Do businesses in the US need to be GDPR compliant?
Is your company GDPR compliant? Don’t worry, you are not alone. According to Forbes, 79% of US businesses are not compliant yet. The deadline to become GDPR compliant was May 25th, 2018. You may have already seen all these privacy emails from US companies come through your inbox. Even if you are a small business located in the US, you may have to follow the GDPR rules from now on.
But don’t panic. We are here to help. Here’s a quick overview of GDPR, why it matters to you and what you can do to get your company compliant.
What Is GDPR?
“GDPR” stands for General Data Protection Regulation, new legislation approved by the EU Parliament which came into effect in May 2018. In summary, it is a new set of rules designed to give EU citizens more control over their personal data. What type of data does GDPR cover? Here are some examples:
- Basic identity information such as name, address, email and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
So why does a US company need to know and care about GDPR? See below.
Does GDPR Apply To A U.S. Company?
GDPR applies to any company in the world that offers products and services to customers or businesses in the EU. Any company in the US that processes, stores or uses data related to an EU citizen is subject to GDPR. US companies are not exempt from Europe’s new privacy rules. Non-compliance with GDPR can result in citations and fines for the business.
Example: Anne lives in the UK. She’s planning a trip to the US and researching places to visit and stay. She finds your website and fills out a form to download your planner. She books a hotel for a night. You email her your guide or booking confirmation. You add her to your email newsletter. She requests that you delete or change her contact details. You need to comply within 72 hours.
What Are The Repercussions If You Are Not Compliant?
If your organization manages data that includes even one EU citizen and you are not compliant with GDPR, you are subject to fines of up to 4% of your global revenue or 20 million Euros.
What Does It Mean To Be GDPR Compliant?
To assess where you stand, start by answering these questions:
- Who is your data controller? (this is usually your business)
- How can users contact the data controller?
- Do you use personal information to make automated decisions? (Do you have Google Analytics installed? Then yes, you do.)
- Is providing personal information mandatory?
- What is your legal reason for collecting and processing personal information?
- Are you using cookies on your website?
- Can you easily find, edit or delete a contact?
- Do you obtain specific consent from your contacts and clearly explain how you plan to use their personal data?
- Do you have a legal basis, like consent, to process an EU citizen’s personal data? Verifiable consent requires a written record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve a clear affirmative action. This means clear language and no pre-checked consent boxes.
Sound overwhelming? We are here to help and walk you through it. See below.
How Can We Help?
We can work with your team to make sure you are GDPR compliant in the following four steps:
1. Conduct a Data Inventory
Audit the data you are collecting, determine how the data is being used and create data maps to establish processes for mitigating potential compliance issues or establishing new data capture practices.
2. Create a Data Protection Plan
If your company doesn’t already have a data security policy, you should begin working to put one in place and confirm that it complies with the GDPR requirements. We would also analyze what data you are obtaining and how it is secured. We would work towards minimizing the data you hold and making sure the deletion of data is recorded for your files.
4. Assign a Data Protection Officer
We would work with you to determine if a Data Protection Officer (DPO) is required in your case. The role of a DPO carries significant power and independence within an organization, and may be filled by an employee or by an outsourced service from a specialist provider. If you determine a DPO is not required, the reason for this decision needs to be formally documented. If a DPO is required for your organization, we would conduct a one-hour training session with them.
Starting at a $1,900 investment, you can get peace of mind that your business is compliant with GDPR and focus on the rest of your business.