GDPR: Everything you need to know if you’re a small business in the USA

If you haven’t already noticed, a lot of vendors like Google, YouTube and every other company you have submitted your email to have recently been updating their privacy policies.

Why is this happening? The European Union’s General Data Protection Regulation took effect on May 25, 2018. This means that the EU now requires all businesses to be compliant with new privacy regulations if they wish to operate in EU member states and serve individuals in the EU — either directly or as a third party.

So, will this affect your company personally? Well, it depends on your engagement within the EU.

  • If you sell to or communicate with the EU on a regular basis, then YES. You must have compliant websites and updated policies in place by May 25, 2018.
  • If you do business only in the US, then for right now, NO. However, standards that are set by the EU usually get adopted gradually by the rest of the world.

If you answered yes, read on and see what you need to do to be in compliance with the GDPR policy.

If not, you may want to read on anyway, but you are not obligated to make any changes (yet).

If you do need to make sure you’re GDPR compliant, these are the 3 big points you need to understand:

  • People must clearly consent to receive marketing messages from you. This means clients will need to specifically check how they wish to receive communication from you, i.e. emails, phone calls and more.
  • The purpose of your messaging must be specific and inform the customer of what to expect from you. Your privacy policies will need to be clear on how you’re using each customer’s personal data.
  • People have the right to opt out, be removed and/or update their information. You need to have a clear place where you are keeping the data AND be able to show that you have completely deleted it too.

Important things to note:

  • Even if your company is collecting information properly, if you have subcontractors or employees that are not following the same protocol, you and your company could potentially be fined.
  • Don’t know if you got the correct consent? We suggest sending a re-permission email to invite your existing audience to recommit to receiving emails from you.
  • You can no longer add someone to your email list from a business card or by adding them on LinkedIn.
  • You will need a secure place to store your contact information. One of our website design partners, Design It Please, has created a great checklist to help ensure your data is stored properly.
  • Have a data breach procedure. What do you do if your information is hacked or breached? In the case of an audit, can you provide tangible proof to show that you’re protecting your clients’ and networks’ information? If you don’t know how to create a data breach procedure, we suggest talking to an IT specialist.

What are my next steps?

  1. Get in touch with your website designer or manager to make sure your privacy policy is up to date. The policy should include an outline of what data you are collecting and where it is being stored. Don’t have a website designer? No worries, feel free to contact us today and we can connect you with some of our favorite website designers.
  2. Refresh your contacts: review your lists of contacts, and see if they’re up to date and segmented properly.
  3. Send a re-submission of consent email, and announce that you’ve updated your privacy policies. This is especially important if you have clients in the EU: make sure you email each of them a confirmation of their consent, as well as an overview of your updated privacy policies.
  4. Turn on double opt-in and GDPR forms in your email marketing system.

How does this affect my marketing moving forward?

  • Every individual on your email list needs to consent to both receiving emails AND receiving retargeted ads. We’re already noticing a change in what we can and cannot do in Facebook ads and other ad platforms.
  • Make sure your third-party vendors and employees are following a similar protocol. Consider discussing best practice methods with your HR or IT specialist.
  • Your customers must be given a free and genuine choice to accept or reject the option to join your email list. They must also be able to easily withdraw their consent.
  • You have to state what data will be collected and how it will be used.
  • If you run pixels, Google Analytics or any other data tracker, you will need to update your privacy policy to state that you are using these trackers.
  • If you are running lead form ads on Facebook, you will need to have an updated privacy policy before you can continue running them.

Need some more info on next specific steps? Our awesome website designer, Sam Fagan of Design It Please wrote a fantastic article on what US Small Businesses need to know about GDPR.

Want a deep dive of more info? Check out how Compose Agency out of the UK is incorporating GDPR for themselves and their clients.
Need more details?

Contact us today