Thursday March 29, 2018

GDPR: What U.S. Small Businesses Need to Know


The amount of data that’s collected about us from the internet is staggering. From the information we explicitly share, like our email address, to the information many people don’t even realize is associated with us, like our IP address, it can be very unsettling to consider all the things organizations know about us.

We've previously talked about ways marketers can keep customer and lead data secure. While our advice still holds true, new regulations are about to make it even more critical that you prioritize data security.

The European Union has developed new regulations that seek to better protect this type of personal data and give citizens more insight — and say — into what organizations know about them and what they do with the data. While these laws are intended to protect EU citizens, businesses in the United States will be impacted by them.

Here’s what you need to know.

What is GDPR?

The General Data Protection Regulation, or GDPR, represents a major change in data privacy regulation in the EU. The law, which goes into effect on May 25, 2018, was designed to standardize data privacy laws across EU member states. The regulations are a big win for EU citizens, whose data privacy will be both more secure and transparent as a result.

While the changes will greatly benefit individuals, many businesses are scrambling to meet compliance.

The GDPR requires organizations to make some major changes to how they approach data privacy. One of the changes is related to Personal Identification Information (PII). Especially in the United States, PII has often been used as an umbrella term to describe information like social security numbers and addresses. As CSO explains, the EU regulations vastly broaden the definition of PII, expanding it to include things like:

  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

By broadening this definition, organizations are on the hook for taking as much care to protect a person’s IP address as they do to protect their social security number. Organizations will only be able to store and process personal data when an individual explicitly consents, and they won’t be able to hold on to it for longer than is necessary for the purposes for which the personal data are processed. Companies must also erase personal data upon request (otherwise known as “the right to be forgotten”).

Take a moment to think about the many ways in which, and reasons why, you collect and use any sort of data about customers, leads, website visitors or even people you target with advertising. The GDPR is going to impact the way many departments handle data, including:

  • IT
  • Marketing
  • Finance
  • Sales
  • Operations

If you’re in the U.S., you’re probably wondering: Why should I care about GDPR?

The simple answer is the GDPR may very well impact you.

Per the GDPR website:

“The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

If your Chicago business ever works with customers in the EU or processes the data of EU citizens (say, for example, through contact form submissions that come from your website), you’re on the hook here. 

Now: What happens if you violate the GDPR? 

As Forbes explains, “Fines for noncompliance are large. They can be as high as €20 million (roughly $24,715,000) or 4% of a company’s total global revenue, whichever is larger. This is the maximum fine that can be imposed for the most serious violations, e.g. not having sufficient customer consent to process data or violating core Privacy by Design concepts. However, there is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.”

What can I do to ensure compliance?

As mentioned, meeting compliance is a massive undertaking involving many departments and stakeholders in your organization. The steps you’ll need to take will depend on your current systems and processes and will require everyone in your organization to take an active role in updating and adhering to the rules.

That being said, from a marketing and sales perspective, I highly recommend reviewing HubSpot’s GDPR “Product Roadmap” information. Whether or not you use the HubSpot marketing and sales automation product, they offer clear explanations of some of the legal requirements outlined in GDPR, including lawful basis of processing, consent and cookies. If you’re a HubSpot user, you’ll be interested to see what they’re doing to help make their software GDPR compliant (because adhering to the regulations will be as much of a responsibility of your third-party service providers as it is yours).

Now, take a breath.

If all of this information has you feeling overwhelmed, you’re not alone. While there’s a lot to take in, I want to end this article on a positive note.

The goal of the GDPR is to help protect citizens from having their data misused or, worse, stolen in a data breach. Organizations have gotten away with lax security of personal data for far too long, and the EU regulations are a huge step to help prevent this data from being stolen in the future. Being compliant with GDPR means you’re doing your part to help protect everyone — yourself included — from becoming a victim of a data breach. 

Looking to learn more about GDPR? We recommend reviewing CSO’s in-depth guide, General Data Protection Regulation (GDPR) requirements, deadlines and facts.

The GDPR is a complex topic with serious legal implications for organizations that fail to adhere to its standards. While the regulations are designed to protect EU citizens, we’ve chosen to cover the topic today because organizations outside of the EU can be penalized for non-compliance. This article is intended to serve as an introduction to the topic but is not intended to serve as legal advice; we recommend coordinating with your legal counsel to determine how this may impact your business and what steps to take to meet compliance.

Written by Brittney Lane | Tags: Legal, Data