In a recent PRSA meeting, intellectual property lawyer Autumn Witt Boyd of The Law Office of Autumn Witt Boyd PLLC presented an interactive talk on how communicators and creatives can stay out of legal hot water, including best practices for creating and maintaining websites. “No matter where you are located, it's possible you are collecting data from an EU resident; this is where GDPR comes in,” says Boyd. Read on for our summary of the informative talk on GDPR and why it matters to American businesses!
To ensure Europe’s competence in the digital age, the European Union started procedures for data protection reforms back in 2012. A significant component of the plan was the creation of the General Data Protection Regulation, better known as GDPR. This law gives residents of all 28 member-states in the EU greater control over their private information by enforcing stricter guidelines for companies that gather, store and use their clients’ data. GDPR went into effect on Friday, May 25.
Guidelines and Compliance
In its simplest form, GDPR requires companies to closely monitor the data they have stored on EU residents. If someone wants their data (1) deleted, (2) shared with them or (3) corrected, then the company must comply. Going further, EU residents have a say in the specific ways companies can and cannot use their data. For example, if a person does not want their information to be used for political purposes, all they have to do is contact the organization that collected their data. The company would then have to make changes accordingly.
In addition to respecting website visitors’ private information, the law requires organizations to notify users within 72 hours of a data breach. Unlike the Equifax breach, where the company thought it could get ahead on damage control for weeks before informing millions of its clients of the breach, this particular regulation holds companies responsible for communicating promptly with their constituents.
If the GDPR was created to protect EU residents, should it matter to Americans at all? Do American companies need to make their websites compliant? The answers are yes, according to Boyd. “The fact that the internet connects people around the world means that by proxy, even American websites must follow the guidelines,” says Boyd. “If a prospective customer in Europe visits your website, and your business collected their data in a noncompliant way, you might face a serious fine. This is especially true if you have gated content or have an e-newsletter or collect emails for any reason.”
While your business might not be collecting massive amounts of user information across the world, merely gathering your website visitors’ email addresses and sending out e-newsletters in a way that is noncompliant with the GDPR might get you in trouble with the EU. The best practice would be to talk to your lawyer and website manager to ensure your privacy rules and regulations are up to par with the GDPR. For more information on GDPR and how it affects American businesses, check out Boyd’s talk (and free checklist) titled How Your U.S. Website Needs to Change for GDPR.