As a business owner, you’ve probably heard the buzz around “GDPR”, the new European Union (EU) privacy law, and the reasons why it has been brought into effect. If not, let’s catch you up!
On May 25, 2018, a new EU privacy law came into effect. The rule, called the General Data Protection Regulation, or GDPR, was designed to protect the personal data of EU citizens (in all 28 member countries of the European Union, even if the data is processed elsewhere) and has been called the most important piece of legislation of the last 20 years.
The law focuses on ensuring that users know, understand, and consent to the data collected about them. It requires companies to limit their data collection to only what they need to accomplish the task for which it is being collected, and to delete it as soon as it isn’t needed. Companies also need to give individuals clear, understandable explanations of their collection and use of personal data: what they do with the data and why. Basically, under GDPR, pages of fine print won’t suffice, and neither will forcing users to click “yes” in order to sign up. Moreover, consumers now have the right to access the data companies store about them, the right to correct inaccurate information, the right to limit the use of decisions made by algorithms, and the right to delete personal information, among others.
But I’m in the US, so GDPR won’t affect me?
Ah, well, not exactly. Even if your entire business is based in the US, you will be affected by the GDPR if:
- You collect personal data or behavioral information from someone located in an EU country.
- You’re based outside of the EU but provide goods or services to the EU, including free services.
So, for example, if your restaurant has a website and you market yourself online to EU audiences, and/or if any EU citizen books a table at your restaurant from their home in anticipation of a holiday, you will be affected in some way by the legislation.
Will the US introduce something like GDPR in the near future? At the moment, the general consensus is no. One of the reasons why is the country’s political landscape. Politicians from all sides have hesitations about it. Some worry that regulations will only aid big businesses in getting bigger, while others fear that strict regulations can inhibit tech growth. There is also a fear that even if something like GDPR were enacted, it would be hard to enforce because there isn’t a government agency whose primary focus is privacy, which differs from the European political landscape.
However, GDPR has already spurred, or contributed to, changes in data-collection and data-handling practices at some major companies, such as Google, Microsoft, and Twitter, among others. Though the law applies only in Europe, some larger businesses and big tech companies have disclosed that they plan to extend similar GDPR protections to all of their users globally, not just those in European countries, because it’s simpler than building different systems for different regions.
So, what does it all mean?
While there aren’t strict regulations as of yet in the US, that doesn’t mean you shouldn’t be focused on keeping your consumer data safe. Here are some things to consider:
- Ask for consent to join your mailing list – Consumers should always be asked to opt-in before receiving any marketing material.
- Enact data protection measures – Ensure that consumer data is appropriately protected (we’re talking encryption and security!).
- Allow data deletion – Customers should be given the option to delete any user account(s) or personal information held by your business.
- Don’t hide a breach – If your consumer data is somehow accessed by a third party, don’t hide it. Notify the appropriate authorities and communicate with the affected parties.
Now that the facts have been established, it is time to start thinking about compliance and whether your business will be one of those affected.