GDPR Explained: Does GDPR Apply to U.S. Companies?

If you’re a marketing executive, you have probably felt inundated with recent notifications and information surrounding compliance for the European Union’s new General Data Protection Regulation (GDPR). Although the regulation passed in April of 2016, for many people GDPR has quickly risen to awareness over the last few weeks or months. On May 25, 2018, GDPR took effect and changed the way personal data is collected and used online for millions of Internet users around the world. While GDPR is specifically a European Union (EU) requirement, it significantly impacts nearly every business and individual who uses the Internet around the world.

Global marketers, business owners, and brand leaders have begun to urgently seek compliance with GDPR guidelines, which include updating and/or re-issuing their online forms and marketing communications, ensuring consent to continue services, or disabling services for those who fail to consent. These notices are appearing not only across desktop and mobile Internet platforms but also via email communications. Updated policies written in “plain English” and detailing the specific use, collection, and privacy implications of acquired personal data have been issued by Internet behemoths including Google, Facebook, LinkedIn, Microsoft, Apple, Amazon and other global platforms.

You must have many questions about GDPR.

  • What about the local or U.S.-based businesses?
  • Should your business be taking any action?
  • What are the risks of your company being flagged for non-compliance and what are ways to mitigate those risks?

The answers are not straightforward, yet to understand how GDPR impacts you, you first need to understand what GDPR is designed to do and how your business could be involved in collecting and/or storing user data.

What is GDPR and Why Does it Matter to U.S.-Based Businesses?

The General Data Protection Regulation (GDPR) is new legislation that applies to all people, organizations, and businesses that are involved in processing personal data about individuals within the European Union (EU) and the UK. The law is designed to hold businesses more accountable for keeping personal data secure and outlines new procedures for how businesses collect, store, and use data. In addition, it details the rights individuals have to protect, access and modify the data that has been collected on them.

If you think that because this legislation relates to EU and UK residents, GDPR doesn’t impact a locally run business in the United States, think again. Even if you primarily target U.S. residents, you could unknowingly have EU residents in your email, CRM, or other marketing databases. In fact, just one stray email subscriber could be enough for you to receive a hefty fine of up to €20 million or 4% of annual revenue (whichever is higher).

This means regardless of where your business is based or which audiences you primarily serve, you could have liability. If you are doing business anywhere in the world on the Internet, you could be liable for any data collected or processed without the proper steps to acquire and maintain it.

Who are Data Processors and Data Controllers?

GDPR applies to both data processors and data controllers. Here’s how GDPR defines these roles:

  • Data Processor: an organization that processes data on behalf of a Data Controller.
  • Data Controller: an organization that collects data from EU citizens.

If you have a website and do any online or email marketing, you could be at risk. Here’s why: If you are collecting any personal data from EU or UK residents, which includes names, email addresses, or even IP addresses, through digital retargeting initiatives, you become a controller of that data under GDPR. If your business or any of your data partners (e.g. Google, Microsoft, MailChimp, Facebook, etc.) stores that data in any way on your behalf, then you are acting as a processor of that data for your marketing campaigns. Many businesses serve both roles, processor and controller, or serve only one role for a particular data flow.

Both data controllers and data processors need to take precautions to ensure that the personal data they collect is well protected. This includes both new or incoming data as well as existing data. It is critical to ensure that you have active consent from EU and UK persons in your database. For existing data, this might involve acquiring or re-acquiring consent from contacts. For new data, you will want to ensure that you acquire new subscribers and leads in a GDPR-compliant way. Data controllers and data processors must keep track of when and how EU persons issued consent.

If your business sends mass emails, relies on Google Analytics, or utilizes CRM tools for marketing, you could be affected by GDPR. Do you use Facebook advertising for your business? Do you use measurements and analytics to set up or analyze your Facebook campaigns? Do you create audiences in Facebook and potentially market to people who may have residency or citizenship in the EU or the UK?

While Facebook acts as the data controller for the majority of its services, there are also instances where they act as the data processor. If you are having Facebook provide insights about the people who saw and interacted with your ads, then Facebook is the data processor. In that case, your business must have the legal basis for Facebook to process that data.

GDPR Gives EU Persons Rights to Control Their Data

The GDPR allows EU persons the opportunity to consent to specific uses of their data. These uses must be clear, specific, and explained in an easy-to-understand and accessible format. Consent cannot be provided via a pre-checked box and cannot be a requirement for completing another process. For example, consent cannot be a requirement to obtain a whitepaper or case study. Beyond being clear and specific, consent must also have an expiration date. After that date, consent has to be re-obtained. Data subjects, EU persons who have consented to have their data collected, also have the right to withdraw that consent at any time.

In addition to consent, there are several other rights that EU persons are granted under GDPR:

  • Breach Notification: Data subjects must be notified of any data breach within 72 hours of discovery.
  • Data Requests: Data subjects must be able to request and obtain copies of their data, as well as information about how it is being used.
  • Data Erasure: Data subjects have the right to have their data forgotten or erased. These requests can be made either verbally or in writing. Data controllers have 30 days to respond to these requests.

Mitigating Risk of GDPR Non-Compliance

A Data Protection Officer (DPO) can monitor and advise your business on data collection and processing procedures. While hiring a DPO is only required for global businesses processing a large amount of EU data, it could be worth considering.

Complete a full audit of your data collection and processing methods and procedures. You may need to hire a qualified third party that can help you complete the audit and evaluate your results. Find someone who can help you create a plan to comply with GDPR regulations. Check out this checklist for more suggestions on becoming GDPR compliant.

Here are a few items to include on your GDPR compliance list:

  • Research which tools you should invest in, for example, a cookie consent manager software solution.
  • Make sure your third-party data partners are GDPR compliant.
  • Get sound legal advice. Consult with a legal firm that specializes in cyber law and data privacy. Verify that they are well-versed in GDPR.

There are many reasons to become compliant with GDPR — from protecting the data security of your contacts to avoiding hefty fines. Intended to better align with advances in technology, the GDPR is the most important change in data privacy laws in the last 20 years.

Vende Social is providing a website and marketing audit with recommendations for businesses wishing to mitigate their risks. Contact us or email us to learn more.

GDPR Resources

Looking for more information on GDPR? Here are several additional GDPR resource links:

Disclaimer: This blog is not intended to be a definitive source for GDPR information, legal advice, or instruction. To understand the implications for your individual business and online activity, you should contact an attorney with specialization in GDPR legislation.