While all European Union (EU) businesses should now be fully compliant with the General Data Protection Regulation (GDPR), B2B firms based in the United States are still wondering what GDPR means for them. Do they need to comply? If so, to what degree?
We have helped many of our B2B clients over the past few months comply with the GDPR at various levels, depending on their involvement with the EU. In this article, we will provide a summary of GDPR and give you several options to consider to help your US-based firm move towards GDPR compliance, based on its involvement with the EU. While only EU citizens are currently protected under the GDPR, we anticipate similar regulations might make their way to the U.S. in the future.
So what exactly is GDPR?
By now you probably know that the GDPR is legislation approved by the EU to create greater and more uniform data privacy protection for all EU citizens. The goals of the GDPR are to give EU citizens insight into the data collected about them and put the control into the hands of users, rather than companies.
Here are three main areas of focus for the GDPR:
- Consent: Companies must alert users when they are tracking them with cookies, munchkins, etc. and also get their explicit CONSENT. This includes implementing double opt-in for forms, documenting consent by users, and giving users the ability to control their subscription preferences.
- Data Management: Companies must give users the right to: a) know what data has been collected about them; b) update that data; and c) have that data erased/deleted.
- Privacy Policies: Your privacy policies may need to be aligned with the new GDPR requirements and you will need to document your legal basis for processing personal data.
There is a lot of gray area with this regulation, but we’ve seen clients fall into three general levels, based on EU involvement. The levels are based on several different parameters:
- Do you actively pursue business in the EU? If yes, you’ll fall into level 3.
- Do you have a cookie-tracking system on your website? A cookie-tracking system is defined as a platform that captures user information and tracks visitors using cookies. This would include marketing automation systems (e.g. HubSpot, Act-On, Marketo), advanced web analytics (e.g. Hotjar, Crazy Egg), and advertising-related cookies (e.g. Google/DoubleClick, Bing). If the answer is yes, your company falls into level 2.
- Is your firm in a compliance-heavy industry (e.g. financial services)? If yes, start at level 2.
Level 1 – Your firm is not actively doing work in the EU and does not have a cookie-tracking system.
- Add an SSL certificate to your website – An SSL certificate adds a level of security to your site by encrypting data in transit between the browser and your server, and it displays your site as “secure” beside the URL, building user trust. SSL certificates are mandatory under the GDPR, and Google Chrome will start to mark all non-HTTPS sites as “not secure” beginning in July 2018. As an added bonus, an SSL certificate can also give your site a boost in Google’s ranking, so adding one helps not only with compliance, but also with SEO!
- Change your Google Analytics snippet to enable IP anonymization, so that visitors’ full IP addresses are not stored.
Level 2 – Your firm is not actively doing work in the EU, but may be tracking cookies or is in a compliance-heavy industry:
- All Level 1 items
- Require double opt-in on subscription forms (e.g. blog or newsletter subscriptions). Double opt-in means that users must confirm a subscription request twice. This could mean triggering an email verification to confirm consent after users have clicked submit on a form on your site, or having users click two separate submit buttons when submitting a subscription form.
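The email-verification form of double opt-in, shown as an added example that is not from the original article or any vendor's product: the form submission mints a signed, expiring, single-use confirmation token for the verification link, and clicking that link is what records the documented consent. Names such as `issue_confirmation_token`, `confirm_subscription` and the in-memory `consent_records` list are assumptions for illustration.

```python
"""Double opt-in: a signed, expiring confirmation token for subscription sign-ups."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example key; a real deployment loads this from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 60 * 60   # confirmation links expire after one day
_used_nonces = set()               # each link may be used only once
consent_records = []               # the "documented consent" the GDPR asks for


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_confirmation_token(email: str, issued_at: Optional[int] = None) -> str:
    """First opt-in: the form was submitted; mint the token to embed in the verification e-mail."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    nonce = secrets.token_hex(8)
    payload = f"{email}|{issued_at}|{nonce}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def confirm_subscription(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Second opt-in: the user clicked the link. Returns the consent record, or None if the token is rejected."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:
        return None                                    # malformed link
    if not hmac.compare_digest(_sign(payload), sig):
        return None                                    # tampered or forged token
    email, issued_at, nonce = payload.decode().rsplit("|", 2)
    if now - int(issued_at) > TOKEN_TTL_SECONDS or nonce in _used_nonces:
        return None                                    # expired, or link already used
    _used_nonces.add(nonce)
    record = {"email": email, "requested_at": int(issued_at), "confirmed_at": now}
    consent_records.append(record)                     # keep when and by whom consent was given
    return record
```

Only confirmed records should ever feed the mailing list; unconfirmed requests can be discarded once the token expires.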
Level 3 – Your firm is actively targeting or working with clients in the EU:
- All Level 2 items
- Add a cookie consent tool to your website to allow users to manage their cookie settings. We have found OneTrust to be the most robust tool for our clients.
- Add a link to your Terms and Conditions on all forms across your site.
- If you have a newsletter or blog subscription, add a subscription center so that your users can adjust their settings to what they want to receive.
- Ultimately, you need to comply with all of the regulations of the GDPR and should hire a legal team to assist with consultation and implementation.
Finally, our team is not equipped to give guidance from a legal or compliance standpoint, so it is imperative that you speak with your legal team and assess your firm’s needs when it comes to the GDPR and how to adapt to the new regulations. With that disclaimer, we hope this article provides you with some basic guidance for determining what level your firm falls into and to what degree you need to comply with the GDPR.