There is a new European law that recently went into effect, requiring all businesses that conduct operations in the EU or have contact with EU citizens to safeguard and protect their personal identifying information.
This law is called the General Data Protection Regulation, or GDPR. Violations of this law come with stiff penalties, and the law and its consequences for non-compliance warrant careful study and action on the part of American and other non-EU companies.
You may think that because it is an EU law, a business with no EU customers or clientele would be exempt.
The way the law is written seemingly provides an air-tight case for governments or private persons to raise data concerns and seek damages from any business, anywhere on the globe, so long as the person has submitted information and resides in the EU.
I don’t know if you noticed, but this GDPR situation is somewhat of a mess. Right now it is making huge waves in most industries, as larger global organizations struggle to comply.
Smaller businesses are likewise struggling even to understand and implement the changes needed to protect against high fines and bad headlines.
There are several things a small business can do to comply with the law and offer itself a minimum level of protection against violations.
The problem is interpretation and knowing how best to apply these
“I am not a lawyer or constitutional scholar by any stretch but am certain that GDPR will be heard by the US Supreme Court as it seemingly violates the 14th Amendment.
I may even go so far as to say the SCOTUS will hear the argument in the next 12 months when (not if) the EU fines a US business.
It is also worth noting: the first time a business gets sued for GDPR violations, other companies will be making a dash to pay consultants to get them compliant. In some respects, this is already happening, globally.
Like it or not, GDPR may be wholly applicable to US-based businesses simply because of existing legal agreements between nations.”
The Right To Be Forgotten
When a consumer fills out a form, makes a purchase, or has contact with a business, their personal information is captured and maintained. Generally, this info is stored, often indefinitely, and may be used for other marketing efforts.
The GDPR provides for the right of the consumer to be removed from, or forgotten by, the business’ data record.
This means the business must have a plan in place to delete the customer’s information. The method could be automated or triggered by a manual request (such as via a support ticket or email).
Administration of Consumer Information
The business must have a solution in place (either via software or via manual request) to administer the information it retains on its customers and contacts. This includes requests to alter, change, or delete data held in confidence from purchases or interactions with the business.
Such administration is typical of many marketing communication and member systems.
You must also ensure that each administrative action is tagged and a record is kept of the actions taken. A help desk application could be used to provide both administration and record keeping.
Management of Consent
Using the example of an email opt-in list, a customer’s request to receive information must be provable, and revocation possible without condition.
If you are using a list provider that records the date, time, and IP address of the user who requests to opt in, and allows you to manage the record, you are covered.
Of course, customers need a mechanism to control their consent, and in this example an unsubscribe or opt-out link in an email satisfies this requirement.
Likewise, consent and other policies can be handled and disclosed in the Terms of Service, Privacy, and Data Usage Policies posted on the business’s website.
Support for Audit & Investigation
Give the business the ability to quickly track down when a request was made, and what steps were taken to change or remove information when such actions are requested by the customer.
This can be as simple as a log book used to document requests.
Again, the easiest way for a small business to handle this would be to have a support desk that funnels all information change and deletion requests. Such requests are tagged and noted, so that, should a lookup be needed in the future, that information is safely stored for recall.
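The three requirements above (the right to be forgotten, provable and revocable consent, and a tagged audit trail of every request) are stated as obligations rather than as a mechanism. The following is an added example, not code from the original post, showing how a small business's own system could satisfy all three in one place. It assumes an in-memory store (a real deployment would use a database), that the audit log is keyed by an HMAC pseudonym of the e-mail address so the log of what was done survives erasure without itself holding the deleted data (a design choice of this example, not something the post prescribes), and that the HMAC key is stored separately from the log. All names, addresses and ticket ids are constructed.

```python
"""Added example: consent ledger with erasure and a pseudonymised audit trail."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """Personal data held about a subject; deleted outright on an erasure request."""
    email: str
    purpose: str                   # e.g. "newsletter"
    ip: str                        # IP captured at opt-in, as list providers record it
    granted_at: datetime
    revoked_at: Optional[datetime] = None


@dataclass(frozen=True)
class AuditEntry:
    """One logged action. Holds a keyed pseudonym of the subject, never the e-mail."""
    at: datetime
    subject_ref: str               # HMAC-SHA256 of the normalised e-mail, truncated
    action: str                    # "consent", "revoke" or "erase"
    tag: str                       # origin of the request: form name, ticket id, ...


class ConsentLedger:
    def __init__(self, audit_key: Optional[bytes] = None) -> None:
        # Assumption: this key lives outside the audit log (e.g. a secrets store).
        self._audit_key = audit_key or secrets.token_bytes(32)
        self._consents: Dict[str, List[ConsentRecord]] = {}
        self._audit: List[AuditEntry] = []

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def _ref(self, email: str) -> str:
        mac = hmac.new(self._audit_key, self._norm(email).encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    @staticmethod
    def _stamp(when: Optional[datetime]) -> datetime:
        return when or datetime.now(timezone.utc)

    def _log(self, email: str, action: str, tag: str, when: datetime) -> None:
        self._audit.append(AuditEntry(when, self._ref(email), action, tag))

    def record_consent(self, email: str, purpose: str, ip: str,
                       tag: str = "web-form", when: Optional[datetime] = None) -> ConsentRecord:
        """Store provable consent: who, for what, when, and from which IP."""
        when = self._stamp(when)
        rec = ConsentRecord(self._norm(email), purpose, ip, when)
        self._consents.setdefault(self._norm(email), []).append(rec)
        self._log(email, "consent", tag, when)
        return rec

    def revoke_consent(self, email: str, purpose: str,
                       tag: str = "unsubscribe-link", when: Optional[datetime] = None) -> int:
        """Revoke without condition; returns how many active consents were closed."""
        when = self._stamp(when)
        closed = 0
        for rec in self._consents.get(self._norm(email), []):
            if rec.purpose == purpose and rec.revoked_at is None:
                rec.revoked_at = when
                closed += 1
        self._log(email, "revoke", tag, when)
        return closed

    def has_consent(self, email: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.revoked_at is None
                   for r in self._consents.get(self._norm(email), []))

    def erase(self, email: str, tag: str, when: Optional[datetime] = None) -> bool:
        """Right to be forgotten: drop every record held; the request itself stays logged."""
        when = self._stamp(when)
        removed = self._consents.pop(self._norm(email), None) is not None
        self._log(email, "erase", tag, when)
        return removed

    def holds_personal_data(self, email: str) -> bool:
        return self._norm(email) in self._consents

    def audit_trail(self, email: str) -> List[AuditEntry]:
        """Investigation support: what was done for a subject, found via the pseudonym only."""
        ref = self._ref(email)
        return [e for e in self._audit if e.subject_ref == ref]


if __name__ == "__main__":
    # Constructed sample: one subscriber opts in, opts out, then asks to be forgotten.
    ledger = ConsentLedger(audit_key=b"constructed-demo-key")
    ledger.record_consent("Alice@Example.com", "newsletter", "203.0.113.7", tag="signup-form")
    ledger.revoke_consent("alice@example.com", "newsletter")
    ledger.erase("alice@example.com", tag="ticket-1042")
    for entry in ledger.audit_trail("alice@example.com"):
        print(entry.at.isoformat(), entry.subject_ref, entry.action, entry.tag)
```

After `erase`, `holds_personal_data` is false and the consent records are gone, but `audit_trail` still returns the consent, revoke and erase entries with their tags, which is exactly what a later look-up needs. Because the log only ever held the keyed pseudonym, erasing the subject does not require rewriting the log, and anyone who obtains the log without the key cannot read e-mail addresses out of it.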