If you don’t know what the GDPR is, and if you’re not ready for it, you’d better read on or watch our webinar on demand by clicking here.
The General Data Protection Regulation goes into effect May 25, 2018. It’s a privacy law the European Union is enforcing to protect the personal data you collect from the individuals you do business with. Even if your company isn’t in the EU, if you do business there you must comply.
What Data Does The GDPR Cover?
The GDPR applies to personal data you collect from the individuals you do business with. This means from the time you collect it and as long as you keep it. This includes data like names, email addresses, physical addresses, and even IP addresses – anything you collect and add to your database including information from surveys, questionnaires or quizzes. If you segment information in your CRM database, it includes this too.
The GDPR Protects:
- Information such as names, addresses, and ID numbers
- Web data such as locations, IP addresses, cookie data and RFID tags
- Health and genetic data
- Sexual orientation
- Biometric data
- Racial or ethnic data
- Political views
What Businesses Does The GDPR Affect?
It affects any organization that stores or processes personal information about EU citizens who reside in the EU. For example, it covers any businesses:
- Located in the EU.
- Located anywhere in the world that collects the personal information of EU citizens located in the EU.
- Businesses of any size.
Does It Apply To Startups, Businesses With Only One Or Two Employees Or Businesses Outside the EU?
Yes –Even if you’re in the U.S., an entrepreneur or a one-man (or woman) office, you still must comply. The GDPR will apply to any relationship or business transaction in the EU no matter where you are, or how small your business. It’s based on where the people are you’re collecting data from. Plus, if your business is in the EU and you’re collecting data from someone in the U.S., you also must also comply. Essentially, any data collected in the course of doing business to or from the EU must adhere to the GDPR regulations.
And here’s what most businesses don’t know! The GDPR applies to collecting personal data EVEN IF YOU GIVE SOMETHING AWAY FOR FREE. It doesn’t necessarily apply to paid-for products. If you collect personal data for business purposes for ANY REASON, you must comply. Once you save a name or information in your database, you must follow the GDPR regulations.
Are You Unknowingly Collecting Personal Data?
If your business has a Facebook, LinkedIn or Twitter page, and you gather personal information from people in the EU (or if you’re in the EU and collect personal data from anyone, anywhere) you must comply. For example, if your business is in the U.S. and you have an ad on one of these social media pages, and a person from the EU responds with their personal information, you must comply with the GDPR. Even if you add a disclaimer saying what you’re advertising is only for people in the U.S., and someone from the EU provides their personal data, you’re not exempt. You must comply.
More Rules You Must Follow
- Process data lawfully, fairly, and in a transparent manner. In other words, you must be open about what data you’re collecting and what it’s for.
- Data must only be collected for explicit, legitimate and specified purposes. You must be able to explain why you’re collecting it and how you plan on using it.
- Data collection should be limited for legitimate purposes. In other words, if you don’t need someone’s address for the specific reason you’re collecting personal information, you shouldn’t collect it. And, once you collect the data it can only be used for its intended purpose.
- You must keep the data up to date and ensure it’s always correct. This is especially for businesses like Facebook and Google and others like them.
- You shouldn’t keep this data longer than necessary. If you’ve completed the project or sale, and don’t need the data for marketing purposes, you must erase it all.
- Data must be kept secure with appropriate data protection solutions and kept behind a secure wall and encrypted. You should already be using SSL certificates and adhering to other security policies. (Ask your Technology Solutions Provider to help you with this.)
What About Soliciting Leads?
The personal information you collect from leads for marketing purposes also falls under the GDPR rules. This means that you must get their consent. And this consent should be given freely and applied for specific and clear purposes.
This also means that you can’t automatically add personal information to your marketing lists if someone fills out a form. You must get their consent to do this. Plus, you can’t require that they give you their personal information for something you’re giving away (like a webinar registration or a free white paper, or another freebie).
AND EVEN MORE CONFUSING is the fact that you can’t require that they be added to your list to obtain the free item. The only way you can require that individuals give you the authority to keep their personal information is if they purchase something from you.
The rules aren’t totally clear, but you may be able to send a nurture sequence after someone downloads your free item. (This is called an expanded processing.) However, what you must consider is the link between the reason for the collection of the information, the purpose for expanding the process, and the potential consequences of doing this.
What About Existing Lists?
