Update on GDPR- What You Need to Know

What is GDPR?

“General Data Protection Regulation”, or GDPR, is a European Union (EU) law created to protect the personal data of individuals in the EU. Enacted in 2016, the regulations go into effect May 25, 2018. The regulations include the “right to be forgotten,” 72-hour breach reporting, consumer consent for data use, and some very, very high fines.

GDPR Definition | Keystone

Even if you have no physical presence in an EU country, your company must comply with the law if you market to people in EU countries. While the regulation is 200 pages long, there are some things you can do to make sure you’re in compliance.


The law only applies to data collected when a person is in the EU. If the EU citizen is outside the EU when their data is obtained, the GDPR does not apply. However, if you are a business that is located outside the EU, but collects data from citizens within the EU, GDPR applies to your company.

Targeted Marketing

If your website is written to solicit only customers in the United States or B2B customers, the GDPR does not apply. However, if your site clearly is targeted to persons in the EU, the regulation applies.

Explicit Consent

When collecting personal data from EU persons, your forms will need to obtain “explicit consumer consent” to the collection of their data. Consent must be “freely given, specific, informed, and unambiguous.” For example, if you’re collecting a person’s email address, there will need to be a check-box (unchecked) with language that explains how their email address will be used.

72-Hour Notification

In the event of a data breach, companies will have 72 hours in which to notify either EU regulators or the individuals themselves, depending on the type of data breached.

Right to Be Forgotten

Individuals will also have the “right to be forgotten.” In other words, you will have the right to instruct a company to delete your data from their records. For multinational companies with lots of personal data in multiple databases, this can be quite the task to pull off.

GDPR Steps to Take

US-based businesses, as mentioned above, should comply with the law to the fullest extent possible at this time. There are a few things to consider with regard to GDPR in the future:

  1. Be transparent about how you’ll use personal data collected via the internet. The GDPR legislation is likely to spur the development of similar legislation in the United States. By being up-front with your data collection now, it will save you time and trouble in the long run.
  2. Don’t panic yet. The likelihood the EU will come after your US-based business first is very small…unless you’re Google, Apple, or Facebook. They’re going to try this out on the ‘big boys’ first; especially the companies with a history of privacy problems.
  3. Keep your eyes on the news. As the roll-out of GDPR begins, you’ll learn more about how it will be enforced. The details of the bureaucracy that will enforce the law are not fully functioning. We’ll all learn more in the coming months and years.
  4. Consult your own legal counsel as needed. This article contains information pulled from a number of sources (including our own legal counsel) but is by no means comprehensive on the issue. We’re not attorneys, nor did we stay at a Holiday Inn Express last night.

The GDPR is a sweeping change in data privacy regulation. It’s vital that you understand your company’s liability. Below are a few resources to help you better understand the regulation.

General Data Protection Regulation (the law in website format)

GDPR Compliance for Email Marketing. A Step-by-Step Guide. (by We Compose)

MailChimp’s GDPR Guide (by MailChimp)

GDPR: What Growth People Need To Know (by Reforge)

Yes, The GDPR Will Affect Your U.S.-Based Business (Forbes)

Note: This article does not constitute legal advice. We recommend consulting with professional legal counsel to make sure you’re compliant with all GDPR regulations.

Related Blog Posts