It’s Not Time To Panic But GDPR Should Be Taken Seriously
Well, much like the Year 2000 doomsday prediction, May 25, the GDPR’s deadline, has come and gone. While its effects are being seen across the Internet via updated permission policies and news outlet stories, many businesses are wrestling with exactly what the GDPR is and what steps their business should take to address it. So at The Mauldin Group, we thought we would share some of our own insights into this mysterious acronym and how we will be addressing it on our own terms.
What is GDPR?
Based out of the European Union (EU), the General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law that specifies in detail the restrictions and standards that must be followed for data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the European Union on a global scale.
While it is based in the EU, it has considerable implications for companies and enterprises that are involved with eCommerce, trade and Internet transactions on an international level. A few of these companies are already feeling the sting of GDPR in the form of filed lawsuits.
Help, GDPR Has Arrived And We Have No Idea What To Do!
So many of our clients have contacted us with this very dilemma. After all, GDPR is a European Union thing only, right? Wrong! In fact, thanks to the Internet, the GDPR has some pieces that all companies (in the United States as well as other countries) need to adhere to.
Here is the curveball, in easy-to-understand words: Article 3 of the GDPR states that if you collect personal data or marketing behavior information from a person in a European Union country, your business must meet GDPR requirements. So if you are gathering info, which we imagine includes Google Analytics on your website, and targeting sales nationally and internationally where an EU visitor can interact, then yes, you must comply.
What this means:
- The data subject (consumer) must be in a country of the EU when the data is collected. For data subjects, including EU citizens, who are outside of the EU when the data is captured, the GDPR requirements would not apply. The rub, however, is how do YOU as a business owner track or decipher this and feel comfortable?
- A purchase or financial transaction doesn’t have to take place for the law to be in effect. If your business just collects what the EU deems “personal data,” or what we in the U.S. call personally identifiable information (PII), which could simply be a marketing survey or newsletter signup CTA, then you are held to the GDPR’s laws; even worse, if your business is found guilty of breaking these laws, your company could be facing very stiff penalties.
- Okay, there are some gray areas in the GDPR that fall in favor of U.S. business owners. An EU visitor can’t just simply happen onto a U.S. company website that is meant for American consumers and businesses. A company must be “purposefully” targeting the EU consumer.
This would include:
- Creating a website targeting the EU consumer, or Internet content that is written in the language of an EU consumer.
- Transacting with an EU consumer via eCommerce.
- Accepting the currency of an EU consumer (ex. Euros).
- Collecting marketing and personal data on the EU consumer.
- Using Internet domain suffixes from EU countries. EXAMPLES: .at – Austria, .be – Belgium, .se – Sweden, .uk – United Kingdom.
Does That Mean My U.S. Company Is Off The Hook? No!
Here is where most U.S. companies are going to feel the GDPR pinch. We have had a long marketing tradition of sharing info freely when it is acquired via the Internet. U.S. consumers know all too well the small, very detailed language that, unfortunately, many of us just “check” the box on and ignore, giving businesses the freedom to collect our personal data and share information (names, email addresses, purchasing details, etc.) with third-party companies. Those days are gone.
Thanks to the GDPR, in its own words, consumer data permissions must be “freely given, specific, informed, and unambiguous.” In other words, the permission language should be clear, easily understandable and detailed enough to reflect EXACTLY what the person is allowing in the way of data collection, use, sharing and storing.
In addition, to assure strict adherence, the GDPR has built in very harsh fines for not meeting these guidelines. However, of most concern to businesses is the GDPR’s 72-hour breach notification rule.
“Controllers must also notify EU citizens of a data breach if there is a high risk to the rights and freedoms of natural persons,” according to The National Law Review.
This new breach rule sets a much more stringent deadline for addressing and reporting data leaks, breaches and hacking. This means many U.S. companies will need to overhaul their Internet security and data collection practices.
So What Does GDPR Really Mean For My Business?
For any business that has a website or transacts business via the Internet, it is simply more feasible to address GDPR now. Waiting until companies begin facing failures and fines is just going to add complications and create emergency headaches when you least expect them. In addition, as history has proven, there will undoubtedly be fly-by-night organizations springing up to challenge companies that are vulnerable under GDPR.
Companies Most Affected Are:
- Companies Operating on A Global or International Scale
- Marketing Agencies
- Online Schools Offering International Studies
- Travel Agencies
- Tech Companies
- eCommerce Companies
The Mauldin Group Cares About Your Business and GDPR
As always, if your company is seeking to take its digital marketing from the bottom to the top, we invite you to contact us now or call 678-846-2306. The Mauldin Group can provide you with customized, strategic online marketing solutions that will make your business, whether small, local or global, stand out from the crowd. We invite you to follow us on Facebook, Twitter or Instagram to learn more about our services.