hack Alerts
If you are unfortunately hacked, you must tell all your customers within 72 hours.
A Quick Reference To-Do List
For the sake of brevity, here’s a recap of action items that should be addressed before May 25:
- Provide a way for consent
- Prove individual consent
- Establish and re-establish consent
- Provide a way for consent to be withdrawn as easily as it was given
- Check to see that all third-party services are compliant
- List the contact information of associated third-party data providers
- List all the data you collect inclusive of third-party services
- List how you process and use their info
- List how their info and third-party data interact
- Allow individuals to request that their data be permanently erased
- In your e-newsletters, make “unsubscribe” footers visible and accessible
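Several of the items above (prove individual consent, make withdrawal as easy as granting, record every share with a third-party provider, honour erasure requests, let users obtain what you hold about them) come down to one thing: an append-only, timestamped record of each decision. The following is an added example written for this article, not code from the article or from any of the products it names; the class and method names (ConsentLedger, record_consent, share, erase, export) and the choice to key entries by a hash of the e-mail address are assumptions of this illustration.

```python
"""Consent ledger: each consent, withdrawal, third-party share and erasure
is appended as a timestamped event, so every later question ("did this
person agree?", "who did we give it to?") is answered by replaying events.
Illustrative example; all names here are assumptions, not a real library."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class Event:
    kind: str        # "consent", "withdraw", "share" or "erase"
    subject: str     # pseudonymous id, so the audit trail holds no e-mail address
    timestamp: str   # ISO-8601, UTC
    detail: dict     # purpose, wording shown, third party, fields shared, ...


def pseudonym(email: str) -> str:
    """Key ledger entries by a hash of the normalised address (assumed design)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()[:16]


class ConsentLedger:
    """Append-only record of consent decisions, shares and erasures."""

    def __init__(self, clock=None):
        self.events: list[Event] = []          # the audit trail, never rewritten
        self.profiles: dict[str, dict] = {}    # the personal data itself
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, kind: str, subject: str, **detail) -> Event:
        event = Event(kind, subject, self._clock().isoformat(), detail)
        self.events.append(event)
        return event

    def record_consent(self, email, purpose, granted, source, wording):
        """Store the choice, where it was made, when, and the exact text shown."""
        sid = pseudonym(email)
        if granted:
            self.profiles.setdefault(sid, {})["email"] = email
        return self._log("consent", sid, purpose=purpose, granted=bool(granted),
                         source=source, wording=wording)

    def withdraw(self, email, purpose):
        """Withdrawal is a single call, as easy as granting was."""
        return self._log("withdraw", pseudonym(email), purpose=purpose)

    def has_consent(self, email, purpose) -> bool:
        """Replay the subject's events; the most recent decision wins."""
        sid = pseudonym(email)
        decision = False
        for ev in self.events:
            if ev.subject != sid:
                continue
            if ev.kind == "consent" and ev.detail["purpose"] == purpose:
                decision = ev.detail["granted"]
            elif ev.kind == "withdraw" and ev.detail["purpose"] == purpose:
                decision = False
            elif ev.kind == "erase":
                decision = False
        return decision

    def share(self, email, purpose, third_party, fields):
        """Refuse to pass data on without consent; log every share that happens."""
        if not self.has_consent(email, purpose):
            raise PermissionError(
                f"no consent for {purpose!r}; not sharing with {third_party}")
        return self._log("share", pseudonym(email), purpose=purpose,
                         third_party=third_party, fields=sorted(fields))

    def erase(self, email) -> list[str]:
        """Drop the profile and return the third parties that also hold the data."""
        sid = pseudonym(email)
        self.profiles.pop(sid, None)
        parties = sorted({ev.detail["third_party"] for ev in self.events
                          if ev.subject == sid and ev.kind == "share"})
        self._log("erase", sid, notify=parties)
        return parties

    def export(self, email) -> str:
        """Subject-access export: everything recorded about one person, as JSON."""
        sid = pseudonym(email)
        return json.dumps({"profile": self.profiles.get(sid, {}),
                           "events": [asdict(e) for e in self.events
                                      if e.subject == sid]}, indent=2)


if __name__ == "__main__":
    # Constructed sample interaction, not real customer data.
    ledger = ConsentLedger()
    ledger.record_consent("Ann@Example.com", "marketing", True, "contact_form",
                          "Yes, you can store my info")
    ledger.share("ann@example.com", "marketing", "crm-vendor", ["email", "name"])
    ledger.withdraw("ann@example.com", "marketing")
    print(ledger.export("ann@example.com"))
    print("third parties to notify on erasure:", ledger.erase("ann@example.com"))
```

Two design points carry the weight here. Consent is stored per purpose together with the exact wording the user saw and the entry point it came from, which is what "prove individual consent" means in practice; and because every share with a third party is itself an event, an erasure request can immediately list which providers also need to be told. Keying the ledger by a hash of the address keeps the audit trail useful after the profile itself has been deleted.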