Having completed a two-year transition period, new data privacy regulations go into effect on May 25, 2018, across the European Union. They affect every business that handles consumer data for people in any of the 28 member countries—including small businesses that sell goods or services in Europe.
The new General Data Protection Regulation, or GDPR, is more comprehensive than current U.S. or European privacy laws, and it has stricter penalties for businesses that don't comply.
What Is the GDPR?
The GDPR is intended to give individuals in the 28-nation EU greater control over their personal data, and to standardize and simplify data protection across Europe. The reach of the GDPR extends beyond European countries, though—every business, worldwide, that has customers in Europe or collects personal information about Europeans must comply.
For small businesses, some of the most important things to know about the GDPR are:
- It applies to all kinds of personal data, including credit card numbers, addresses, phone numbers, email addresses, and even IP addresses. It also applies to data that's not digital, such as information on a business card you pick up at a conference.
- You will likely need to obtain consent in a clear and unambiguous way if you want to use an individual's data for any reason, including marketing purposes. That means you have to spell out what you'll use the data for, and not bury it in fine print or legalese. It must be as easy to opt out as it is to opt in.
- You must store and process data in a way that safeguards the customer's privacy.
- If someone no longer wants their data used by your company, they can request that it be deleted. However, that right is not absolute; you may find that you'll need to delete certain information (for example, data that is not relevant to your business need) while retaining information that is pertinent.
- Violations can bring big penalties—up to four percent of annual global turnover [revenue] (or up to 20 million euros, whichever is greater) for serious infractions and up to two percent (or up to 10 million euros) for lesser offenses.
Tips for Complying with the Law
The GDPR applies to all businesses with European customers and data, and this means you must comply even if you're just a one-person e-commerce store that sometimes sells goods overseas. The good news is that many small businesses outsource a lot of their data collection and retention to third-party services and, in many cases, those service providers will have done a lot of the work for you.
Here are some steps to follow to make sure your business is compliant:
- Analyze the data you have. Data involving EU persons may be found in a variety of places, including email lists, your CRM system, contracts, financial records, employment records, and purchase orders. Once you understand the data you have, you can begin to develop GDPR-compliant policies for data collection, storage, and retention.
- Put someone in charge of GDPR compliance efforts, and make sure your team is educated about the importance of data security.
- Only collect the data you actually need. Review email opt-ins, online account creation procedures, and shopping checkout procedures, and eliminate requests for unnecessary information.
- Whether or not you have obtained an individual's consent to use their data, make sure that you fully disclose the ways the data may be used. If you use an e-commerce or email newsletter provider, many of them have tools to help you with GDPR-compliant permissions and notices. Be aware that if you collect information for one purpose, you can't use it for another purpose without obtaining additional consent.
- You can potentially be held liable if third-party services that collect and store data for you are not using GDPR-compliant data privacy methods. This includes email list services, e-commerce platforms, cloud storage, and any other third party that collects personal data. The good news is that major providers—from Google to MailChimp to Shopify—have been working for months to develop GDPR-compliant policies. Check to see if your providers have published online guides to staying compliant with GDPR while using their services.
- If you need extra help, consider hiring a consultant to manage your data security.
GDPR compliance will take time and attention, but it also will demonstrate that you take your customers' privacy and data security seriously. This can increase your customers' trust in you, helping create loyalty for a long time to come.
If you would like to talk to an attorney about how your business can stay compliant, check out our business legal plan and schedule an appointment today.