5 reasons why GDPR can impact your American business
5 reasons why a privacy law passed in the UK can drastically impact your American business
General Data Protection Regulation (GDPR) is Europe’s 88 page, 99 article, privacy regulation reform effective 25 May 2018. Although your small business is a U.S. company, if you have a web presence (website) and sell your products on the internet then you may be a GDPR impacted organization. In summary, if you collect personal data or behavioral information from someone in an EU country or have targeted advertisements aimed at an EU country and the person(s) submits personal data to your website then your company will have to be GDPR compliant.
For American companies that are impacted by GDPR here’s an overview of some major things to prepare for:
1. Your company is accountable for the way you handle people’s personal information whether they surrendered the data willingly or not
Your small business may be a victim of a data breach or a 3rd party that you have granted access to customer’s data (whether for advertisement, analysis or other reasons) may abuse that data. In each circumstance you will be accountable and may face penalties. It is essential that you have data protection policies, data protection impact assessments and relevant documentation on how data is processed.
2. Serious data breaches are no longer an internal matter
The new GDPR states that your company has to report data breaches to “the supervisory authority [the ICO in the UK] without undue delay, and at the latest within 72 hours after having become aware of the breach” if the breach poses a risk to a customer or that user’s individual rights and freedoms. In the past some of the top companies have used their best judgement on how they handle data breaches. This new GDPR regulation does not offer a gray area in data breach reporting in certain circumstances and requires company by law to report breaches to their country’s data protection regulator.
3. Your company’s internal operations have to change
Documentation will be key to keep your company compliant if you identify yourself as GDPR impacted business. For instance, if you have 250 or more employees GDPR requires you to have documentation explaining why your customer or client data is being collected and processed. In addition, you have to outline your security measures to protect this data after you have log what data you are collecting and how long it will be kept for.
Furthermore, if you manually or automatically handle customer’s data on a large scale like macro monitoring or your small business handles a lot of sensitive personal data you have to hire a Data Protection Officer (DPO). This person will manage GDPR compliance and be the key contact person for privacy matters internally and to the public.
4. The customer has rights over their information that your business collects
Under GDPR customers have new rights to their information throughout its life cycle within your corporation. From the beginning when a UK native customers sign on to your website your business must have “freely given, specific, informed, and unambiguous” consent.
This means you have to call your web developer and have them update your forms to include some copy on the form stating what you are doing with the specific information you are collecting. A link to your “Terms and Conditions” accompanied by an already checked checkbox will no longer be adequate or compliant. To add, you have to get explicit permissions for each medium you plan on using the data on (newsletters, third party sharing, advertisement…etc). Paired with the 72 hrs breach disclosure and data protection logging, your IT/IS team (developers, database admins, UI devs, digital marketing staff… etc) have to be on point and leverage customer rights over profits.
On the next stage of the customer’s data life cycle (data under your company’s control), the customer has the right to request personal information that you have collected about them and you have to provide it to them within a month without being charged a fee. In the past some companies would charge almost $15 for this request but now under these new regulations customers can request their personal data and any other data that you have collected about them for free. This includes behavioral data and even processed data on your back-end so be careful how you categorize your customers internally (ie. sucker, quick spender, easy sell).
The end of the customer’s personal data life cycle will also be under the customer’s control. The customer can request their data to be deleted when it is no longer used for the purposes outlined when the customer forfeited the information. Also, if the customer withdraws their consent, there is “no legitimate interest” or if the data was “unlawfully processed” they have the power to have it removed from your system(s) entirely. 
5. Safe guards have to be put in place to handle people’s personal data both internally and externally
Protecting customer’s personal data is the main incentive in developing GDPR. Within your organization, the storage, transmission and sharing of customer data has to be audited to meet security requirements. Encryption and security patches for all mediums that interact with people’s data will be essential in maintaining the data’s integrity and protection. Often, the weakest link in security is not the technology but the staff. You have to ensure that your small business has reliable employees who will handle data properly and follow security guidelines. You will also have to use data minimization techniques such as Pseudonymization which replaces personal identifiable information with artificial identifiers.
How can the EU enforce this law on U.S. companies?
The exact measures have not been set in stone for international companies but general international business law is very tricky so you may want to safeguard yourself against fines up to $650,000 from the EU which can sink your business. The EU also has other measures that can really hurt your business. For instance, they can ban your site from their countries which can have deeply impact your bottom line depending on your market share in the EU.
Looking past the consequences, as a small business owner you should care about your customers enough to effectively manage their data. This will build a reputation for your brand and build customer loyalty and trust in the future.
You have 2 years to be in compliance. Use that time wisely.
Determine how many uk customer segments your small business currently services and consult with your business lawyer.