Most US-based small business owners paid little attention to General Data Protection Regulation (GDPR) news because it was a European Union (EU) law. But if you sell or advertise products online, offer B2B services, or outsource work to international freelancers, violating GDPR rules could land you in hot water — even if your office and its employees are located somewhere like Austin.
What is GDPR?
In force since 25 May 2018, GDPR is the EU's legal framework for protecting the personal data of people in the EU. Considering that 68% of EU citizens provided personal data to eCommerce sites in 2017, and that thousands of those stores were headquartered abroad, GDPR would be toothless if it applied only to EU businesses. That is why its reach is extraterritorial: it covers any organization, wherever it is located, that processes the personal data of people in the EU.
What is protected by GDPR?
Any organization that processes the personal data of people in the EU must follow GDPR's transparency and security rules. Most importantly, these rules give individuals the right to request a copy of all the personal data a business holds about them (the right of access) and, subject to limited exceptions such as records a legal obligation requires you to keep, the right to have that data deleted (the right to erasure). Personal data includes any of the following:
- Names, addresses, and ID numbers
- Location data, IP addresses, and cookie or advertising identifiers that tie a browsing history to a person for ad targeting
- Health, genetic, and biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
With such a broad range of data covered, it was only weeks after GDPR took effect that a US business was in the crosshairs. Ticketmaster, headquartered in California, faced a UK investigation over a 2018 breach that affected UK customers, with a possible fine that GDPR caps at €10 million or 2% of worldwide annual turnover for security failures (and at €20 million or 4% for the most serious violations).
Unfortunately, large online retailers will not be the only businesses this law reaches.
US businesses that must be GDPR compliant
Obviously, any company that ships products to the EU or provides services to its citizens must be GDPR compliant. However, there are several other run-of-the-mill business practices that will require US-based SMBs to follow these international regulations.
- Website translations – Simply creating an EU-language (e.g. German) version of your website is enough to infer you market there.
- Visitor tracking – Running analytics or advertising trackers on EU visitors to your website without first obtaining their opt-in consent violates their privacy rights; an opt-out buried in a policy page is not enough.
- Email marketing – Sending electronic messages (e.g. email newsletters) to EU citizens and using an app to monitor when messages are opened requires compliance.
- B2B services – If you have access to EU citizen data stored by another company (e.g. you handle a third-party’s accounting), you must adhere to GDPR.
- Working with freelancers – Paying EU citizens for freelance work requires keeping names, addresses, and payment information on file — which requires compliance.
The vast majority of SMBs in Austin use at least one of these strategies. And nearby Round Rock is even more exposed because it has been designated a Foreign Trade Zone by the US government. Thankfully, protecting this data is well within the capacity of small businesses.
How to achieve GDPR compliance
First and foremost, you must catalog and categorize every shred of data you hold that is covered by the EU's privacy law. Did you email a customer in France five years ago? Or pay a freelancer in the UK the last time you updated your website? This information must be organized so that you can locate an individual's records across every system that holds them, hand them a copy, and delete the records "without undue delay" should they demand it.
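The cataloging step is concrete enough to show in code. The following is an added example, not the page's own material or any provider's tooling: a minimal "data map" that registers every system holding personal data, keyed the way each system actually identifies people, and uses it to produce a right-of-access report and to carry out an erasure request with an audit log. The three stores (a CRM, a newsletter list, a payments ledger) and every record in them are constructed sample data, and the field names are assumptions chosen for illustration; the point is that a subject request can be served by one lookup once the map exists.

```python
"""Minimal data-subject locator: access report and erasure across several stores.

Added example with constructed sample data; store layouts and field names are
assumptions for illustration, not any real product's schema.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample stores. Each keys people differently (CRM id, bare email,
# payee email), which is exactly why a map is needed before a request arrives.
CRM: Dict[str, dict] = {
    "c-1001": {"name": "Marie Dupont", "email": "marie@example.fr", "country": "FR"},
    "c-1002": {"name": "Alex Jones", "email": "alex@example.com", "country": "US"},
}
NEWSLETTER: List[dict] = [
    {"email": "Marie@Example.fr", "opens": ["2018-06-01", "2018-06-15"]},
    {"email": "alex@example.com", "opens": []},
]
PAYMENTS: List[dict] = [
    {"payee_email": "marie@example.fr", "iban_last4": "1234", "amount_eur": 450.0},
]


def norm(email: str) -> str:
    """Case- and whitespace-insensitive key, so 'Marie@Example.fr' still matches."""
    return email.strip().lower()


@dataclass
class Store:
    category: str                 # e.g. "identity", "behavioural", "financial"
    find: Callable[[str], list]   # normalized email -> matching records
    erase: Callable[[str], int]   # normalized email -> number of records removed


@dataclass
class DataMap:
    stores: Dict[str, Store] = field(default_factory=dict)

    def access_report(self, email: str) -> dict:
        """Right of access: everything held about one subject, by store and category."""
        key = norm(email)
        report = {}
        for name, store in self.stores.items():
            hits = store.find(key)
            if hits:
                report[name] = {"category": store.category, "records": hits}
        return report

    def erase(self, email: str, retain=()) -> list:
        """Right to erasure across all stores except those named in `retain`
        (records a legal obligation requires keeping, e.g. tax records).
        Returns an audit log of what was done per store."""
        key = norm(email)
        log = []
        for name, store in self.stores.items():
            if name in retain:
                log.append((name, "retained"))
            else:
                log.append((name, f"erased {store.erase(key)}"))
        return log


# Adapters for the three constructed stores.
def crm_find(key: str) -> list:
    return [dict(id=i, **r) for i, r in CRM.items() if norm(r["email"]) == key]


def crm_erase(key: str) -> int:
    ids = [i for i, r in CRM.items() if norm(r["email"]) == key]
    for i in ids:
        del CRM[i]
    return len(ids)


def list_find(rows: List[dict], field_name: str) -> Callable[[str], list]:
    return lambda key: [r for r in rows if norm(r[field_name]) == key]


def list_erase(rows: List[dict], field_name: str) -> Callable[[str], int]:
    def _erase(key: str) -> int:
        keep = [r for r in rows if norm(r[field_name]) != key]
        removed = len(rows) - len(keep)
        rows[:] = keep          # mutate in place so the shared list shrinks
        return removed
    return _erase


DATA_MAP = DataMap()
DATA_MAP.stores["crm"] = Store("identity", crm_find, crm_erase)
DATA_MAP.stores["newsletter"] = Store(
    "behavioural", list_find(NEWSLETTER, "email"), list_erase(NEWSLETTER, "email"))
DATA_MAP.stores["payments"] = Store(
    "financial", list_find(PAYMENTS, "payee_email"), list_erase(PAYMENTS, "payee_email"))

if __name__ == "__main__":
    print(DATA_MAP.access_report("marie@example.fr"))
    print(DATA_MAP.erase("Marie@Example.fr", retain=("payments",)))
    print(DATA_MAP.access_report("marie@example.fr"))   # only the retained store remains
```

Two design points matter in practice: every store is reached through one normalized subject key, so a request is not missed because one system stored the address in a different case; and erasure takes an explicit retention carve-out rather than deleting blindly, because the right to erasure is not absolute and the audit log is what you show a regulator.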
As for technical security measures, GDPR gives you significant freedom to design your own IT strategy as long as you implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk." The law explicitly allows you to hand processing to an outside provider, provided a written contract binds that provider to the same obligations, which helps SMBs put in place the measures the regulation names, such as encryption and pseudonymisation, that are not switched on by default in the hardware and software they already own.
Partnering with a managed IT services provider for computer support also helps you meet GDPR's breach notification requirements: a personal data breach must be reported to the supervisory authority within 72 hours of your becoming aware of it (unless it is unlikely to put the affected individuals at risk), and the individuals themselves must be told without undue delay when the risk to them is high. Meeting that clock is only possible if someone is watching for incidents in the first place.
Achieving compliance with IT outsourcing
Between GDPR fines that reach €10 million or 2% of worldwide turnover for security failures (double that for the most serious violations) and the half-dozen other regulatory frameworks facing SMBs in Central Texas, a managed IT services plan is a no-brainer. Our plans include proactive maintenance and 24/7 monitoring so you never need to worry about whether your computer support team has enough capacity. For more detailed information on our GDPR compliance tools, download our free whitepaper.