The GDPR and Mississippi Businesses
“We don’t have any European clients. Do we need to address this new GDPR law?” I received this question and others like it earlier this year as we approached the effective date for the European Union’s General Data Protection Regulation (GDPR). In fact, we continue to be asked about it frequently by clients and prospects. What do the EU’s GDPR and its privacy protection requirements have to do with Mississippi businesses? For many, it has absolutely nothing to do with your website or how you operate your business. For others, if you do any business with customers in an EU member nation or if you market products or services to EU residents, it undoubtedly will have an impact.
What is the GDPR?
In 2016 the European Parliament and Council adopted the GDPR, a regulation (not merely a set of guidelines) that took effect on May 25, 2018. It applies to businesses that collect or process personal data of individuals located in European Union countries, and “personal data” is read broadly: anything that can identify a person, including names, email addresses, IP addresses and online identifiers such as cookies. Among other things, the regulation addresses:
- What type of consent is required to collect personal data
- What measures must be taken to protect that data
- What rights individuals have over data that has been collected about them
Does The GDPR Impact My Business?
The GDPR was developed to provide a consistent set of consumer privacy protection laws and standards across all EU members. However, the regulation also applies to any company, regardless of its location, that offers goods or services to people in the EU or monitors their behavior online (for example, tracking what EU visitors do on your site). Therefore, if you own an eCommerce site based out of Jackson, MS, but have customers that are residents in a European Union country, then you must adhere to the GDPR requirements. If you do not have customers in the EU, do not target customers in the EU, and do not track EU visitors, then the law does not apply to you.
The law gives supervisory authorities in each member state the power to investigate potential GDPR violations and work with businesses to take corrective actions. On a case by case basis, the corrective actions may include penalties for non-compliance that can range up to 4% of a company’s total worldwide annual revenue or 20 million euros, whichever is greater. Yikes! (Note: A colleague in the UK recently shared with us that it’s widely believed the authorities will not be overly harsh with businesses unless there is a blatant disregard for the law and its intended protections.)
Impact For Your Website
So, what does this mean for your website if for example you have clients in the UK? Or if you have an opt-in email newsletter that you are targeting to customers that might be residents of an EU nation? The complete answer is best left up to your lawyer, but there are some high-level concepts we will touch on for companies needing to comply with the GDPR law.
Do you have a form on your website that has an opt-in newsletter invite? For example, when customers place an order on your website, do you have a checkbox for them to sign up to receive a monthly newsletter? If so, that opt-in checkbox can no longer be pre-checked as “yes”; it must default to blank or “no”, requiring the user to actively check the box to sign up for that communication method. Consent has to be an affirmative action by the user, so silence, inactivity or a pre-ticked box does not count.
Any opt-in options should be specific, allowing users to provide explicit consent for each type of data use you are requesting. For example, if you want permission to send both emails and direct mail advertisements to a customer, these should be separate opt-in options for the user to select, and you should keep a record of what each person consented to, when, and through which form.
Right To Be Forgotten
Under the GDPR it must be just as easy for users to withdraw consent as it was to grant it. The regulation also grants the user the right to erasure, often called the “right to be forgotten”: personal data must be erased upon request when, for example, the user has withdrawn the consent it was collected under or the data is no longer necessary for the purpose it was collected for. Make it clear to site visitors how this can be done, whether it is modifying cookie preferences, withdrawing opt-in consent, or requesting personal information to be removed.
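As an added example (not code from the original article), here is one way the opt-in rules above and the withdrawal and erasure requirements might be handled on the server side of a checkout form. The purpose names, the form markup, the customer ids and the sample submissions are constructed for illustration; the one real browser behavior it relies on is that an unticked checkbox is omitted from the submitted form entirely, and a ticked one without a `value` attribute is sent as `on`.

```python
# Added example (not from the original article): granular opt-in consent on
# the server side. Assumes a hypothetical checkout form whose POST body has
# already been parsed into a dict of field name -> value. Purpose names,
# customer ids and the markup below are constructed for illustration.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One checkbox per purpose, so the user consents to each use separately.
PURPOSES = ("email_newsletter", "direct_mail")

# Constructed form markup: both boxes are unchecked by default.
CHECKOUT_FORM_HTML = """
<form method="post" action="/checkout">
  <input type="checkbox" name="email_newsletter" id="nl">
  <label for="nl">Send me the monthly email newsletter</label>
  <input type="checkbox" name="direct_mail" id="dm">
  <label for="dm">Send me direct mail offers</label>
  <button type="submit">Place order</button>
</form>
"""

_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)


def prechecked_checkboxes(html: str) -> List[str]:
    """Audit helper: return every checkbox <input> carrying a 'checked'
    attribute, i.e. a box that defaults to 'yes'. Simple string heuristic,
    not a full HTML parser."""
    hits = []
    for tag in _INPUT_TAG.findall(html):
        is_checkbox = re.search(r'type\s*=\s*["\']?checkbox', tag, re.I)
        if is_checkbox and re.search(r"(?<![\w-])checked(?![\w-])", tag, re.I):
            hits.append(tag)
    return hits


def parse_opt_ins(form: Dict[str, str]) -> Dict[str, bool]:
    """Browsers omit an unticked checkbox from the POST body entirely, so a
    missing field means 'no consent'. Never default a missing field to True."""
    return {purpose: form.get(purpose) == "on" for purpose in PURPOSES}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    source: str                          # which form or page collected it
    withdrawn_at: Optional[datetime] = None


class ConsentStore:
    """In-memory stand-in for a consent table: who consented to what, when,
    and whether they have since withdrawn. A real system would persist this."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}

    def record(self, customer_id: str, form: Dict[str, str], source: str) -> Dict[str, bool]:
        opt_ins = parse_opt_ins(form)
        now = datetime.now(timezone.utc)
        for purpose, granted in opt_ins.items():
            if granted:  # store only affirmative actions; silence is not consent
                self._records.setdefault(customer_id, {})[purpose] = ConsentRecord(purpose, now, source)
        return opt_ins

    def has_consent(self, customer_id: str, purpose: str) -> bool:
        rec = self._records.get(customer_id, {}).get(purpose)
        return rec is not None and rec.withdrawn_at is None

    def withdraw(self, customer_id: str, purpose: str) -> bool:
        """A single call per purpose: withdrawing is as easy as granting.
        Returns False if there was nothing to withdraw."""
        rec = self._records.get(customer_id, {}).get(purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def erase(self, customer_id: str) -> int:
        """Erasure request: drop everything held about the person.
        Returns the number of consent records removed."""
        return len(self._records.pop(customer_id, {}))


# Constructed sample submissions: the first user ticked only the newsletter
# box; the second ticked nothing, so neither checkbox field is present.
SUBMISSION_NEWSLETTER_ONLY = {"order_id": "1001", "email_newsletter": "on"}
SUBMISSION_NO_OPT_IN = {"order_id": "1002"}
```

The important line is `parse_opt_ins`: code that reads the checkbox with a default of `True` (or that treats any non-empty customer record as consent) silently converts an unticked box into consent. The `prechecked_checkboxes` helper is a quick way to sweep templates for boxes that still ship with `checked` set.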
By no means is this list of issues complete when it comes to your website and the GDPR. We’ve simply addressed some of the common issues relevant to almost all sites needing to comply with the GDPR. The requirements are vast and actually extend far beyond data you collect on your website. However, the law also reduces certain record-keeping obligations for businesses with fewer than 250 employees, so some requirements may not apply to you. The intent of the law is to protect the privacy of consumers, and that’s a good thing for all of us long term. If you believe your business must adhere to GDPR requirements, and you are unsure of where to start, familiarize yourself with the GDPR language and consider contacting a third-party expert to provide guidance on how to achieve compliance.