The question on many businesses' minds is: what is GDPR? The GDPR (General Data Protection Regulation), effective May 25, 2018, was created to promote transparency in how personal data is collected, used, and transferred. It also creates accountability for companies and aims to give EU citizens better control over their data. The GDPR has companies either scrambling to comply or simply blocking the EU from their websites (which is why you may have seen notices on websites such as: “Unfortunately, our website is unavailable in most European countries”).
However, mass blocking of the EU is not necessary, and compliance is possible by following a few steps.

GDPR regulates how personal data is used in the EU.
Does the GDPR apply to you?
First, you need to figure out whether the GDPR applies to your company. The GDPR does not care whether your company is small, whether it is located outside the EU, or what your company does: if you interact with EU citizens, there is a chance you will have to comply with it. Two kinds of agencies must comply with the GDPR: 1) agencies that process the data of EU citizens and intend to offer them goods or services; and 2) agencies that monitor EU citizens' behavior. If either applies, then you will need to hire a DPO (Data Protection Officer) who will ensure you are complying with the GDPR. Even if you do fall within one of these categories, that does not mean you should geo-block the EU; it just means you have some extra work to do.
How are you collecting the data?
The next step is to determine whether you are collecting the data legally (keep in mind that the GDPR is not meant to stop all data collection; it aims to promote transparency and give EU citizens a choice). The main concern of the GDPR is that companies obtain consent from the people whose data they collect. So if you have contracts with your clients to collect their data, then under the GDPR you're good! You might also be good if the customer has a “legitimate interest” in your goods and services. What is a legitimate interest? Someone with a legitimate interest has “opted in” to your services and wants to receive your materials, but keep in mind that you still need their consent to use their data.
What is your Privacy Policy?
Further steps are to look at how you are collecting the data, how you are using it, and where you are transferring it. Next, look at your privacy policy and check whether you are telling customers what you are doing with their data. If you are not telling them exactly what is happening, then you need to update your policy so that you do, and give them the option to “opt out” if they don't like what is happening with their data.
What if I don’t want to do any of these things but still collect data from the EU?
Well, that is an option, but not one without consequences. Right now we are not sure how companies will be prosecuted for not complying with the GDPR, but fines can be as high as €20 million or 4% of global annual turnover. The companies most likely to face this fine are bigger ones collecting loads of data, which is why so many of them have begun geo-blocking. Regardless of whether you get caught, the biggest consequence is the damage to your brand reputation and the potential loss of customers.