In the wake of the Cambridge Analytica scandal, there has been a great deal of focus on data protection and consumer rights regarding the use of collected data. What you may not be aware of is that this conversation has been going on for over two years in Europe, since the General Data Protection Regulation (GDPR) was adopted in 2016. So how does the GDPR impact U.S. businesses? If your business has a website, or if you send emails for marketing purposes, then the new GDPR rules may apply to you.
GDPR in a nutshell:
There are three key points that all U.S. businesses need to be aware of regarding the GDPR.
First and foremost, GDPR stresses consent to data collection. In other words, businesses must be transparent about what data they collect and why, and when they rely on consent as the legal basis for that collection (as most marketing email does), they must be able to document that the user actually gave it. In addition:
Businesses cannot bundle consent for several things together into one long form. Users must be able to consent to or opt out of each use of their data individually.
It must be as easy for the user to withdraw consent as it was to give it.
Children under 16 cannot opt in to data collection themselves, but a person with parental responsibility can consent on their behalf. (Individual EU member states may set this age lower, to as low as 13.)
Secondly, businesses are now required to notify the relevant data protection authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to put the affected individuals at risk. Where the risk to those individuals is high, they must be notified as well.
Thirdly, individuals have the right to request that their personal data be “forgotten,” that is, erased, and the business must honor the request unless a specific legal exception applies (for example, a legal obligation to retain the records).
You may be asking, how does an EU regulation apply to a U.S. company? The GDPR applies based on where the individual is located, not on citizenship, and it isn’t at all unusual for a stateside company to have people in the EU on its email list, accessing its website, or purchasing its products online. But more than that, as consumers here in the U.S. become aware of GDPR compliance, they will come to expect that same level of protection for their data. As Lorcan Malone writes in a recent Business.com article, “Customers like to be associated with companies that care about them and take their privacy and security seriously. What better way to make them feel cared for than by prioritizing their privacy interests over everything else?” He encourages U.S. businesses to embrace GDPR and plan for compliance immediately rather than “risk legal headaches down the road”.
The GDPR becomes enforceable on May 25th, so if you have not taken a look at your data collection and security practices or updated your email opt-in policies recently, you have a little over three weeks to do so. This GDPR Compliance checklist for U.S. companies compiled by HubSpot can help.
Need more guidance understanding your obligations under GDPR? The staff at the Small Business Development Center are here to help and can be reached at 716-338-1339.