I’m thrilled to feature this guest post from my colleague Cheri D. Andrews, Esq.
Cheri helps small business owners and solopreneurs just like you protect your livelihood. After all, you work hard to build your empire – Cheri has got your back!
If your website:
- has ANY forms for collecting names, emails, or other personal information for email marketing, scheduling purposes, or to enable download of a lead magnet, OR
Some would argue that because privacy regulations require you to disclose what personal information you collect, you must have a policy even if it only states that you don’t collect ANY personal information.
You may rightfully be wondering “Why should I care about regulations in five states or the EU where I’m not located and don’t do business?” Fair question. The answer is simple. You can’t stop visitors from those states or the EU from visiting your website. And the minute they do, the regulations kick in.
GDPR is technology neutral – meaning it covers data you collect both online and offline, regardless of device – computers, phones, cash registers, paper.
GDPR covers both data privacy AND data security, so it’s not just what data you are collecting and how you use it, but also how you are protecting it, and how you will respond in the event of a data breach incident.
Under the GDPR, all businesses, regardless of location or size, are expected to comply if:
- You collect personal information from people in the EU (newsletter, lead magnet, contact form) OR
- You sell goods or services to people in the EU OR
- You use analytics on your website that can capture the behavior of people in the EU (clicks, views).
Note that the GDPR protects anyone located in the EU, not only EU citizens. It doesn’t matter if you actually do business in the EU or actively target EU consumers – if you are getting their personal information or analytics, GDPR applies.
How can I be compliant with these regulations?
- Make sure your website is served over HTTPS with a valid TLS certificate, and that plain http:// requests redirect to https:// – this is the transport security visitors see as the padlock in the browser, not a “certification” of your site.
- Know what data you collect – Covered data includes:
- Personal Data – Name, address, birth date, SSN, etc.
- Web Data – geolocation, IP address, cookie data, clicks, views, etc.
- Protected Data – health, biometrics, race/ethnicity, politics, sexual orientation, etc.
- Do a data audit – know where your data comes from, where it is stored, how it is processed, how long it is kept, and how secure it is. Data audits should include your own computers, your paper files, any cloud-based storage, and all your vendors – such as Google Analytics, email marketing platforms, and payment processing platforms.
- Maintain a “reasonable” level of data protection & privacy, ensuring storage of data is secure, only the data you really need is collected, and data is stored no longer than necessary to fulfill the purpose for which consent was given.
- Have a Breach Protocol Policy in place so that you know how to respond in the event of a data breach and can meet the GDPR’s 72-hour deadline for notifying the supervisory authority. Reporting requirements are state or nation specific, so your reporting obligations will depend on where your data subjects reside.
- Respond to requests from data subjects for access to, correction of, or deletion of their information within 30 days.
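The HTTPS bullet above is the one item on this list you can verify mechanically. The script below is an added example (not part of the original post) that connects to a hostname you supply, lets Python’s default TLS context validate the certificate chain and hostname, reports how many days remain before the certificate expires, and checks whether a plain http:// request is redirected to https://. The hostname `example.com` is a placeholder; the two helper functions are pure so they can be checked without a network connection.

```python
"""HTTPS sanity check for a small-business website (added example, not the author's code).

Usage:  python https_check.py example.com
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from http.client import HTTPConnection
from typing import Optional
from urllib.parse import urlparse


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Parse the 'notAfter' string as returned by ssl.SSLSocket.getpeercert()
    (e.g. 'Jun  1 12:00:00 2025 GMT') and return the whole days remaining.
    A negative value means the certificate has already expired."""
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def redirect_is_https(status: int, location: Optional[str], host: str) -> bool:
    """True if an HTTP response is a redirect (301/302/307/308) whose Location
    header points at an https:// URL on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    parsed = urlparse(location)
    return parsed.scheme == "https" and (parsed.hostname or host).lower() == host.lower()


def check_site(host: str, timeout: float = 5.0) -> dict:
    """Network check. ssl.create_default_context() verifies the chain against the
    system trust store and checks the hostname; a bad certificate raises here,
    which is the failure you want to see before a visitor does."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()

    # Plain HTTP must redirect to HTTPS, otherwise form data can still travel in the clear.
    conn = HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()

    return {
        "issuer": dict(pair[0] for pair in cert["issuer"]),
        "days_left": days_until_expiry(cert["notAfter"]),
        "redirects_to_https": redirect_is_https(resp.status, location, host),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    report = check_site(target)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["days_left"] < 14 or not report["redirects_to_https"]:
        sys.exit(1)
```

Run it against your own domain. A non-zero exit means either the certificate is within two weeks of expiring or the HTTP-to-HTTPS redirect is missing; a `ssl.SSLCertVerificationError` means browsers will show a warning instead of the padlock.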