Define GDPR For US Business Owners

Because consumer protection laws have come under scrutiny, you are likely seeing new Privacy Policy emails from proactive companies wishing to get out in front of it. And while the new European Union (i.e. EU) ‘General Data Protection Regulation’ (i.e. GDPR) laws do NOT apply to domestic sales, similar laws are likely to follow suit here in the US. If a US-based business does, however, sell to individuals in the EU, it can be held accountable! So we felt it would be useful to share information on the EU’s new laws in order to better support what’s coming.

I. What exactly is the GDPR?

The GDPR is a new set of laws concerned with the handling of EU residents’ personal data. Effective May 25, 2018, the laws give EU residents more control over their personal data and how businesses can use it. The laws require utter transparency about what’s collected, who it is shared with and what tracking technologies, if any, are used to follow citizens on the Internet. For US businesses that sell to EU residents, the laws apply – regardless. Fines for non-compliance are substantial and can be levied on businesses in and outside the EU.

II. What New Privacy Rights Does the GDPR Give EU Residents?

The new laws require a business to inform customers about what information is collected or shared. It also establishes ‘the rules of consent’ required before a business can collect any data. It means businesses will be asking for consent and detailing any use of that personal data in their privacy policies.

It also dictates new rights such as ‘Right of Access’, ‘Right to Rectification’ and ‘Right to Erasure’. EU residents can now:

* Demand a copy of any data collected;
* Demand any errors in any such data be corrected AND
* Request removal of any personal data.

The GDPR also gives EU residents ‘a right to know’ if their personal data has ever been compromised. Now, a business must notify them within a defined time if personal data is stolen or breached.

III. What is Personal Data?

Personal Data is anything that can identify an individual, either on its own or when combined with other data. Examples include:

  • Name
  • Address
  • Phone number
  • Any credit card digits
  • Shipping/tracking numbers (unique to an order, and therefore to a person)
  • IP address

IV. Why Should a Business Place Someone in Charge of Customer Data?

A ‘Data Protection Officer’ (i.e. DPO), the person who according to GDPR must stay on top of compliance, is going to become a formal required business role. Someone must be designated to own data protection strategy and compliance. This person must:

* Decide how customers can make privacy-specific requests, maybe via a website contact form or to a special email address (e.g.,;
* Update a privacy policy on how it will use and store data, and why;
* Consider whether or not to collect less personal data;
* Determine how long the business retains data, possibly based upon state/federal tax requirements;
* Decide how data is to be backed up or destroyed;
* Prepare procedures for responding to the ‘right to erasure’ or ‘right to access’ requests;
* Prepare for how to communicate a data security breach;
* Keep up to date on current and future changes to privacy laws that affect the business AND
* Figure out how this is all communicated in an easily understood Privacy Policy.

V. What Should a Modern Privacy Policy Disclose?

Privacy Policies should include:

1. What data the business collects on its customers/clients;
2. Whether it uses cookies or applications to follow or track them specifically;
3. Whether any of the data is shared;
4. If so, with whom and for what reason;
5. How long data is kept AND
6. How a person can update or delete collected data.

Often the sharing of an individual’s data is obvious, like a personal address necessary to ship a product or to support an email on its status. If it is for anything other than fulfilling an order, a good Privacy Policy should explain why and also how to opt out. Other examples include a) payment gateways in order to process payment; b) shipping providers in order to calculate shipping rates and shipping labels; c) marketing or analytics apps that add customers to lists in order to analyze behavior. There are fair business practices for retaining records, for instance a disputed customer charge. Others include tax audits or any legal concerns. And while the GDPR offers the “right to erasure”, a business is NOT required to erase data needed in these areas. There are also instances of contractual necessity like what’s required to fulfill a contract (e.g. an order), for legal reasons (e.g., a VAT Tax ID) or for legitimate communication like follow-up email.

VI. What Are ‘Right of Access’ requests?

When collecting data from an EU resident, a business can expect to receive a “Right of Access” request. The GDPR states customers have a right to any data that has been collected, so it is prudent to develop a standard process for responding to and then delivering upon these requests. To start, a business must confirm a person’s identity so that data is never sent to anyone else! How the data is gathered and then shared is a DPO/business challenge. When shared, the request should be marked as “Completed.” If multiple requests come from the same individual, GDPR law states a business can assess a fee. These terms are all elements of a good Privacy Policy.

VII. How About Erasure Requests?

As with ‘Right to Access’, a business should expect to receive “Right to Erasure” requests. But as a business owner there is a need to keep some data, at least to comply with any contractual obligations and to protect the business, for instance tracking IDs or info needed to deal with a shipping dispute. Know what personal customer data is needed, and include it in the privacy policy! Know how long inactive accounts, pending, failed or cancelled orders and completed orders are preserved. At least in the US, know for what length of time a person can exercise a credit chargeback, in case a chargeback is unfair to the business. And as with the above, confirm a person’s identity so that data is never sent to anyone else!

VIII. What Of Security Breaches?

To raise the bar, the GDPR introduced rules governing what a merchant must do when an EU resident’s data is exposed in a breach. One of the continuing responsibilities of the designated DPO is to ensure a business website is as secure as possible, which includes:

  • ensuring the site and its applications are managed/updated to the most current security standards;
  • ensuring unnecessary applications are deactivated and removed;
  • backing up website and account data, including exporting the data to secure storage in order to minimize exposure in the event of a breach;
  • requiring unique passwords on all accounts, regardless of the inconvenience;
  • never allowing shared accounts AND
  • removing employee accounts immediately WHEN they leave.

What also specifically changed with the GDPR is that when security is breached there are ‘communication requirements’ to impacted users as well as to law enforcement. These notifications come first, followed by a public announcement.

In Summary, GDPR For US Business Owners

Privacy isn’t going to be a one-time effort for business anymore. The GDPR is just the latest set of laws designed to shift power back into the hands of people AND the USA will undoubtedly follow suit in the near future. Getting familiar with these laws, which ones apply, how they apply and how they are dealt with is going to be an ongoing responsibility!