The GDPR regulations also apply to your CURRENT lists. If you can’t prove that you have specific consent to store or use their personal information you will be in breach of the GDPR rules. If you don’t have this consent, between now and May 25, you must get it to keep their personal information. You’ll want to do this if you plan to re-engage with these individuals.
Begin by segmenting your list into two parts:
1) Non-EU individuals
2) Individuals from the EU and any of unknown origin (treat these as if they are in the EU)
Many email service providers can help you with this.
You should delete anyone from your lists who hasn’t provided consent by May 24th. You cannot store or process this information without their explicit consent.
Many businesses are running re-engagement campaigns to the individuals who need to provide fresh consent. You can no longer offer a lead magnet to EU citizens and add names to your marketing lists without consent.
What About Technology? Are There Changes You Should Make To Your IT Infrastructure?
The following are steps your organization should take to prepare your technology for the GDPR.
- Perform a thorough inventory of your personally identifiable information, where it’s stored–in onsite storage or in the Cloud. And determine in which geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
- Perform a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your Technology Solution Provider (TSP) can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
- Develop an Action Plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
- Ensure data privacy. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for organizations of any size. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.” This is a concept that has was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
- Be sure to document and monitor everything that you do that’s related to GDPR Compliance. This includes any changes or upgrades that your Technology Solutions Provider makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth” strategies where you use multiple layers of security controls when it comes to your technology.
If a breach occurs, and you have all these processes properly in place, you should be able to meet the GDPR breach notification 72-hour period. The organizations that have met most of the International Organization for Standardization information security requirements should also be ready for the new regulations.
Don’t Forget To Publish Your Privacy Policy
You need this regardless of whether the GDPR applies, but it’s a MUST now. Along with the EU, California laws are very stringent in this regard.
The following is a sample Privacy Policy:
PRIVACY POLICY – YOUR PRIVACY RIGHTS
Effective Date: {effective date}
Last updated: {last updated}
This Privacy Policy applies to the sites and apps where it appears.
This Privacy Policy describes how {company} treats personal information collected through the websites and applications where it appears (sometimes referred to collectively as our “website”) and how {company} treats personal information transferred pursuant to the E.U.-U.S. and Swiss-U.S. Privacy Shields.
{company} serves its client base in and around {location} from our office(s) in {address}. We may also refer collectively to these entities as “we” or “us”. This Privacy Policy applies only (1) to personal information collected through the websites and applications where it appears, including the sites and apps for our brand, as well as information collected at our call center pursuant to the E.U.-U.S. and Swiss-U.S. Privacy Shields. This Privacy Policy does not apply to information collected through other channels.
Your Consent
Please review this Policy before using this website or mobile app. By using this website, you are consenting to the collection, use, and disclosure of your information as set forth in this Policy. If you do not agree to be bound by this Policy, you may not access or use this service.
We collect information from and about you.
We collect contact information. For example, we might collect your name and email address. We may also collect your phone number or mailing address.
We collect demographic information. We may collect information such as your gender, age, and language preferences.
We collect payment information. For example, we may collect your credit card number for products or services.
We collect business information. For example, we collect contact and other relevant information about your business if your business signs on for our services, or if your employees or agents use a corporate account to do business with us.
We collect information you submit or post. For example, we collect feedback about our services that you submit to us. We also collect information if you apply for a job.
We collect other information. If you use our website, we may collect information about the browser you’re using. We might look at what site you came from, or what site you visit when you leave us. We may collect your precise, real-time location using GPS, cell phone towers, Wi-Fi signals, and/or beacon technology (including Apple’s iBeacon), and/or future technologies. We might look at how often you use an app and where you downloaded it. We collect this information using the tracking tools described below and in compliance with the applicable local law. To control those tools, please read the choices section below.
We collect information in different ways.
We collect information that you give to us. For example, if you sign on for our services.
We collect information about you automatically. Where permitted by law we use tracking tools such as browser cookies and web beacons to collect information from you. We collect information about users over time when you use this website.
We may have third parties collect personal information this way. We also collect information from our mobile apps.
We get information about you from third parties. Where permitted by law, we may share information with third parties with whom we do business. We may get information from persons acting on your behalf. We may also get information from social media platforms and advertising and analytics providers.
We combine information. For example, we may combine information that we have collected offline with information we collect online, to the extent covered by the transactional purpose or your consent. Or we may combine information we get from a third party with information we already have.
