How GDPR Affects Small Business USA
*The following are my suggestions and are in no way legal advice. I am not a lawyer. For legal questions, please consult a lawyer.
Mark your calendars. On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect. Even if your business doesn’t typically interact with European citizens, every website should be proactively taking steps to comply.
I will be the first to admit that I originally thought nothing of the regulations because I didn’t think that it would affect me in any way. In fact, a recent study found that 60% of companies are not going to make the GDPR compliance deadline. However, in the last two weeks I have been learning all about GDPR and now realize that every website should be GDPR compliant in order to protect itself from any potential legal problems down the road.
What is GDPR?
Simply put, GDPR is being put in place to protect European Union citizens’ online data and privacy. It is designed to create basic principles for user data management and security that companies need to comply with. The regulations themselves are quite vague, as they require companies to provide a “reasonable” level of protection without defining what “reasonable” actually means. The regulations apply to any type of personally identifiable information that is collected. This includes the user’s name, email and even IP address.
How Does This Affect My Business?
This affects every business in a few different ways. First, the new regulations are designed to protect EU citizens even when they are not in the EU at the time they visit your website. So let’s say that an EU citizen visits the United States and needs services that you offer. The new regulations would still be in effect because this person is an EU citizen. If your website is not GDPR compliant, then you would be in violation of GDPR.
For most local businesses in the US, this situation is probably pretty rare, and even if it did happen, the likelihood that the person would report you is probably even lower. BUT it is better to be proactive than reactive should it happen, especially because the fines can reach over $20 million or 4% of the worldwide annual revenue of the prior financial year.
Sounds scary, right?
Don’t panic. These fines would apply to large corporations should they be irresponsibly mishandling user data and privacy. The reality is that local small businesses in the US will probably never encounter any GDPR backlash, but the regulations should at least shine some light on the importance of transparency for your users. If a user wants to know what information is being used and in what way, they have that right and it can only benefit you to provide it to them.
Questions To Ask Yourself About Your Website
- What information are you gathering?
- Are you collecting personally identifiable information?
- How are they being collected?
- How long are you retaining the information?
It really doesn’t take much to become GDPR compliant for US small businesses. I think that answering the questions and then completing the two steps above would be considered a “reasonable” level of protection and transparency. I recommend completing these steps by May 25, 2018 to be safe. For me, it took about an hour to complete but it will differ for everyone. After May 25, we will quickly find out more about how the EU plans to enforce these regulations and whether or not further steps are required.