This new law has bled over into the U.S. due to the global reach of many large brands like Apple, Facebook, Google, etc. that serve clients in the EU and around the world. But what does this mean for small businesses in the U.S. like home care agencies?
Currently, the GDPR law only affects businesses operating in the EU. The main goal of this legislation is to give individuals more control over their personally identifiable information (PII), including the ability to restrict how companies use their information.
Below are some of the key components of GDPR.
- Individuals must be able to request a copy of their personal information. This means that companies need to develop a way to gather and export this type of data as well as present it to users in a simple format. The good news is that there isn’t expected to be an influx of these types of requests.
- Individuals have the “right to be forgotten.” Companies must have processes in place to permanently delete all of an individual’s records from their systems upon request.
- Explicit consent is required for any form of direct marketing – phone calls, emails, snail mail, etc. Pre-selected “opt-in” boxes will no longer be acceptable.
- This consent requirement also covers placing a cookie on someone’s hard drive to track their activity when they visit your website, which is why you will start noticing a lot more “By using this site you accept cookies” messages.
- Businesses can no longer share personal data across borders (e.g. between the EU and the US).
The law went into effect May 25th, 2018, and while some larger companies have needed to make changes to their privacy policies as a result, businesses that do not interact with individuals in the EU do not need to take any immediate actions.
However, it’s good to be as prepared as possible in the event that the US decides to enact similar legislation. The following are some things that can be done now to prepare for potential changes in US legislation.
- Develop a list of all types of PII that your business collects, where you collect that information from, who you share it with, what you do with it, and how long you keep it.
- Create a list of places where PII is stored.
- Adjust your “opt-in” policy to state more explicitly what a user is opting in to receive.