What in the world is the GDPR?
The General Data Protection Regulation is a law passed by the European Union in 2016 that is in force in the EU as of May 25, 2018. The EU is a group of 28 countries in Europe, including Germany, Spain, France, Italy and others.
This new law, which is often referred to as the GDPR, is designed to protect people’s personal data and to give individuals the means of controlling personal information about them. This information can include such things as name, photo, date of birth, religious views, IP address and so on. Essentially, any data that can be used to directly or indirectly identify a person is subject to this law. The law doesn’t refer only to data that’s held online; the GDPR also covers offline personal data.
One way that the GDPR is changing the way data is collected and stored is by tightening the rules of consent. Organizations must use clear, unambiguous methods for getting people’s approval to collect their data, and they must similarly give them clear means of opting out of data collection.
The GDPR also gives people the right to have their information erased, corrected or sent back to them, among other rights.
Why am I receiving GDPR notifications if my business is not in the EU?
There are two main reasons why your Whatcom County small business might be getting notified about the new law. The first is that the services you use are letting you know about their compliance with the GDPR. The second is that, as a business, you might also need to be in compliance with the GDPR. A brief explanation of each:
- Most of the major services that you might use for communication and marketing — Google, Facebook, MailChimp, etc. — are implementing their responses to this law on a global level. If they’ve asked you to review your security or consent settings in the last month or so, it’s probably related to GDPR compliance, as noted in the answer to the first question above.
- In addition to organizations located within the European Union, the GDPR generally applies to all entities, no matter where they’re located, that process and hold the personal data of people within the EU. That means that your Bellingham, Ferndale or Lynden business, if you’re collecting data from people within the EU, is subject to this law. Maybe you sell products online, and you complete a sale to a user in Spain. Or maybe someone in Germany signs up for your email newsletter. To be on the safe side, if you’re collecting information from people, it’s a good idea to be in compliance with the regulation.
What should I, as a small local business, do to prepare?
Whether or not the new law applies to you, think of this as an opportunity to review your plans and policies regarding the collection, storage, usage and deletion of data. On that note, here are a few things you should do:
- Make sure that you’re collecting only the minimum amount of data you need to process any transaction. If you are simply asking people to sign up for an email newsletter, for example, you don’t need to know their annual income or their place of birth. In general, the less information you collect about a person, the better.
- Whenever you’re collecting data, be transparent about why you are collecting that data and what you plan to do with it. The GDPR lists a number of things businesses should be telling people when they share their data.
- Review the data you currently have and create a plan for keeping it safe. Also, think about whether you need it at all.
- Here’s a good list of 12 things to consider doing right away.
How does GDPR impact email marketing?
- For starters, businesses need to be sure that users always have access to clear, unambiguous methods for unsubscribing.
- Businesses also should take a close look at all of the data they’ve already collected and document where it came from and whom they share it with.
- To be extra safe, it would be a good idea to send an email to your subscribers and ask them to opt in again. Then, give them a clear, unambiguous method for doing so. Confused about what consent entails? Here’s some great info.
What are the penalties if I don’t comply?
- Non-compliance can result in some pretty hefty fines (up to EUR 20 million), depending on the seriousness of the infraction and on how much care the business took to protect data. It’s better to focus on making the necessary changes to ensure you’re not mishandling sensitive data.
Where should I go for more info?