GO Digital WSI

How GDPR Impacts American Businesses

The biggest news in digital marketing over the last three months isn’t related to yet another change on Google Search. Nor is it a new social media platform or new strategies to boost conversions through email marketing. Instead, it’s the EU’s new General Data Protection Regulation (GDPR), a set of new rules that drastically change how businesses serving EU customers can use and store personal data.

GDPR Compliance Avoidance

Many American businesses have overlooked the GDPR, assuming that because they aren’t working in the EU, the GDPR doesn’t apply to them. But this is a dangerous assumption. In reality, the GDPR impacts any American company serving any of the EU’s 28 states, even if they’re based in the United States. We’ll explain how you’re affected in the next three sections.

Collecting Personal Data for EU Residents

This is the most basic reason American businesses might need to adhere to the GDPR. If analytics show that EU residents use your website, for any reason, you must be sure that you are adhering to GDPR regulations when you collect, store, or serve their data. While an international lawsuit is unlikely, it is possible to be sued by overseas entities if you mishandle that information.

What is Personal Data?

What exactly is “personal data”? From an American perspective, anything considered personally identifiable information (PII) falls into this category. This includes name, address, telephone number, credit card information, and/or specifics like an SSN (mostly used in the banking industry) or a personal ID number.

How to Become Compliant

Before you collect any of this information, you must gain consent from the individual accessing your website from the EU. This includes EU residents and anyone accessing your site while visiting the EU. The GDPR requires that this consent be “freely given, specific, informed, and unambiguous.”

For most American businesses, this will mean editing marketing forms, order forms, and back-end collection methods to be sure consent is gained. But the GDPR also specifies that EU-oriented users must be able to control their data at will, meaning you may also need to build features for handling deletion requests.

Expiring Stored Data

If you are storing data – including simple demographics – you still have work to do. The GDPR requires that most companies delete such data at least once every 90 days; some applications must delete data even more often. This keeps users safe by ensuring data doesn’t languish on business hard drives for years, increasing the risk of a breach or malicious use. Be sure to check this GDPR handbook if you need guidance specific to your industry.

Need help identifying how you can become GDPR compliant? Call Go Digital WSI now for one-on-one assistance.