If you are an online retailer who markets to, and does business with, any customers from Europe, I have some news for you: A significant new privacy law came into effect in Europe (as of May 25, 2018) that applies to you. Similarly, if you’re considering expansion into European countries – even if only for e-commerce – you will need to comply.
Passed by the European Union and called the GDPR (for General Data Protection Regulation), the law is intended to protect the privacy rights of all EU citizens.
- They have a “right to be forgotten” in the case of a data breach
- There is a quick 72-hour reporting period for such a breach
- There are strong consumer consent protocols that apply, and
- Fines for breaches and non-compliance are high
Bottom line: If you sell online and have European customers or clients, you must take extra precautions to keep their data secure. The thrust of the law is to protect the privacy of EU citizens, and that means that you, even as an American small business, must adhere. That means if you have a data breach that compromises the privacy of your customers, as happens so often these days, you are subject to the GDPR.
What the law demands specifically is that, should your data be breached, you have three days to inform the country in question of the breach, let them know the citizen(s) involved, and offer the citizen the opportunity to protect their data by being able to move it somewhere else (the “right to be forgotten”). Failure to comply on your part can result in hefty fines and even a class-action lawsuit.
There is one caveat, however. According to Forbes, the protections of the GDPR apply only if you have specifically targeted this customer:
“Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.”
What You Should Do
So, what can you do to protect yourself and the privacy rights and data of your European customers? You must take data protection seriously and protect your business from getting hacked.
Here are a few simple ways to do that:
1. Update – or get! – anti-virus software. You should consider anti-virus software to be your first line of defense. Unfortunately, a lot of small businesses neglect this software altogether and are therefore vulnerable to some of the most severe security attacks, like ransomware.
2. Download from reliable sources. One of the bad guys’ top tricks is to make you download infected software from their scam websites. Be careful about where and what you download.
3. Use a secure connection for receiving/transmitting sensitive financial data and orders. Your e-commerce and other vital financial transactions should be done over sites that use either SSL (Secure Sockets Layer) or TLS (Transport Layer Security). You want a URL that begins with “https.” That S stands for “secure.”
So, the bottom line on the GDPR is this, and Forbes puts it best: “U.S. companies, especially those with a Web presence, should be paying attention and changing practices now and not waiting to become a headline two years down the road.”
Steven D. Strauss is one of the world's leading experts on small business and is a lawyer, writer, and speaker. The senior small business columnist for USA Today, his Ask an Expert column is one of the most highly syndicated business columns in the country. He is the best-selling author of 17 books, including his latest, The Small Business Bible, now out in a completely updated third edition. You can also listen to his weekly podcast, Small Business Success. © Steven D. Strauss.
Bank of America, N.A. engages with Steve Strauss to provide informational materials for your discussion or review purposes only. Steve Strauss is a registered trademark, used pursuant to license. The third parties within articles are used under license from Steve Strauss. Consult your financial, legal and accounting advisors, as neither Bank of America, its affiliates, nor their employees provide legal, accounting and tax advice.
Bank of America, N.A. Member FDIC. ©2018 Bank of America Corporation