GDPR and how it impacts US based businesses

GDPR (General Data Protection Regulation) goes into effect on 5/25/2018. Many businesses here in the states will be impacted by this new regulation. If you deal with clients in the EU, or you have a website that is available in the EU, you must follow the GDPR. We have put together this page to give you 10 steps to get started and become familiar with GDPR. Note: Organizations can be fined up to €20 Million or 4% of annual global turnover for breaching GDPR. PLEASE NOTE: This is not legal advice, we are not lawyers, this is our interpretation of the regulations, please consult an attorney. To begin, GDPR is the set of regulations around how you can collect, use, secure, and explain your collection of personal data.
Step 1: Understand What is Personal Information

Personal information or Personally Identifiable Information (PII) is any piece or combination of pieces of information that can be used to identify an individual. This may include first name, last name, phone number, email address, physical address, or an IP address when paired with another piece of PII.
Step 2: Perform a Risk Assessment

Perform an assessment to understand what PII you currently collect, how you collect it, how you use it, and why you collect it. This will be important to better understand how to perform the next steps.
Step 3: Write a Fair Processing Notice

A Fair Processing Notice is a document you write in plain English (without legal jargon) to explain the following:
- What you are going to collect
- Why you are collecting it
- Who is collecting it
- How it is collected
- How it will be used
- Who it will be shared with
Step 4: Secure and Organize the Data

Determine how you are going to secure and organize this data. Who will have access to it? How will they get access to it? How are you going to protect the data from unauthorized access? This is important because any person can request their information at any time, and you must be able to deliver it within 1 month of the request. Any person can also request that their information be completely deleted at any time. Having your data organized will make sure you can comply with these requests.
Step 5: Create an Opt In for any Data Collection

Any time you are collecting data (for those of us in the US this will apply mostly to our websites) you must have an opt in. This opt in can be a checkbox on a form, but it cannot be pre-checked.
Step 6: Create a Layered Opt In

Whenever someone opts in they must have access to your Fair Processing Notice. This can either be included with the opt in, or it can be a link to the Fair Processing Notice next to the opt in.
Step 7: Create an Opt Out

You must have a way for someone to opt out. If this is an email message, they must be able to opt out/unsubscribe. If you are using an email system like MailChimp, most already include this. If you send text messages or use a phone service, you must have an option for an opt out. If you are sending direct mail to EU residents, you must have a clearly spelled out way for someone to opt out.
Step 8: Inform your Employees

Make sure everyone in your organization knows about your new processes, so that if someone requests to be removed your employees can advise them properly.
Step 9: Designate a Data Protection Officer

Designate someone in your organization to be the point person for GDPR. This way they can be the go-to for any questions about your processes.
Step 10: Secure Existing Data

Go back through all of your collected data and see if you have any EU persons in your databases. If you do, send them an opt in to be safe. Of course, if you have any questions, feel free to contact us at firstname.lastname@example.org or 336.310.0277.