4 Changes You Need to Make Now to Comply With the EU's Tough New Data Law
Non-compliance can lead to hefty fines whether your company is based in the European Union or not.
Opinions expressed by Entrepreneur contributors are their own.
You have probably heard about the European Union's (EU) General Data Protection Regulation (GDPR) Rules. Even if your company isn't based in the EU, these regulations will apply to you if you collect any information from people located in the EU.
If you are collecting information about your website visitors through a form, or even through cookies, you will need to adhere to these regulations, which go into effect on May 25, 2018. Non-compliance can subject you to fines of at least 20 million euros.
What exactly does GDPR entail, and exactly how do you stay compliant?
Related: Facebook's Data Scandal and Europe's New Data Privacy Rule Have Massive Implications for U.S. Entrepreneurs
This is a question nearly every business is asking right now. In this article, I will mention the key actions that we have been recommending to our clients as a content marketing agency. However, I am not a lawyer or a data privacy expert, and my input should be viewed as marketing recommendations only and not legal advice.
1. Opt-in forms.
GDPR regulations begin to apply the moment you collect any data from your visitors through a form -- whether it's to make a purchase or just download a whitepaper.
The two key principles to follow are consent and transparency. You need explicit consent for collecting data. When someone makes a purchase from your website or even downloads an ebook, you can't just add them to your email list and send them newsletters or promotional emails without explicit consent. If you keep a checkbox asking them for permission, make sure that it's not checked by default. That amounts to GDPR violation.
You must also explain exactly why you are collecting each piece of information, such as a phone number or an address, and how you will use that data. That's why it's a good idea to ask for as few data fields as possible. Avoid asking for phone numbers, addresses and other personal information, unless you absolutely need to.
Hubspot, Mailchimp, Elegant Themes and most lead generation and website tool companies are all rolling out features that help you to stay GDPR compliant, so implementing this will not be difficult.
Related: Facebook's Answer to E.U. Privacy Law: Accept Data Collection and Ads, or Don't Use Facebook
- A detailed explanation of who you are and specifically name who else will have access to the data -- such as your partner companies.
- What you will use the data for and how long you will store it.
- How people can download full records of any data you have on them as well as how they can delete all their data from your database if they wish, in line with the EU's "right to be forgotten."
- How you will inform users in case there is a breach of data. GDPR mandates that any breach must be disclosed within 72 hours.
You will need a checkbox or a radio button that allows people to choose if they want to be tracked though cookies or not. What's more, even if they accept, they can change their minds and ask for their data to be deleted.
4. Data protection officer.
Implementing GDPR and remaining compliant can be challenging, especially if you collect, process and transfer large volumes of complex personal data. GDPR actually mandates that some companies would have to hire a Data Protection Officer who would oversee the entire process. This role would involve several tasks such as ensuring that the organization remains in compliance of GDPR and cooperating with the supervisory authority when necessary.
A study by The International Association of Privacy Professionals (IAPP) estimates that 75,000 DPO positions will have to be created across the globe for companies to stay GDPR-compliant.
Related: This is How Ecommerce Companies Can Protect Customer Data
There are typically two reactions to GDPR. People think it's cumbersome and say it will take away the power of marketers to acquire more leads. Both are true to a certain extent, but if you can't generate more revenue by using retargeting through cookies, your competitors can't either. Moreover, marketers are already innovating with approaches such as using macro data to create more relevant advertising, so no -- this is certainly not the death of marketing as we know it.
Despite the seeming cumbersomeness, it's important to remember that GDPR will lead to the creation of a more secure internet where the privacy of individuals is protected, including your own. That's an excellent reason to support it.