
Here’s the most important part: Do you have any customers, or anybody on your mailing list, who is an EU citizen?
NO? Great! Nothing for you to worry about – have a lovely day.
Yes? You’ve got some work to do. Read on!
What the heck is the GDPR?
GDPR stands for General Data Protection Regulation and is the EU’s new law on consumer privacy. If you want to read all the details, you can do that here.
If you’re looking for the CliffsNotes version, here it is in a nutshell: the goal of the GDPR is to strengthen data protection and an individual’s rights around how their personal data is used. The underlying principle is that when you collect personal data, you must clearly define all the different ways that data will be used.
According to the law, personal data is any information that would allow you to identify an individual. The definition is pretty broad, and includes:
- Name
- Physical Address
- Social Security Number
- IP Address
- Behavioral Data
- Financial Information
For small businesses this most likely applies to you in the following ways:
- Marketing emails
- Website cookies (e.g. Google Analytics)
- Pixels (think Facebook’s ad pixel)
- eCommerce fields
Wow, that’s a lot more than you expected, isn’t it?
It may seem overwhelming, but the GDPR is not meant to create hardships. In fact, if your business has fewer than 250 employees, what it’s really asking is for you to be transparent, not sneaky. If you make a good faith effort to be clear about how you are collecting and using data, the belief is that regulators will work with you should any issues arise.
What steps should you take?
- Take some time to think about what kind of information you collect and how you use it.
- If you are collecting data you don’t really need, then update your forms to skip it. Example: do you really need a phone number or the name of the company someone works for?
- Write out the different ways you may use someone’s data. Be specific.
- Update documents like your privacy policy to be transparent about the way you use data.
- Take advantage of the resources your service providers offer to help you be GDPR compliant (such as MailChimp or Google Analytics).
- Notify your customers and ask them to update their consent.
- Stay within the boundaries you have set. You cannot tell people you are collecting their email addresses to send them news about your company, and then decide to sell your list. If you plan to sell access to your list, you must be clear about that.
Any penalties?
Sure are. Fines for non-compliance with the GDPR can be as high as 20 million euros or 4% of your annual revenue, whichever is higher.
This law went into effect on May 25, 2018 and there is no grace period. So if you market to the EU, it’s time to get things squared away.
Need help? Give us a shout.
*We want to note that we’ve pulled information from what we believe are credible sources; however, no one on the Social Light team is a lawyer. If you actively sell to EU citizens, we’d recommend checking with a lawyer who can give you true legal advice on how to be compliant.