The European Union (EU) General Data Protection Regulation (GDPR) will take effect on May 25, 2018. GDPR is the most significant change to European data privacy in over 20 years. Whether or not you are in the European Union, failure to comply may result in fines up to 4 percent of annual revenue or more.
Are U.S. Businesses Required to Comply?
Any U.S. company that collects personally identifiable information or financial data through its website from someone physically located in one of the 28 EU member states is subject to the requirements of GDPR. Although the following is not an exhaustive list, it is especially important to review the compliance requirements if you are a hospitality, travel, software services or eCommerce company.
GDPR applies if you:
- Market your website to EU residents – generic web marketing doesn’t count
- Accept the currency of an EU country
- Have an EU domain suffix
- Offer shipping services to an EU country
- Provide translation in the language of an EU country
- Store web-based cookie data
- Track and collect personally identifiable information to predict online behavior of EU web visitors
Note: If EU consumers are outside the EU when the data is collected, the GDPR does not apply.
What is Personally Identifiable Information?
Personally identifiable information is any data that can be used to identify a specific individual. This includes name, social security number, physical or email address and phone number. Technology has expanded the scope to include login IDs, social media posts, digital images and any identifiable behavioral data collected using analytics or personalization platforms.
What You Need to Do
This is not a comprehensive list, but completing the following actions is a start and may even be sufficient for most U.S.-based companies, at least for now.
- Verify what personal data you are collecting and why.
- Provide easy-to-understand website terms, conditions and privacy policies that explain how your business uses personal information and cookies, and how you keep data secure.
- Whenever and wherever you capture customer data, tell them why you are asking for it and explain how it will be used. Make sure customers have an easy way to provide consent to use their personal information for marketing purposes.
- Offer a way for customers to opt-in or out of all marketing and communications.
- Develop a process to handle security breaches quickly. Any breach must be reported within 72 hours.
- Ensure you have a process for responding to a customer’s request for access to or removal of their personal data.
- Ensure your site is fully secured and PCI compliant, and that all personal data is encrypted.
To be successful online and stand above the competition you need the right web partner. Smart Solutions is 100% dedicated to your success.