If your business operates a website or potentially collects, transmits, or stores the personal data of European Union (EU) residents, you need to know about the General Data Protection Regulation (GDPR). GDPR is a privacy regulation for the EU and European Economic Area specifically designed to ensure EU residents have greater control over and protection of their personal data. It applies to every company selling to and storing personal information about EU residents, including companies located outside of the EU.

How Does the GDPR Affect Your Business?

Non-EU businesses are subject to the GDPR if they collect any personal data from an EU resident, regardless of whether they are actively seeking EU customers. If your website collects any information connected to an identifiable person residing in the EU — including but not limited to names, birthdays, IP addresses, or other personal data — you are required to comply with GDPR.

Building a GDPR-Compliant Privacy Policy

In general, a privacy policy is a statement that explains the types of personal information a business gathers from its website visitors, how it uses this information, and how it protects it. The law permits you to gather and store personal data as long as there is a legitimate business reason or the user provides consent.

GDPR compliance requires specific communication with users beginning with:

  • Collecting consent to receive emails from you
  • Providing updated privacy policies
  • Establishing terms of service

You should send a transparent message to your users detailing how your company will use their personal data. To comply, you must be aware of what information you are collecting on your website and limit its use to only what is necessary for business purposes.

To receive email marketing content from you, users must explicitly consent. Pre-checked boxes and implied consent do not satisfy GDPR. Implementing an opt-in form allows website users to click a box acknowledging the privacy policy, ensuring compliance with the GDPR.

Do not forget to audit your service providers. Review any agreements you have with third-party service providers who process personal data on your behalf. Ensure your service provider is able to prove they are GDPR compliant. If not, any work the service provider performs related to EU residents’ personal data puts your business at risk. Outsourcing does not exempt you from liability.

Penalties for Failure to Comply with GDPR

Companies that fail to comply with the GDPR face fines of up to 4% of their annual global revenue or 20 million Euros, whichever is greater. Furthermore, negative publicity regarding mishandling of personal privacy is generally bad for a business. One complaint from an EU resident is all it takes to prompt an investigation, and ignorance is not an excuse for failing to be GDPR compliant.

If there is any possibility that your business will be servicing EU residents or if you operate a website that may collect data from an EU resident (note that, in practice, this includes nearly all websites), it is vital that you comply with the GDPR. If you handle a large amount of personal data, an attorney skilled in privacy policy compliance can help you create a GDPR plan of action, develop your privacy policy, and ensure ongoing compliance.

To speak with an attorney knowledgeable in this area, who can guide you through compliance, contact our team at The Myers Law Group today at (949) 284-7878.