The GDPR, Small Business Websites in the US, and the Internet

Whether you're a small business owner in the U.S., a European customer wondering how far your data protection reaches, or (like me) just someone curious how an EU regulation affects businesses in the States, it's important to know about the GDPR. This regulation, full name the General Data Protection Regulation, took effect last week and caused some chaos: several U.S. news sites chose to block European visitors rather than comply, making themselves unavailable in Europe. Expect more of that in the future, along with enforcement actions and fines. So, let's see how it works, and how it could affect any US business that touches EU personal data.

What Exactly is the GDPR?

The GDPR started in 2012, when the European Commission proposed a single data protection law to replace the patchwork of national rules across the member states. It was adopted in 2016 and became enforceable on May 25, 2018. In some ways, its requirements resemble the data breach notification laws now on the books in every US state, and some go further, closer to the more stringent Massachusetts data security regulation (201 CMR 17.00). Here's a brief outline of what the GDPR does:

  • Breach Liability and Reporting: A breach of personal data must be reported to the supervisory authority within 72 hours of discovery, and to the affected individuals when the risk to them is high. Processors must notify the controller they work for, and both controllers and processors, including third parties in the chain, can be held liable for the damage a breach causes.
  • Personal Deletion and Portability: Individuals have the right to have their personal data erased when it is no longer needed for the purpose it was collected, when they withdraw consent, or when it was processed unlawfully (there are exceptions, such as legal retention obligations). They also have the right to receive their data in a machine-readable format and to have it transferred to another service on request.
  • Data Protection Officer: Shortened to DPO, this officer is mandatory for public authorities and for any company whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data (health, biometric, criminal-record data and the like), whether about employees or people outside the company.
  • Parental Consent: Lastly, when a child uses an online service on the basis of consent, a parent or guardian must give that consent. The GDPR sets the age threshold at 16, but member states may lower it to as young as 13, so it varies by country.

What the GDPR Defines as Personal Data

The terms "personal data" and "private data" get thrown around a lot in cybersecurity. After all, beyond corporate data and intellectual property, it's often users' data that is most useful to would-be attackers. The EU's GDPR FAQ helpfully covers the regulation's own definition, and it's pretty broad:

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.

In other words, pretty much any information that can identify a person counts, including simple things like a name and address, let alone email, phone number, payment card details, or national identification numbers (the European equivalent of SSNs). It also covers indirect identifiers such as IP addresses, cookie IDs and location data. If you collect any of this about people in the EU, the GDPR applies to you.

How This Affects Small Businesses

The short answer is the internet. It has become an integral part of the world and brings people from across it together, which means a US business can easily end up holding EU residents' personal data. The GDPR applies to businesses outside the EU when they offer goods or services to people in the EU or monitor their behavior. So if you ship to Europe, price in euros, or run a site that Europeans can order from, you are storing European personal data from the forms or payments they fill out, and every part of the GDPR applies to you. Simply being reachable from Europe isn't enough on its own, but running analytics or ad tracking on EU visitors counts as monitoring. In fact, many websites and apps that even have the chance of gaining EU users are getting themselves in line for the GDPR.

The Types of GDPR Fines and More

And if you don't get in line with the regulations? Beyond the self-imposed blackout we've seen from those news organizations, companies found to be non-compliant can face stiff fines: up to €20M or 4% of total global annual revenue, whichever is higher, for the most serious infringements, and up to €10M or 2% for lesser ones. And that doesn't include being shunned by third parties, vendors and insurers who don't want to share liability with a non-compliant partner.

How Do I Become GDPR Compliant?

Now, that's a topic for another blog post. In short, it's about getting valid consent, honoring users' rights over their data, and securing that data properly. There are a ton of resources online to get started. I recommend this CIO article, Becoming GDPR compliant quickly, effectively and risk-free, as a good place to start. The GDPR is why you've been seeing notices about an updated privacy policy from pretty much every app and service you use: most of them have European users too. If you're in the same boat, it might be time to get help.

I work for Vision Advertising, and while we're mostly concerned with businesses located here in Massachusetts, we also understand that "here" isn't just the Bay State online. It's important for every business with an online presence to understand the GDPR and take steps according to the type of data they collect and where their clients are. If you're looking not only to get your compliance up to snuff, but also to take your website, social media, and more to the next level, contact us.


About the author : Alex Geyer

Alex wears many hats, and not just because he’s bald. A writer by his background, Alex writes “social media content” for Vision – anything from social media statuses to blogs to whitepapers and beyond. In addition, he builds and maintains all search engine advertising for Vision’s clients, along with social media advertising for others. In his free time, he starts and stops writing novels, compiles tabletop roleplaying system conversions, and cooks a mean Chicken and Dumplings avec Peas. A videogame enthusiast, he is also developing his first video game with the startup game studio, Pretty Weird. He is terrible with plants*.
