GDPR and You: What the European Data Law Means for Local Business

Over the last few weeks, inboxes across the country have been flooded with emails similar to the following: “We have updated our privacy and cookie policies.” Sound familiar? You may have received one or two – or even five. Those emails are due to a change in the law surrounding the way companies handle your data. 

Approved by the European Union in April 2017 and going into effect in March, the General Data Protection Regulation (GDPR) is the largest piece of consumer data legislation ever passed, and it impacts businesses both inside and outside the EU. We’re talking some of the world’s largest tech companies, like Facebook and Google. So, what’s the actual law making such a big splash from across the pond?

What is GDPR?

In short, the GDPR aims to put control of personal data back into the hands of the user. After the personal data of some 87 million users was improperly shared by Facebook with the political campaign firm Cambridge Analytica, companies took notice. Facebook even recognized it should have done more to protect its users. 

So, the latest legislation replaces a previous law called the Data Protection Directive. While it applies to organizations located in the EU, its impact will have a much larger reach. 

What Does It Say?

The GDPR can be summed up with three major focal points:

  • Data transparency
  • Data correction
  • Data amnesia

Those are all rights that go back to the user regarding his or her data. The law gives consumers the right to know what information a company has about them and demand a copy of it, the right to change that information if it’s incorrect and the right to be forgotten by that company. In addition, rather than just tell users their data is being collected, companies now must disclose exactly what that data will be used for. As a result, email notices and pop-ups are up on websites. 

Who Does It Impact?

The new regulations impact any business with operations touching Europe or that might touch Europe. If this sound a bit broad, let’s break it down: If you’re a local mechanic with a website meant to show potential customers your services and contact information, you’re probably OK. If you’re a website company with wide reach and multiple forms to fill out on your website, then there’s a chance those forms could be completed by someone in the EU, which means that you need to comply with the new law. 

Many local companies, like SuperWebPros, need to make sure they are informing visitors to their websites of new privacy policies. Jesse Flores, chief web pro at the website development company, said the business updated its privacy policy and made that policy visible to anyone visiting the site. That new policy – combined with the fact that the business uses a trusted third-party software for lead generation and forms on the website – makes the company compliant with the new law and covered if anyone in the EU fills out a form on the site. To make sure a company is covered, Flores recommended using a reputable company for forms and lead generation. 

“They are compliant already,” Flores said. “If something happens, it’s their responsibility.” 

He said that while most local companies won’t be affected, “If you do a lot of business in Europe, you should have a lawyer look over your privacy policy. “If you need a privacy policy, he added that you can download them online and customize it for your business. His biggest piece of advice for companies in that gray area is don’t use low-quality, internally made forms. 

“Consider swapping them out for forms from companies like HubSpot or Salesforce,” he said. 

Given that the law requires businesses to prove they know where their consumer data is stored, software can also be a great way to track and keep that data. Organizations will also be required to notify individuals and authorities of data breaches within 72 hours and address all the resulting issues, so having that contact information readily available is a plus. 

 

The Punishment

Companies that don’t comply with the new law face major implications. An organization in breach could be fined up to €20 million ($24.6 million) or 4 percent of its global annual sales, whichever is bigger. That adds up to a lot of money for companies of any size. 

SuperWebPros urged those who do a lot of web services themselves to be careful. Customer data can hide in the nooks and crannies of your website, and if a stray piece is hiding somewhere you can’t access, you are then not compliant with the law and open to repercussions. 

In Short, It’s Complicated

Flores urged business owners who are unsure of the impact to consult their lawyer or visit the SuperWebPros website to start a conversation about data protection. 

While visitors to the U.S. from the EU are not protected by the law, if your form lands in the hands of someone from across the pond, you are expected to comply under the GDPR. The law’s main focus is simple – to protect the data of consumers – but it’s still one of the most complex pieces of legislation ever written by the EU. 

For consumers, the law means it’s less likely that your data will fall into the wrong hands. For companies, some major vigilance is needed when it comes to protecting those same consumers. 

Share
Allison Spooner

Allison Spooner

Allison Spooner is a writer, storyteller, copywriter, marketing content creator and communicator. She uses her communication and creative writing skills to articulate the stories and messages that businesses can't express themselves. She has been telling the stories of businesses across the state of Michigan for 10 years. You can find both her professional and her creative writing on her website, allisonspoonerwriter.com and follow her musings on Twitter @allyspoon

Advicoach Business Spotlight

Follow Us