We use information as disclosed and described here, subject to any consent required by applicable law.
We use information to respond to your requests or questions. For example, we will use your information to provide the services you request, such as to fulfill a request for IT services or solutions, or to ask you to participate in a customer survey. Where legally permitted, we may use your personal data to personalize your experience with us. We might use your information to respond to a question about our services or products. We use social security numbers and tax ID numbers to process tax documents.
We use information to improve our websites and services. We may use your information to make services better. We might use your information to customize your experience with us. Where legally permitted, we may combine information we get from you with information about you we get from third parties.
We use information to administer our site and for internal operations. For example, we may aggregate or anonymize your information for analytics, research or other business purposes.
We use information for security purposes. Where legally permitted, we may use your information to protect our company, our customers, and our websites.
We use information for marketing purposes. For example, we might send you information about new services or special offers. We might tell you about new IT solutions or updates. These might be third-party offers or products we think you might find interesting. If you register with us, we’ll send you our promotional emails. We obtain consents as required by law before marketing to you. To manage this, read the choices section below. We may also use push notifications on our mobile apps.
We use information to communicate with you about your account or our relationship. We may contact you about your account or for feedback. We might also contact you about this Privacy Policy or our Site Usage Terms and Conditions.
We use information as otherwise disclosed or permitted by law.
We may share information with third parties.
We will share information with our branch offices unless legally prohibited. For example, we will share your information to facilitate services or to customize offers to your preference.
We will share your information with data processors that perform services on our behalf. For example, we share information with vendors who send emails and other communications for us. We also share information with companies that help us operate our sites or run promotions and advertisers and advertising networks that assist us in marketing and advertising our products and services. Some vendors may be located in a country other than where you live. We may also share information with analytics and search engine providers who act on our behalf.
We may share information with our business partners unless legally prohibited. For example, we might share information with third parties who co-sponsor a promotion. Some of these partners may send you information about product or services by mail or email where legally permitted or based on your prior consent.
We will share information if we think we have to in order to comply with the law or to protect ourselves, our customers or others. For example, we will share information to respond to a court order or subpoena, or in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Or, when required by law, we may share your information if you are the winner of a contest or other contest with anyone who requests a winner’s list. We may share information in order to enforce our Site Usage Terms and Conditions or other agreements and to protect the rights of others. We might share if we are investigating potential fraud. This might include fraud we think has happened during a promotion.
We may share information with a successor to all or part of our business. For example, if part of our business or assets is sold, we may disclose user information as part of that transaction. You have certain choices about sharing and marketing practices.
You can opt out of receiving our marketing emails. To stop receiving our promotional emails, you can visit your account settings on the site or follow the instructions in any promotional message you get from us. Even if you opt out of getting marketing messages, we will send you transactional messages. These include responses to your questions.
You can control participation in our iBeacon program. iBeacons are electronic devices that broadcast signals that can be received by mobile devices on which one of our mobile apps is installed. If you have voluntarily installed one of our apps on your device, and if you have granted permission for the app to track your location, then iBeacons installed in our offices may send a signal to the app on your device about the precise, real-time location of the device. The app may use this information to deliver special offers and promotions to you, at a time and place when the information is most relevant. As a convenience to you, receipt of the iBeacons signal and delivery of the special offer or promotion may occur even if you are not currently using the app. To make our mobile apps and services operate better, we may also collect other information based on iBeacon signals, for example, the strength of the signal between the iBeacon and your device, the duration your device is near the iBeacon, or the battery level of the iBeacon itself. To avoid having us receive or use your precise, real-time location, do not opt-in to location services. If you did opt in and have changed your mind, you may opt out of location services through your device settings or by deleting the app.
You can control cookies and tracking tools. To learn how to manage how we – and our vendors – use cookies and other tracking tools, please visit: INSERT LINK
You can control tools on your mobile devices. For example, you can turn off the location services or push notifications on your phone. Choices you make are device specific.
EU and Switzerland Residents.
Information about European Union and Switzerland residents may be sent to the U.S., where it is processed in accordance with this Privacy Policy and our Ad and Cookie Policy, the U E.U.-U.S. and Swiss-U.S. Privacy Shields. {company} complies with the E.U.-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland (please note that the Privacy Shields principles do not necessarily apply to the collection, use, and retention of personal information from other countries). {company} has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. The Federal Trade Commission shall have enforcement jurisdiction over {company} compliance with the Privacy Shield. {company} may have potential liability in cases of onward transfer to third parties. To learn more about the Privacy Shield program, and to view our certification page, please visit www.privacyshield.gov/.
