Do United States (U.S.) based websites need to be GDPR Compliant?
The short answer is YES. Owning, managing and running a website in the United States does not make you exempt to the General Data Protection Regulation (GDPR) being enforced in the European Union (EU) starting May 25th 2018. As of that date, anyone doing business with or collecting data from any EU citizen MUST be in compliance with the GDPR. If there is one thing that people know about the GDPR it’s that fines (administrative fines) can go up to €20 million or 4 percent of annual global (note global!) turnover, whichever of both is highest. At the time of this article being written (04-23-2018) €20 million = $24472160.00 USD. At present there are 28 countries in the EU
Understanding as a U.S. based site owner what your responsibilities in regards to EU citizens data are is critical. As you can see above the fines can be astronomical and could bankrupt a small company. I’m sure you are wondering what your responsabilities are and how to become compliant. There is no blanket formula but there are certain general areas that need to be addressed. Below I will list a few key points concerning the GDPR.
Info below from business.com
- GDPR stresses consent above all else. In fact, that’s really the entire point. While obtaining data, consent needs to be explicit, crystal clear and corroborative. According to Article 4 of GDPR, consent is defined as: “Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”In addition, while dealing with data of children under 16, parental consent is necessary. Moreover, citizens of the EU can have their personal data erased if the company doesn’t require it for the initial purpose of collection anymore.
- Cookie Usage
- Notification of data breach
- If a data breach occurs, the supervisory authority needs to be informed within 72 hours of the happening. If the privacy of any EU citizens is at risk, they need to be notified as well. Starting this May, you’ll need to be vigilant and acutely aware of any actual or potential data breaches that may impact customers or individuals located in the EU.
- Right to be forgotten
- Pursuant to Article 17 of GDPR, every individual reserves the right to ask for the deletion of their personal data in situations when the data is no longer required: ” … in relation to the purposes for which it was initially collected or otherwise processed.”With this in mind, be prepared for any customers you might have in the EU to request that you remove any information you have stored pertaining to them. “
GDPR can be your competitive edge
Customers and clients love to feel companies they are doing business with really care. One of the biggest concerns people have online today is their information privacy. That’s where the EU have built from the ground up the (General Data Protection RegulationGDPR)Everyone collects data on us today from huge companies like Google, Facebook, and Amazon to small the small Mom and Pop online stores. Who has your data and what they do with it is always on our minds. It’s used everywhere from keeping us logged into a site to marketing our everyday products to us.
Being compliant not only protects us when EU citizens and businesses access our sites, but also can give us that competitive edge. People are much more at ease with transparency. It lets the individual or business accessing your site know you genuinely care about their privacy. Contact us, we can help you become compliant. There is no one shoe fits all solution to this undertaking. Every business and website has unique issues to overcome but there are a few basic elements as described above. These are the issues we will address to get started with becoming compliant.
Please log in and leave a comment.