Do businesses in the US need to be GDPR compliant

Is your company GDPR compliant? If not, you are not alone. According to Forbes, 79% of US businesses are not compliant yet. The deadline to become GDPR compliant was May 25th, 2018. You have probably already seen the wave of privacy-policy emails from US companies arriving in your inbox. Even if you are a small business located in the US, you may have to follow the GDPR rules from now on.

But don’t panic. We are here to help. Here’s a quick education on what GDPR is, why it matters to you and what you can do to get your company compliant.

What Is GDPR?

“GDPR” stands for General Data Protection Regulation, legislation approved by the EU Parliament that became enforceable on May 25th, 2018. In summary, it is a set of rules designed to give people in the EU more control over their personal data. Note that it protects individuals located in the EU, not only EU citizens. What type of data does GDPR cover? Below are some examples:

  • Basic identity information such as name, address, email and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data

So why does a US company need to know and care about GDPR? See below.


Does GDPR Apply To A U.S. Company?

GDPR applies to any company in the world that offers goods or services to people in the EU, or monitors their behaviour there, whether or not it has an office in the EU. A US company that collects, stores or otherwise processes the personal data of people in the EU while doing so is subject to GDPR. US companies are not exempt from Europe’s privacy rules, and non-compliance can result in enforcement action and fines for the business.

Example: Anne lives in the UK. She’s planning a trip to the US and researching places to visit and stay. She finds your website and fills out a form to download your planner. She books a hotel for a night. You email her your guide or booking confirmation. You add her to your email newsletter. She later asks you to delete or correct her contact details. You must act on that request without undue delay, and at the latest within one month. (The 72-hour deadline often quoted alongside GDPR is for notifying the supervisory authority of a personal data breach, not for answering a request like Anne’s.)

What Are The Repercussions If You Are Not Compliant?

If your organization handles the personal data of even one person in the EU and you are not compliant with GDPR, you are exposed to fines of up to €20 million or 4% of your worldwide annual turnover, whichever is higher.

What Does It Mean To Be GDPR Compliant?

The very first step is to update your privacy policy, terms of use and website online forms.

Here’s a quick checklist of things to consider in order to update your privacy policy:

  • Who is your data controller? (this is usually your business)
  • How can users contact the data controller?
  • Do you use personal information to make automated decisions or to profile your visitors? (Tracking tools such as Google Analytics profile visitors and must be disclosed in your policy, even though on their own they are not the kind of automated decision with legal effect that GDPR regulates separately.)
  • Is providing personal information mandatory?
  • What is your legal reason for collecting and processing personal information?
  • Are you using cookies on your website?
  • Can you easily find, edit or delete a contact?
  • Do you obtain specific consent from your contacts and clearly explain how you plan to use their personal data?
  • Do you have a legal basis, such as consent, to process the personal data of people in the EU? Verifiable consent requires a record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve a clear affirmative action: plain language and no pre-checked consent boxes.

Sound overwhelming? We are here to help and walk you through it. See below.


How Can We Help

We can work with your team to make sure you are GDPR compliant, in the following four steps:

1. Conduct a Data Inventory

Audit the data you are collecting, determine how the data is being used, and create data maps to establish processes for mitigating potential compliance issues or for setting up new data capture practices.

2. Create a Data Protection Plan

If your company doesn’t already have a data security policy, you should begin working to put one in place and confirm that it is in compliance with the GDPR requirements. We would also analyze what data you are obtaining and securing. We would work towards minimizing the data and making sure the deletion of data is recorded for your files.

3. Review and Update Your Privacy Policy

The very first action here is to update your Privacy Policy. Your current privacy policy may not meet the GDPR requirements, so we would work with you to make sure it is up to date and compliant.

After the policy is created and posted on your website, we will work with you to create a public notice to be sent out to your current customers, notifying them of your new policy. This is normally an email sent to everyone in your database alerting them to your new privacy policy. A pop-up can also be installed on your website alerting visitors to the privacy policy and the cookies you are using.

4. Assign a Data Protection Officer

We would work with you to determine whether a Data Protection Officer (DPO) is required in your case. The DPO role carries significant authority and independence within an organization, and may be filled by an employee or outsourced to a specialist provider. If you determine that a DPO is not required, the reason for this decision needs to be formally documented. If a DPO is required for your organization, we would conduct a one-hour training session with them.

Your Investment

Starting at $1,900, you can get the peace of mind that your business is compliant with GDPR and focus on the rest of your business.

The time is now to get GDPR compliant. Contact us to start working on getting your company GDPR compliant.



About Milena Regos

Marketer, Consultant and Creator of the Simple Marketing Blueprint online marketing course for busy professionals.
