GDPR and You: What the European Data Law Means for Local Business
Over the last few weeks, inboxes across the country have been flooded with emails similar to the following: “We have updated our privacy and cookie policies.” Sound familiar? You may have received one or two – or even five. Those emails are due to a change in the law surrounding the way companies handle your data.
Approved by the European Union in April 2017 and going into effect in March, the General Data Protection Regulation (GDPR) is the largest piece of consumer data legislation ever passed, and it impacts businesses both inside and outside the EU. We’re talking some of the world’s largest tech companies, like Facebook and Google. So, what’s the actual law making such a big splash from across the pond?
What is GDPR?
In short, the GDPR aims to put control of personal data back into the hands of the user. After the personal data of some 87 million users was improperly shared by Facebook with the political campaign firm Cambridge Analytica, companies took notice. Facebook even recognized it should have done more to protect its users.
So, the latest legislation replaces a previous law called the Data Protection Directive. While it applies to organizations located in the EU, its impact will have a much larger reach.
What Does It Say?
The GDPR can be summed up with three major focal points:
- Data transparency
- Data correction
- Data amnesia
Those are all rights that go back to the user regarding his or her data. The law gives consumers the right to know what information a company holds about them and to demand a copy of it, the right to correct that information if it is inaccurate, and the right to be forgotten by that company. In addition, rather than simply telling users their data is being collected, companies must now disclose exactly what that data will be used for. Hence the wave of email notices and the pop-ups now appearing on websites.
Who Does It Impact?
The new regulations impact any business with operations that touch Europe, or that might touch Europe. If this sounds a bit broad, let’s break it down: If you’re a local mechanic with a website meant to show potential customers your services and contact information, you’re probably OK. If you’re a web company with wide reach and multiple forms to fill out on your website, then there’s a chance those forms could be completed by someone in the EU, which means you need to comply with the new law.
“They are compliant already,” Flores said. “If something happens, it’s their responsibility.”
“Consider swapping them out for forms from companies like HubSpot or Salesforce,” he said.
Given that the law requires businesses to prove they know where their consumer data is stored, software can also be a great way to track and keep that data. Organizations will also be required to notify individuals and authorities of data breaches within 72 hours and address all the resulting issues, so having that contact information readily available is a plus.
Companies that don’t comply with the new law face major implications. An organization in breach could be fined up to €20 million ($24.6 million) or 4 percent of its global annual sales, whichever is bigger. That adds up to a lot of money for companies of any size.
SuperWebPros urged those who do a lot of web services themselves to be careful. Customer data can hide in the nooks and crannies of your website, and if a stray piece is hiding somewhere you can’t access, you are then not compliant with the law and open to repercussions.
In Short, It’s Complicated
Flores urged business owners who are unsure of the impact to consult their lawyer or visit the SuperWebPros website to start a conversation about data protection.
While visitors to the U.S. from the EU are not protected by the law, if your form lands in the hands of someone from across the pond, you are expected to comply under the GDPR. The law’s main focus is simple – to protect the data of consumers – but it’s still one of the most complex pieces of legislation ever written by the EU.
For consumers, the law means it’s less likely that your data will fall into the wrong hands. For companies, some major vigilance is needed when it comes to protecting those same consumers.