The rules of the GDPR apply to data belonging to EU residents, and how a business can capture, retain, and delete that user information. (Americans living in the EU for three months or longer qualify as residents.) So even if your company is US-based, if you actively market to, or expect to collect data from, anyone residing in the EU, you need to become compliant. If it is clear that your company’s goods or services are only available to consumers in the United States (or another country outside the EU), GDPR may not apply.
GDPR asserts that an individual has basic rights regarding their personal data and that a company must support those rights in order to be GDPR-compliant. The main rights for individuals under the GDPR are listed below.
- Access their data to see what has been collected
- Have inaccuracies corrected
- Have information erased
- Prevent direct marketing (opt in or out)
Recommended Action Items for US Businesses
For a big company that collects a large amount of sensitive information (e.g., banks), setting up these systems and becoming compliant could be an enormous undertaking. For most companies that collect basic data (user behavior on a website via cookies), this will not be as onerous, but it still requires some effort.
While Mambo cannot provide legally bulletproof advice that is appropriate for all possible situations, there are a few steps that we recommend organizations follow in order to protect their business and start toward GDPR compliance.
- Consult a lawyer: As with any regulatory or legal issues such as this, we recommend consulting an attorney specializing in such matters to ensure you are compliant with how you store and use data.
- Document your process for moving to compliance: Make a plan and track your progress on what your company is doing to become compliant with the GDPR regulations.
- Assign a Data Officer: This individual will process requests for data access, deletion, and correction. They could be an existing employee.
- Examine all your data collection and storage systems to establish methods for accessing, modifying, and deleting data: This may be complicated if you use third-party tools such as HubSpot, Marketo, or MailChimp. Test these methods to ensure they work before a user makes a request.
- An email address clearly listed to contact for data access, changes, and deletion (this would be the contact of your appointed Data Officer).
- A description of how user data is collected and stored and for what purpose.
- Information about which third-party sites are being utilized to track user data.
- Uncheck consent boxes on all online forms: All consent to data collection must be opt-in, so default inaction (like a pre-checked consent box) does NOT qualify as active consent under GDPR. This applies to all active forms. The recommended best practice is to make the checkbox REQUIRED to submit so that your company is still able to market to individuals filling out your forms.
- Cookie tracking: If your website is using cookies to track user activity, add a pop-up requiring active acknowledgement from users that cookies are being used.
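The two items above (opt-in consent boxes and an explicit cookie acknowledgement) are the pieces of this list that a web developer actually implements. The following is an added example, not code from Mambo or from any of the tools named on this page; it assumes a first-party cookie named cookie_consent and a form field named marketing_consent, both hypothetical names chosen for the example. It shows the server-side logic that keeps tracking off until the visitor has explicitly accepted, keeps the banner visible until a choice has been made either way, renders the consent checkbox unchecked and required, and rejects a form submission whose consent field is absent (which is what the browser sends when a box was never ticked).

```javascript
// Added example (not Mambo's code). Hypothetical names: the consent cookie
// "cookie_consent" and the form field "marketing_consent".
const CONSENT_COOKIE = 'cookie_consent';

// Parse a raw Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Consent state derived from the request. Anything other than an explicit
// "accepted" or "rejected" value (missing cookie, tampered value) is "unknown",
// which the rest of the code treats exactly like "no consent".
function consentState(cookieHeader) {
  const v = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (v === 'accepted') return 'accepted';
  if (v === 'rejected') return 'rejected';
  return 'unknown';
}

// Analytics cookies and third-party tags may be emitted only after explicit acceptance.
function mayLoadTracking(cookieHeader) {
  return consentState(cookieHeader) === 'accepted';
}

// The pop-up stays until the visitor has made a choice either way; a rejection is
// remembered so the visitor is not nagged on every page.
function shouldShowBanner(cookieHeader) {
  return consentState(cookieHeader) === 'unknown';
}

// Set-Cookie header value that records the visitor's choice (constructed format:
// first-party, HTTPS only, half-year lifetime).
function consentSetCookie(choice, maxAgeDays = 180) {
  if (choice !== 'accepted' && choice !== 'rejected') {
    throw new Error('invalid consent choice');
  }
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Markup for the opt-in box: no "checked" attribute (unchecked by default) and
// "required", so the form cannot be submitted without an active tick.
function renderConsentCheckbox() {
  return '<label><input type="checkbox" name="marketing_consent" value="yes" required> ' +
         'I agree to receive marketing emails from this company.</label>';
}

// Server-side validation of a submitted marketing form. A browser omits an
// unticked checkbox from the submitted fields entirely, so a missing field means
// no consent; only the affirmative value set in the markup counts.
function validateMarketingForm(fields) {
  const errors = [];
  if (!fields.email || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(fields.email)) {
    errors.push('email');
  }
  if (fields.marketing_consent !== 'yes') {
    errors.push('marketing_consent');
  }
  return { ok: errors.length === 0, errors };
}
```

The page-rendering code would call mayLoadTracking on every request and only include the analytics snippet or third-party tag when it returns true; shouldShowBanner decides whether the pop-up is injected. Because the cookie value is checked against an allow-list rather than truthiness, a missing or manipulated cookie cannot accidentally switch tracking on.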
From our research, the recurrent themes of this regulation are consent and transparency when it comes to personal user data. In this new age where internet users demand more control over their data, Americans should expect to see similar regulations come to the US at some point. So taking steps now to comply with GDPR will ultimately set your company up for less work in the future when similar laws directly affect how you conduct your business on the digital landscape.
Please Note: The information above is accurate to the best of Mambo’s knowledge but should not be considered exhaustive or complete. This article is not legal advice to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. We insist that you consult an attorney about your company’s specific obligations under GDPR or any other applicable regulation.
Below are links for useful additional GDPR information as compliance may require action across multiple channels. Each source is entirely responsible for the completeness and accuracy of the information they provide.
- General Information: https://moz.com/blog/gdpr-and-online-marketing
- General Information: https://www.business2community.com/marketing/the-gdpr-is-coming-heres-how-it-will-affect-your-adwords-account-02062832
- General Information: https://www.hubspot.com/data-privacy/gdpr
- HubSpot Checklist: https://www.hubspot.com/data-privacy/gdpr-checklist