
McLellan: You need to care about GDPR


Have you noticed the barrage of emails you received in the last week about changes in privacy policies? That’s no coincidence. GDPR officially went into effect across the European Union on May 25, and it has sent companies big and small into a flurry of updates and notifications. The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the EU.

Many U.S.-based companies that only do work with U.S.-based customers are assuming they can disregard this law because it doesn’t apply to them. In theory, that may be true. But in today’s global economy, can you really be confident that no one from outside the U.S. ever visits your website?

The regulations were written to protect European citizens by giving them more control over the data that’s collected about their online activities and personal information.

The new policies, which will be enforced by the Information Commissioner’s Office, require companies to be explicit in their efforts to seek consent from consumers before collecting their personal information. Companies also have to give consumers easy access to their own data and to delete that data if the customer requests it. The policy also requires that companies notify users of data breaches within 72 hours of when they occur.

Failure to comply with GDPR comes with the risk of hefty fines of up to 4 percent of a company’s annual global revenue, or 20 million euros (about $23 million), whichever is higher.

So why does any of this matter to you, if your entire client base is in the U.S.? In practical terms, there are some things you should definitely do and some others you should strongly consider, not necessarily because you’re going to be fined but because they’re going to be the norm very soon.

• You can’t control who visits your website and signs up for your e-newsletter, downloads an e-book or does something else that has you collecting their email address.

• The GDPR rules are not unreasonable. Many of them are really just best practices that are worth implementing.

• The changes aren’t dramatic. For most of you, it’s simply updating the privacy policy on your website and making sure your email collection process uses double opt-in and asks permission to send people email or to contact them outside of email (on Facebook, for example).

Understand that the May 25 deadline was not a do-or-die deadline. You have plenty of time to get your ducks in a row, but it’s not something you should ignore.

Here’s how to get started:

• Allow your web visitors to see what data you have collected and delete it if they ask you.

• Make it clear what data you are collecting.

• Commit to providing notice of any data breaches within 72 hours.

• Don’t send anyone an email if they haven’t signed up for it or given you permission.

• If you use software (Constant Contact, MailChimp, Hubspot, etc.) to send out email, you’ll want to check with them to see if they require you to do anything specific to demonstrate that you are GDPR-compliant.

You don’t have to reinvent the wheel here. If you do a lot of business outside the U.S., you may want to check with an attorney to make sure you are compliant. But if the lion’s share of your customer base is inside the U.S., you can probably do this on your own. There are plenty of examples of privacy statements that comply with GDPR standards online. A Google search will give you templates you can use to make sure you’ve covered your bases.