Inquiries and Enforcement of Compliance.
In compliance with the E.U.-U.S. and Swiss-U.S. Privacy Shield Principles, {company} commits to resolve complaints about your privacy and our collection or use of your personal information. European Union and Switzerland residents with inquiries or complaints regarding this privacy policy should first contact {company} at the address provided below.
{company} has further committed to refer unresolved privacy complaints under the E.U.-U.S. and Swiss-U.S. Privacy Shields to the American Arbitration Association, http://go.adr.org/privacyshield.html. Finally, in certain limited circumstances and as a last resort, it may be possible for individuals to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.
Please note that if you are not a European Union or Switzerland resident, then Privacy Shield requirements regarding the handling of complaints may not apply to you and Privacy Shield enforcement mechanisms may not be available to you.
Russian Citizens.
In accordance with Russian Federal Law “On Personal Data” No. 152-FZ we collect, record, systematize, accumulate, store, update (renew and modify), and extract personal data about Russian citizens using databases located in the territory of the Russian Federation. If you indicate that you are a Russian citizen of the Russian Federation, we will process your personal data in compliance with this requirement and your profile will be maintained on databases in the Russian Federation. If you do not indicate that you are a citizen of the Russian Federation, we are not able to process and maintain your personal data under these requirements and will not be liable for that. You are solely responsible for indicating the country of your citizenship. Information containing personal data of Russian citizens may be transmitted from the Russian Federation to countries that ensure an adequate level of protection for personal data, including member states of the European Union and other countries which Russian law recognizes as ensuring adequate to protection, and also to other countries that may not ensure adequate level of protection for personal data. By submitting information to us on our sites and apps, submitting forms to us, or registering on our sites, programs, and apps, or scheduling services, you grant us consent to process your personal data.
Your California privacy rights.
If you reside in California, you have the right to ask us one time each year if we have shared personal information with third parties for their direct marketing purposes. To make a request, please send us an email at {email} or write to us at the address listed below. Indicate in your letter that you are a California resident making a “Shine the Light” inquiry.
Our sites and children.
Our sites and apps where this Privacy Policy is found are meant for adults. We do not knowingly collect personally identifiable information from children under 18 without permission from a parent or guardian. If you are a parent or legal guardian and think your child under 18 has given us information, you can contact us at {email} or write to us at the address listed as the end of this Privacy Policy. Please mark your inquiries “COPPA Information Request.” Parents in the United States, you can learn more about how to protect children’s privacy online at www.consumer.ftc.gov/articles/0031-protecting-your-childs-privacy-online.
We use standard security measures. The Internet is not 100% secure. We cannot promise that your use of our sites and apps will be completely safe. Any transmission of your data to our site is at your own risk. We encourage you to use caution when using the Internet. This includes not sharing your passwords.
We retain data. We keep personal information as long as it is necessary or relevant to the practices described in this Privacy Policy. We also keep information as otherwise required or permitted by law.
We store information both in and outside of the U.S. Information we collect from you may be transferred to or stored at, a destination in the United States or another destination outside of United States. It may be processed by staff operating in these locations who work for us or one of our suppliers. Such staff may be engaged in, among other things, the processing of your payment details and the provision of support services. If you live outside of the United States, you understand and agree that we may transfer your information to the United States. U.S. laws may not afford the same level of protection as those in your country.
We may link to other sites we don’t control. If you click on a link to a third-party site, you will be taken to a website we do not control. This Privacy Policy does not apply to the privacy practices of that website. Read the privacy policy of other websites carefully. We are not responsible for these third-party sites or their policies.
Feel free to contact us if you have questions. If you have questions about one of our branches or the information it retains, please contact it directly. If you have any questions about this Privacy Policy, or if you want to correct, update, reasonably access or delete, your information with us, please email us at {email}
For your safety and ours, we may need to authenticate your identity before fulfilling your request.
We may update this Privacy Policy.
From time to time we may change our privacy policies. We will notify you of any material changes to our Privacy Policy as required by law. We will also post an updated copy on our website. Please check our site periodically for updates.
© 2018 {company} All rights reserved.
I know this is a lot to consider and to do. But you make GDPR compliance a priority. Contact us if you need more information or assistance.