GDPR  - Ignore It At Your Peril

Posted by Judith Eckles

July 10, 2018

 What is GDPR?

On Friday, May 25 the General Data Protection Regulation (Data-Protection-GDPR_105902283-compressor-1GDPR), a new European law, went into effect. While it primarily applies to European Union (EU) countries, under certain circumstances it will also apply to many others, including the United States (US), even if you don’t do business in Europe.

This may be as surprising to you as it was to me, according to “Since the dawn of the Internet, companies have been gathering as much data as possible on anyone they can. It’s simple to collect that information, so there’s no reason for them not to hoard it.” And hoard it they have, used it to sell their products and services, and in many instances sold it to third parties.

The GDPR is designed to protect EU citizens’ personal data from misuse. Wikipedia asserts that “According to the European Commission personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” Personal data includes biographical data, education, work history, genetic data as well as things like your call history, private messages, or geo-location data.

While data abuse recently came to the forefront with the Facebook/Cambridge Analytical scandal, the EU has been working on legally protecting data for decades. The EU’s GDPR replaces its predecessor the Data Protection Directive which went into effect at the end of 1995. The difference, GDPR is an enforceable regulation (a law), not a directive.  The law is enforceable because the US and the EU have trade treaties that enable enforcement, prosecution and the levy of fines on US companies.

How does GDPR affect US companies?

If a US company has a website, and who doesn’t, it is accessible to the whole world, including citizens of the EU. If a US company website is visited by an EU resident and data is collected, it is required to follow the rules of the GDPR.

Be sure you check out the regulations of how the GDPR impacts your company with your attorney. The GDPR is especially important to those US companies that market to the EU. In it’s white paper “Marketing Guide to the GDPR” Treasure Data, a data management software firm, states “a US company that uses cookies when an EU citizen visits its website is affected by GDPR if that visitor data is collected in web forms. Any sales, marketing or advertising that involves personal EU citizen data falls under the GDPR umbrella.”

 Beginning on May 25, any organization covered under the GDPR and is not compliant faces the possibility of fines of up to $26,589,740 (£20 million) or 4% of global annual turnover - net sales without VAT (Value Added Tax) - whichever is greater. That’s not inconsequential.

If your website is not yet compliant, you need to get busy. It’s more than just an update to your privacy policy.  You have to have a process for allowing EU citizens to opt-in and opt-out.  And if they come back at some future time and want to opt-out, you have to have a process in place to delete the data entirely – not a simple task.


In our next blog, learn how marketing will be impacted by GDPR.

Topics: GDPR, General Data Protection Regulation

Blog comments

TMD_LOGO_338x149_(web)_(1)The Marketing Department Malvern, PA is a full service Marketing Agency serving Malvern, Main Line, King of Prussia, Wayne, Paoli, Berwyn, Chester County and Montgomery County, PA areas.