By now you’ve probably had a chance to review some information about the new European General Data Protection Regulation (GDPR) that went into effect in May. This new regulation applies to any company that interacts with European Union citizens, which makes it applicable even to small businesses in the U.S. who have a website or collect personal information from customers.
The provisions of the policy for keeping the personal data of customers secure and regarding the legal collection and use of that data by businesses are straightforward and easy to understand, but the penalties laid out for violations are significant. Businesses found to be in violation of the provisions of the GDPR can be fined up to 4% of annual global turnover or 20 million Euros, whichever is greater.
We have put together a checklist for small businesses to follow to be in compliance with GDPR. When in doubt, please check with your business attorney. There are no exceptions for enterprise size or scope, which means any business with an internet presence is potentially subject to this law. Here’s our list:
- Review your data handling procedures—Review your current mailing lists and check for contacts in EU countries. Make sure you have records of consent from these individuals.
- Keep track of your data collection channels—Make sure you know where your contacts’ data came from, such as events, web forms, sales, etc. Make sure you have consent from the people in these lists.
- Provide clear consent wording—Avoid confusing legalese wording in your terms of use. Make sure the wording is clear and concise enough for anyone (no matter what level of education) to understand how you’ll use their information.
- Make sure all of your forms are GDPR compliant—Include consent verbiage in every single form – both in electronic and print formats. Add country of residence to your forms.
- Verify the age of your web visitors—GDPR requires parental consent to collect or process personal data of children under the age of 16. If you offer products targeting youth, this step is very important to you.
- Send a double opt-in email—This step will definitely trim down your email lists, but it will also safeguard your business with the assurance that you’re only contacting customers who have given consent to be contacted. Make sure you’re not emailing individuals who have previously asked to be unsubscribed.
- Create (or update) a privacy policy for your website—Offer clear directions on your website as to what information is being collected, how data is being stored, and how to contact the organization. Please note that Facebook pixels and Google remarketing cookies should be disclosed on your privacy policy, if you use them for marketing purposes.
- Make sure you have a data breach plan—GDPR requires businesses to report a data breach no later than 72 hours after the organization becomes aware of the breach. In other words, be proactive and make sure that you are safeguarding the data you’re collecting.
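The consent-record, collection-channel and double opt-in items above describe one procedure: record where each address came from, mail a confirmation link, and only ever mail people who used it. The following Python module is an added illustration of that flow, not code from the original post or from the firm behind it. It assumes an in-memory registry, a 48-hour confirmation-link lifetime, and an HMAC-signed link token; all names (`ConsentRegistry`, `Contact`, `sign_up`, `confirm`) are hypothetical. Confirmation tokens are signed so that a link cannot be forged or edited to confirm someone else, expired links are rejected, and a link sent before an unsubscribe request can never put that person back on the list.

```python
"""Double opt-in consent registry: every contact carries its collection
channel, and only contacts who confirmed via a signed link are mailable."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after 48 hours (assumed policy)


@dataclass
class Contact:
    email: str
    source: str                      # where the address came from: web_form, event, sale ...
    country: str                     # country of residence, as collected on the form
    collected_at: float              # when the address entered the system
    consent_at: Optional[float] = None       # set only when the double opt-in link is used
    unsubscribed_at: Optional[float] = None  # set when the person asks to be removed


class ConsentRegistry:
    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self._secret = secret      # HMAC key for confirmation links; load from config in practice
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._contacts: Dict[str, Contact] = {}

    def sign_up(self, email: str, source: str, country: str) -> str:
        """Register a pending contact and return the confirmation token to e-mail them."""
        email = email.strip().lower()
        existing = self._contacts.get(email)
        if existing is None:
            self._contacts[email] = Contact(email, source, country, self._now())
        else:
            # keep any earlier unsubscribe on record; only a fresh confirmation can override it
            existing.source, existing.country = source, country
        return self._make_token(email, int(self._now()))

    def _make_token(self, email: str, issued: int) -> str:
        payload = base64.urlsafe_b64encode(
            json.dumps({"email": email, "iat": issued}).encode()).decode()
        mac = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{mac}"

    def confirm(self, token: str) -> bool:
        """Called when the link is clicked. Returns True only for a valid, unexpired token."""
        payload, _, mac = token.partition(".")
        expected = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False               # forged or tampered link
        data = json.loads(base64.urlsafe_b64decode(payload))
        email, issued = data["email"], data["iat"]
        if self._now() - issued > TOKEN_TTL_SECONDS:
            return False               # stale link
        contact = self._contacts.get(email)
        if contact is None:
            return False
        if contact.unsubscribed_at is not None and issued <= contact.unsubscribed_at:
            return False               # link predates an unsubscribe request; do not revive
        contact.unsubscribed_at = None
        contact.consent_at = self._now()
        return True

    def unsubscribe(self, email: str) -> None:
        contact = self._contacts.get(email.strip().lower())
        if contact is not None:
            contact.unsubscribed_at = self._now()

    def mailing_list(self) -> List[str]:
        """Only confirmed, not-unsubscribed addresses are ever mailed."""
        return sorted(c.email for c in self._contacts.values()
                      if c.consent_at is not None and c.unsubscribed_at is None)

    def consent_record(self, email: str) -> Optional[dict]:
        """Evidence of consent and data origin for one contact (source, country, timestamps)."""
        c = self._contacts.get(email.strip().lower())
        return asdict(c) if c else None


if __name__ == "__main__":
    reg = ConsentRegistry(secrets.token_bytes(32))
    link = reg.sign_up("Alice@Example.com", "web_form", "DE")  # constructed sample contact
    print("confirmed:", reg.confirm(link))
    print("mailable:", reg.mailing_list())
    print("record:", reg.consent_record("alice@example.com"))
```

The `consent_record` output is the kind of evidence the first two checklist items ask you to keep: the channel the address came from, the country of residence, and when consent was actually given. In a real deployment the registry would be backed by a database and the HMAC key by a secrets store rather than a value generated at start-up.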
Please keep in mind that your business may have other areas that need to be analyzed to maintain compliance. When in doubt, consult your business attorney. We can help your business with the following steps:
- Develop your website terms of use.
- Disclose how your contacts’ information will be used and request permission to continue to use their data.
- Make sure your website contact forms are GDPR compliant.
- Disclose information about re-marketing practices – what your business does with data being collected by Google or Facebook on your website.
Want to learn more? Give us a call at (800) 980-7962.