GDPR Compliance: What Businesses Need to Know

Over the last few weeks, you have probably noticed a flood of emails from your favorite retailers prompting you to read their new “privacy policy.” If you’re anything like us, these are the kind of pesky messages we normally send straight to Trash without opening. But these policy updates are more than just corporate spam or an opportunity for Internet dwellers to crank out some dank memes. They’re actually a sign that companies are embracing the General Data Protection Regulation, or GDPR, a new data privacy and protection law that went into effect last week.

But what is the GDPR, and what does it mean for small business owners? We’ve outlined the basic legal implications below as well as how your company can become GDPR-compliant. Just be sure to consult your legal team while you’re at it – only one day after the GDPR went into effect, Facebook and Google were slapped with $8.8 billion in lawsuits. It pays to play by the rules!

So, what is the GDPR?

The GDPR is a legal framework that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. The law went into effect on May 25, 2018 and applies to all companies handling the consumer data of citizens within the EU, regardless of the business’s size, industry, or country of origin.

Simply put, the law is telling companies to modify the way they process, store, and protect customers’ personal data. At a minimum, GDPR compliance measures could include updating your terms of service and privacy policy, adding opt-in consent language to the contact, subscription, and registration forms on your website, and notifying consumers about your use of tracking mechanisms, such as cookies. But the level of effort needed to achieve compliance will vary from business to business. It all depends on your business model and current practices.

TLDR: The GDPR is meant to protect and empower Internet users everywhere.

If you don’t live or work in the EU, how does the GDPR affect your business?

Even if your business is based in the United States, it probably needs to be GDPR-compliant. Of course, any company that serves customers who reside in the EU must adhere to the law’s requirements. But the GDPR also applies to any website that is accessible from the EU.

What should you do to make your business GDPR-compliant?

1. Understand the types of personal data your business is handling.

Are you collecting names, email addresses, phone numbers, banking information, or other personal details from your prospects, leads, and customers? Is any of this data considered sensitive, such as health care information? As a business owner, you need to know what data is being collected, where this data is being stored, and exactly how it is being used. To answer these questions, we recommend conducting a comprehensive data audit with your team.

2. Create a “cookie consent banner.”

The GDPR requires businesses to notify their website visitors when cookies are being used, and this notification must be shown in a language they understand. Then, visitors must consent to being tracked by cookies. Consent, as it’s defined by this law, should be affirmative, apparent, and specific. The easiest way to do this is by putting a cookie consent banner at the top or bottom of your website’s homepage. Below is an example from the Forbes website.

3. Create or update your terms of service and privacy policy.

If your company does not already have formal terms of service and privacy policies, develop them and display them clearly on your website for public access. These documents should include thorough but easily understandable explanations of:

  • What information you collect
  • How you use, share, store, process, and protect that information
  • Whether and how you use cookies and similar technologies
  • How users can access and control their personal data

Basically, your company needs to establish a legal reason, or “lawful basis,” for two things: processing someone’s information (e.g., storing their name, phone number, and email address in your CRM) and communicating with them (e.g., calling them or sending them marketing emails). Every user has the right to agree to or decline one or both of these actions, and it is your obligation, as a business, to respect the wishes they express.

4. Plan and implement clearly defined compliance processes company-wide.

Under the GDPR, your customers must be able to precisely control how you use their data. This means you can’t use one catch-all checkbox or banner to capture universal consent to process and communicate in whatever ways your company chooses. Consent mechanisms must be kept separate from other terms and conditions, and requests for consent must be unmistakably clear. Affirmative consent is obtained when a user opts in with full knowledge of what they’re consenting to.

Furthermore, new and existing customers must be able to easily opt out or withdraw consent at any time. A GDPR-friendly marketing email, for example, should always include a link or written instructions allowing the recipient to immediately unsubscribe from future communications. Keep in mind that even if a customer opts into a certain mailing list, newsletter, or blog subscription, that does not give your company permission to use their data for purposes other than those the customer consented to. To that end, make sure your company has a means of tracking and remembering your customers’ preferences.

The GDPR also empowers individuals to request their information, as well as modify or delete it completely, at any time. This means a customer can ask for a copy of their data in a readable format, ask to see and verify the lawfulness of processing, ask for changes to be made to their records, and ask for their information to be permanently removed from your database. Should your business receive any such requests, you must have a way to accommodate them.
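As an added illustration (not from the original post, and not any particular vendor’s tool), the following Python sketch shows how the points in step 4 fit together in code: consent is recorded per purpose, a newsletter opt-in does not unlock marketing email, a withdrawal is logged as a new event rather than by deleting the old one, and the access, rectification and erasure requests described above map onto operations on the same record. The purpose names, field names and sample address are constructed for this example.

```python
"""Per-purpose consent ledger with access, rectification and erasure.

Added example, not code from the original post. An in-memory stand-in for
the customer table and consent log a real CRM would hold; the purposes and
sample data below are constructed for illustration.
"""
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Purposes are enumerated explicitly: one catch-all "I agree" box is not
# granular enough, so each purpose is consented to (or not) on its own.
PURPOSES = frozenset({"crm_storage", "marketing_email", "newsletter"})


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool   # True for an opt-in, False for a withdrawal
    at: str         # UTC ISO-8601 timestamp; the event list is the audit trail
    source: str     # where the choice was captured, e.g. "contact_form"


@dataclass
class Subject:
    email: str
    name: str
    phone: str = ""
    events: list = field(default_factory=list)


class ConsentLedger:
    """Personal data plus the full per-purpose consent history of each subject."""

    def __init__(self):
        self._subjects = {}

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def register(self, email, name, phone=""):
        # Storing the record grants NO consent; every purpose is opted into separately.
        self._subjects[email] = Subject(email=email, name=name, phone=phone)

    def _record(self, email, purpose, granted, source):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._subjects[email].events.append(
            ConsentEvent(purpose, granted, self._now(), source))

    def grant(self, email, purpose, source):
        self._record(email, purpose, True, source)

    def withdraw(self, email, purpose, source="unsubscribe_link"):
        # Withdrawal appends an event so the earlier opt-in stays on record.
        self._record(email, purpose, False, source)

    def has_consent(self, email, purpose):
        """The most recent event for this purpose decides; no event means no consent."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        subject = self._subjects.get(email)
        if subject is None:
            return False
        for event in reversed(subject.events):
            if event.purpose == purpose:
                return event.granted
        return False

    def export(self, email):
        """Right of access: everything held about the subject, as readable JSON."""
        return json.dumps(asdict(self._subjects[email]), indent=2)

    def rectify(self, email, **changes):
        """Right to rectification: correct contact fields, never the consent history."""
        subject = self._subjects[email]
        for key, value in changes.items():
            if key not in ("name", "phone"):
                raise ValueError(f"cannot rectify field: {key}")
            setattr(subject, key, value)

    def erase(self, email):
        """Right to erasure: drop the whole record. Returns False if nothing was held."""
        return self._subjects.pop(email, None) is not None


def can_send_marketing(ledger, email):
    """Gate a marketing send on that specific purpose, not on any other opt-in."""
    return ledger.has_consent(email, "marketing_email")


def demo():
    """Walk one constructed subject through opt-in, withdrawal and erasure."""
    ledger = ConsentLedger()
    ledger.register("ana@example.com", "Ana Example")          # constructed sample
    ledger.grant("ana@example.com", "newsletter", "signup_form")
    after_newsletter_optin = can_send_marketing(ledger, "ana@example.com")
    ledger.withdraw("ana@example.com", "newsletter")
    after_withdrawal = ledger.has_consent("ana@example.com", "newsletter")
    erased = ledger.erase("ana@example.com")
    return {"marketing_allowed": after_newsletter_optin,
            "newsletter_after_withdrawal": after_withdrawal, "erased": erased}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `has_consent` reads the latest event rather than a single boolean column: the same list answers “may we email this person?” today and “when did they agree, and through which form?” if the lawfulness of processing is ever questioned, which is the second kind of request the paragraph above describes.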

Below is an example of how to establish consent on the Duffy Agency’s contact form.

Becoming GDPR-compliant can be daunting and tedious, but remember: these regulations will ultimately protect you, your business, and your customers. If you’re uncertain about the law’s requirements, we encourage you to consult your legal team for more personalized counsel.