GDPR and how it impacts US based businesses

GDPR (Global Data Protection Regulation) is about to go into effect on 5/25/2018. Many businesses here in the states are going to be impacted by this new regulation. If you deal with clients in the EU, or you have a website that is available in the EU, you must follow the GDPR. We have put together this website to give you 10 steps to get you started and familiar with GDPR. Note: Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. PLEASE NOTE: This is not legal advice, we are not lawyers, this is our interpretation of the regulations, please consult an attorney. We are going to give you 10 steps to help you get started. Feel free to watch the video:
To begin GDPR is the regulations around how you can collect, use, secure, and explain your collection of personal data.

Step 1: Understand What is Personal Information

Personal information or Personal Identifiable Information (PII) is any piece of information or pieces of information that can be used to identify an individual. This may include first name, last name, phone number, email address, physical address, or IP address if paired with another piece of PII.

Step 2: Perform a Risk Assessment

Perform an assessment to understand what PII you currently collect, how you collect it, how you use it, and why you collect it. This will be important to better understand how to perform the next steps.

Step 3: Write a Fair Processing Notice

A Fair Processing notice is a document you write in plain English (without legal jargon) to explain the following:
  • What you are going to collect
  • Why you are collecting it
  • Who is collecting it
  • How it is collected
  • How it will be used
  • Who it will be shared with
This should outline the above to explain will full transparency what you are doing with someones data. You can not collect data without INTENTIONAL means. This means you can not just scrape data without knowing what you are going to do with it.

Step 4: Secure and Organize the Data

Determine how you are going to secure and organize this data. Who will have access to it? How will they get access to it? How are you going to protect the data from unauthorized access? This is important because any persons can request their information at any time and you must be able to deliver it within 1 month of the requestAny persons can also request that their information be completely deleted at any time. Having your data organized will make sure you can comply with these requests.

Step 5:  Create and Opt In to any Data Collection

Any time you are collecting data (for those of us in the US this will apply mostly to our websites) you must have an opt in. This opt in can be a checkbox on a form, but can not be auto checked.

Step 6:  Create a Layered Opt In

Whenever someone opts in they must have access to your Fair Process Notice. This can be either included with the opt in, or it can be a link to the Fair Process Notice next to the opt in.

Step 7: Create an Opt Out

You must have a way for someone to opt out. If this is an email message they must be able to opt out/unsubscribe. If you are using an email system like MailChimp most already include this. If you send text messages, or use a phone service you must have an option for an opt out. If you are sending direct mail to EU residence you must have a clearly spelled out way for someone to opt out.

Step 8: Inform your Employees

Make sure everyone in your organization knows about your new processes so if someone requests to be removed your employees can advise them properly.

Step 9:  Designate a Data Protection Officer

Designate someone to your organization to be the point person for GDPR. This way they can be the go to for any questions around your processes.

Step 10:  Secure Existing Data

Go back through all of your collected data and see if you have any EU persons in your databases. If you do send them an opt in to be safe.   Of course if you have any questions, feel free to contact us at info@creativeit.com or 336.310.0277

Questions about GDPR?

Just Ask

  • This field is for validation purposes and should be left unchanged.

You can read our Fair Processing Notice here
Important! We hate spam as much (or more!) than you and promise to NEVER rent, share, or abuse your e-mail address and contact information in any way.