The General Data Protection Regulations (GDPR) is legislation enacted by the European Union. And because of the mere location of these new regulations, it seems it might be an easy thing for businesses based elsewhere to dismiss it -- especially if they know that none of their customer base is within that area. However, we would urge you to reconsider that fact, as you are likely impacted even if you only do businesses within the US and Canada.
Rather listen to this content? Check out our video podcast below!
First Things First: What is GDPR?
The GDPR is a legal framework that the EU established to provide more protection for the citizens of its 28 member countries and states. It establishes guidelines that govern how businesses can collect and process their customers' personal information. In addition, the GDPR also set requirements for data management and the protection of individuals. These regulations aren't just on paper either. Companies that breach them can be slapped with heavy fines that equal up to 4% of their global revenue. (Yikes!)
Implications of GDPR
The GDPR rules went into effect on May 25, 2018. It is unarguably the most expansive change that privacy rules have seen in decades. In spite of a fair amount of media coverage regarding its impending implementation, it's estimated that about half of companies in the United States prepared for GDPR. What's even worse is that by not preparing, these companies could be setting themselves up for disruptions in their customer relations, those significant fines, and more.
What's Involved in Complying with GDPR?
As we mentioned, a company that isn't based in one of the EU states might think that they don't need to follow the GDPR, but that assumption would be false. If such a company has even one resident from the European Union on their email list or collected information from them during the check-out process, they are affected by the GDPR.
Not only does the GDPR establish strict guidelines concerning the way businesses collect, store, and manage the customer information they receive, these companies must also be more transparent regarding those practices. Any EU customers can request to access that data and that information must be provided to them within one month. In addition, that data needs to be in a machine-readable format.
The GDPR also states that a business must be granted consent before they can either store or use any customer data. If a company experiences a breach of their data in any form, the people who have been impacted must be notified within 72 hours.
Is Your Company Impacted by GDPR?
Any company that has any data on any citizen of an EU member's country or state is impacted by the GDPR. The possibilities when it comes to this type of data are far-reaching. These can include files related to medical, gaming and fitness apps, for example, messaging platforms, and even unstructured data such as the kind often found in an inbox. The GDPR is so overarching and far-reaching that it spans nearly any information and can affect those companies that might not even know that they need to be compliant.
Why GDPR Compliancy is a Good Idea
If your company clears all the hurdles that GDPR establishes, you might be breathing a sigh of relief. You don't need to change anything in how you are dealing with your customers -- or their data. However, this approach might not be the best one to take when it comes to ensuring the loyalty of your customers and establishing their trust.
Why? Even if GDPR doesn't apply to you, chances are that at least some of your customers are aware of it because of the huge media coverage leading up to its implementation. Given the continuous breaches in data that have littered the news in the past few years, the problem is not likely to go away anytime soon, either. The fact that huge companies with their generous budgets couldn't protect the sensitive and private data they collected from their customers makes it more likely that people will be cautious about sharing such information in the future.
This could also shine an unfavorable light on smaller businesses that lack the deep pockets and well-staffed security departments that nationally and internationally known companies have. There's also the perception that many small businesses have in that their mind that their data is "safer" because they simply don't have access to the volume of information that larger companies have.
Unfortunately, this thought may backfire. Because a small company doesn't have the resources, knowledge or time to properly secure its data, they often make easier targets for data thieves to hack into. In some cases, it can take months for a small company to become aware that such an incident has even occurred.
Should Your Business Become Compliant with GDPR?
I'm sure you know if you've made it this far into this blog, the answer is yes. In today's world where so much information is shared (often haphazardly in many cases) it's crucial to develop trust with your customers. They need to know that their personal and financial information is protected when they visit your site. One of the best ways of doing so is by adhering to the guidelines established by the GDPR. Not only does doing so mean that you are more transparent in how you plan to use the data, you also gather and the methods you've established to protect it, it also sets your business up to expand into the EU and other global markets in the future.
Alerting those people who visit your company's website to the fact that you are compliant with GDPR will go a long way toward establishing the trust that's so important to maintaining smooth relationships. When it comes to choosing between a company that has a lackluster approach to maintaining privacy and security and one that is GDPR compliant, most customers will choose the latter.
