Like everyone else, you’ve probably been getting a ton of emails and online notices announcing that companies are updating their privacy policies and/or website tracking tools.
Although businesses do this from time to time as part of routine updates, practically all of the latest notices are aimed at complying with a new European Union (EU) law known as the General Data Protection Regulation (GDPR).
Some of you probably don’t even know what GDPR is, and for those of you who do, I’m betting only a fraction of you have made serious efforts to comply with the new law.
The good news is—you’re not alone.
Surveys have suggested that up to 90% of U.S. business owners are currently not in compliance with GDPR, which went into effect on Friday, May 25, 2018. But just because only a few businesses are following the law doesn’t mean it’s something you should ignore.
With the maximum fines for non-compliance as high as 4% of your annual worldwide revenue or €20 million (about $24.6 million at current exchange rates), whichever is higher, doing nothing could devastate your business. But before you go into panic mode, realize that a lot of the hype surrounding the law has been overblown, particularly for small US-based companies.
The GDPR’s vague language, conflicting media reports, and fear-mongering from newly minted “GDPR consultants” have all fanned the flames of anxiety. Fortunately, we’ve thoroughly researched the GDPR, and we’re going to highlight our findings here to clarify what the new law is, who it applies to, and what—if anything—you should do to comply.
Should I be worried?
The first thing you should do is stop stressing! The EU data protection authorities charged with enforcement have made it clear that the largest fines and other penalties will be a last resort, not the norm.
That said, if your company does business within the EU—even just collecting names and addresses—then you should become familiar with GDPR and possibly take some basic actions to ensure your company is in reasonable compliance.
What is GDPR?
In a nutshell, GDPR is aimed at enhancing the data protection and privacy rights of people in the EU. Although most of the attention has focused on data collected online, the law covers personal data however a business collects and stores it, whether in a website database, a CRM, or a paper filing system.
At its core, GDPR gives people in the EU the right to decide how their personal information is collected, stored, processed, and destroyed. Note that the law protects anyone located in the EU, not just EU citizens. According to GDPR, if you collect personal data from people in the EU, your company must ensure that these customers:
- can easily request access to their personal data
- can easily update their own personal information to keep it accurate
- can easily request deletion of their personal data
- can easily request that you stop processing their data
- can easily request that their data be delivered to themselves or a third party
- can easily object to profiling or automated decision-making that might impact them
Given its vast scope, GDPR is being touted as the world’s most sweeping privacy law. At the same time, because the law just recently went into effect, it remains to be seen how it will actually work when it’s put into practice and enforced.
Does GDPR apply to my business?
Whether a small US business needs to comply is based on whether the company processes personal data of people in the EU while offering them goods or services (paid or free) or monitoring their behavior, for example by tracking visitors to your website. Citizenship is not the test; the person’s location in the EU is. What’s considered personal data covers a wide range of identifiers, including:
- Names, addresses, phone numbers, and ID numbers
- Online identifiers such as IP addresses and web tracking data (“cookies” and other tools that record who visits your website)
- Social media posts
- Health and genetic data
- Race or ethnicity data
If you collect and use this kind of information from people in the EU in the course of selling to, marketing to, or tracking them, your company is required to comply with GDPR. If you don’t process such data on people in the EU and don’t plan to in the future, the law doesn’t apply to your business.
How do I comply?
At the very least, you may want to perform a basic data audit: list where personal information is stored (web forms, email lists, CRM, payment records, analytics), what is collected in each place, and how much of it belongs to people in the EU. If EU residents don’t make up a significant portion of your customer base, you might simply choose to delete that data and stop doing business in the EU. Or you may decide to accept the risk of non-compliance.
If you decide that you want to keep working with and/or marketing to customers in the EU, the level of your company’s compliance will need to be determined on an individual basis. One simple way this can be done is to complete a risk/reward analysis that looks at the costs of compliance, the risks your business faces from non-compliance, and the potential rewards compliance might offer. If you’d like our help with such a risk/reward analysis, call us to help you weigh the pros and cons for your particular business and discuss your compliance options.
It’s possible that small businesses with few EU residents in their database will not be targeted at all, and even if they are, they might simply receive a warning letter about future compliance. At this stage, however, it’s impossible to know for certain how GDPR will be enforced and whether such minimal collections of data will create a serious liability for US business owners.
What does the future hold?
Ultimately, GDPR is not intended to stop companies from marketing or processing personal data for aboveboard business reasons—it’s aimed at stopping companies from collecting and using individual data for shady purposes, a la Cambridge Analytica.
In the end, GDPR may turn out to be much ado about nothing, or it could transform the way countries, including our own, handle the privacy rights of their citizens—only time will tell. Until then, you should call us as your Creative Business Lawyer® to set up an appointment to discuss the law’s potential impact on your business. Armed with that knowledge, if and when the GDPR does impact your business, you won’t be caught unaware.