This article is intended for non-EU companies that have questions regarding their compliance requirements surrounding the European Union’s General Data Protection Regulation (GDPR). Specifically, this information is geared for businesses that do not directly market to individuals in the EU but may indirectly have EU contacts or even customers. If your company actively targets and markets to citizens in the EU the information below will be helpful, but you should take a deeper dive into your process, both online and offline, to ensure compliance. Most importantly, this article is not legal advice.
We’re assuming if you’re reading this article you already have a basic understanding of what GDPR is and are simply looking for some clarity and answers as to how it affects you and specifically what you need to do about it. General Data Protection Regulation (GDPR) goes into effect May 25, 2018 and comes with some big changes for how companies handle data, specifically when it comes to data of individuals physically within the EU. Many US-based and non-EU companies were previously able to avoid the Data Protection Directive (which GDPR is replacing) by simply being outside of the EU, but these new rules change that.
At MODassic we have clients in the US, Australia and Canada and do not specifically market to the EU. However, we get web traffic and contacts who opt-in to our content from around the world, including the EU. Many of our clients are in a similar situation and that’s where there are a lot of gray areas surrounding GDPR compliance.
Should I just block all traffic from the EU?
Anytime lawyers are involved there’s an overwhelming amount of information generated on the subject, but we somehow rarely get any closer to black and white answers.
Because of this we’ve seen a ton of frustration, panic and misunderstanding online with people unsure what to do. Several are simply resorting to blocking all traffic from the EU so they don’t have to deal with it. We understand that, since there isn’t a lot of clear information out there, but it’s a bit drastic. Blocking all of that EU traffic could really hurt your organic search rankings outside of the EU as well. At MODassic we don’t target customers in the EU, but we do have a lot of traffic from around the world, including the EU, from individuals that find our blog posts via search engines. Those individuals may download our ebooks and therefore become contacts of ours. Even if we never worked with anyone in the EU, this search traffic benefits us. Blocking that traffic could affect our domestic search rankings.
It’s all about intent and targeting
The internet doesn’t have borders (for the most part). So if you have a website there are some things you may need to do, but you don’t need to panic and don’t need to block all EU traffic.
First, a clarifying point, collecting data is not just related to a sale or financial transaction. Any data collected automatically through a tracking script or through a contact form counts. So even if you never sell to someone in the EU, you need to be aware of the following.
To fall under GDPR your company would have to specifically target individuals in the EU. Therefore the most important thing you need to do is get a clear understanding of what targeting is and see if you have any information or language on your website that could be identified as targeting the EU.
What is and isn’t considered targeting?
EXAMPLE – NOT TARGETING
If you are a US-based company and someone in the EU (say Italy, for example) was searching on Google for general information and then discovered your website and filled out a contact form, that is not considered targeting assuming your website doesn’t meet any of the targeting criteria below.
EXAMPLE – TARGETING
If in that same scenario above your website did any of the following, it would be considering targeting and therefore subjective to GDPR.
CONSENT & OPTING IN
If you are targeting EU customers, you will need to update your contact forms to obtain explicit consent. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”
However, at MODassic we think this is a best practice to do even if you don’t target EU customers—especially if you do any marketing automation or paid media. This is because EU customers could find their way into your database without targeting them (which is fine) but then they could start getting your marketing emails or remarketing ads without you realizing it. By having everyone consent you cover yourself. In addition, it’s simply a best practice to let people know what they’re singing up for.
This can be achieved by doing three things:
PROTECT DATA & HAVE ACCESS TO REMOVE DATA
A term you may have heard a lot surrounding the GDPR is the “Right to be forgotten”. In short, EU users have the right to see what info you have on them and request that it be deleted. Therefore companies that are both targeting and collecting data on EU users need to be able to access and delete that information.
Most businesses use 3rd party cloud based platforms such as Hubspot, MailChimp, Marketo, Sugar CRM or Salesforce to collect this data and store it. These legitimate organizations are taking the necessary steps to ensure that data is protected and compliant. They should be taking care of the heavy lifting within their platform to ensure that you have access to easily look up and delete what info you have on an EU user, should they request it.
In closing, the main thing to remember is not to panic and don’t simply block all users from the EU. Instead run through this checklist and implement a couple very basic notification and content options on your website and contact forms.