If your website:
- has ANY forms for collecting names, emails, or other personal information for email marketing, scheduling purposes, or to enable download of a lead magnet, OR
You may rightfully wonder, “Why should I care about regulations in five states or the EU where I’m not located and don’t do business?” Fair question. And the answer is simple. You can’t stop visitors from those states or the EU from visiting your website. Under GDPR Article 3(2), the regulation reaches a business outside the EU as soon as it offers goods or services to people in the EU or monitors their behavior, and a website that collects visitor details or runs analytics on them does exactly that. The minute those visitors arrive, the regulations kick in.
Understanding the General Data Protection Regulation
The GDPR is technology neutral. This means it covers data you collect both online and offline, regardless of device, including computers, phones, cash registers, and paper records.
The GDPR covers both data privacy AND data security. So it’s not just what data you are collecting and how you use it, but also how you are protecting it (Article 32 requires security measures appropriate to the risk), and how you will respond in the event of a data breach.
Under the GDPR, all businesses, regardless of location or size, are expected to comply if:
- You collect personal information from people in the EU (newsletter, lead magnet, contact form). OR
- You sell goods or services to people in the EU. OR
- You use analytics on your website that can capture the behavior of people in the EU (clicks, views).
Note that the GDPR protects people located in the EU, not just EU citizens. It doesn’t matter whether you actually do business in the EU or actively target EU consumers. If you are collecting their personal information or tracking their behavior, GDPR applies.
How can I be compliant with these regulations?
- Serve your website over HTTPS with a valid TLS certificate, and redirect plain HTTP to HTTPS. This is not a “certification”; it encrypts every form submission in transit so names, emails, and other details can’t be read or altered on the way to your server. Encryption is one of the technical measures GDPR Article 32 names explicitly.
- Know what data you collect. Covered data includes:
  - Personal Data – name, address, birth date, SSN, etc.
  - Web Data – geolocation, IP address, cookie data, clicks, views, etc. (the GDPR treats online identifiers like IP addresses and cookie IDs as personal data)
  - Special Category Data (Article 9) – health, biometrics, race/ethnicity, political opinions, religion, sexual orientation, etc. Processing these requires a specific legal basis, usually explicit consent.
- Do a data audit. Know where your data originates, where you store it, how you process it, how long you keep it, and how you secure it. Include computers, paper files, and cloud-based storage in your data audit. And don’t forget your vendors! Google Analytics, email marketing platforms, payment processors, and the like process your visitors’ data on your behalf, so include them in the audit and make sure each one gives you a data processing agreement (GDPR Article 28).
- Maintain an “appropriate” level of data protection and privacy (the GDPR’s word, Article 32). Ensure secure data storage. Only collect the data you really need (data minimization). Store data no longer than necessary to fulfill the purpose for which consent was given (storage limitation).
- Have a breach response plan in place. Make sure you know how to respond in the event of a data breach and can meet the GDPR’s 72-hour deadline: Article 33 requires you to notify the supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to pose a risk to the people affected, and Article 34 requires you to notify those people directly when the risk is high. US state breach laws have their own timelines and thresholds, so your reporting obligations will depend on where your data subjects reside.
- Respond to requests from data subjects for access to, correction of, or deletion of their information without undue delay and within one month (Article 12). That period can be extended by up to two further months for complex or numerous requests, but you must tell the requester about the extension within the first month.