With the rise and rise of digital business, cross-border transactions and data transfers are inevitable. Under the General Data Protection Regulation (GDPR), organizations are subject to the regulation if they process personal data within the European Union. However, it also applies to organizations outside the EU “that offer goods and services to individuals in the EU.”
But we offer goods and services, we don’t process personal data.
That’s what you think! Many U.S. organizations do not think that GDPR applies to them. Here’s a simple scenario:
- You have an email list.
- Your business is based in Idaho.
- You offer coaching services to clients.
- Before people become your clients, they first visit your website and complete an opt-in form to download your free white paper that will help them jumpstart their business. The information you collect on the form includes name, last name, email address, and telephone number.
- Your website is on the world wide web and available to anyone anywhere in the world.
- A few people based in London, Stockholm, Brussels, and Paris sign up. Upon subscription, they receive the free white paper.
Now that you have their personal data, you will use it to build the new digital relationship, with the ultimate aim of turning them into clients. You nurture the relationship by sending further emails, some commercial in nature, and even by offering your subscribers an opportunity to use a third-party application to book a free mini clarity session. This is an initial discussion to understand their needs and to close the sale.
Okay, so you are confident that none of your perhaps 20,000 email subscribers are in the EU, but check this out.
GDPR Personal Data Scenario
Because your website gets heavy traffic from all over the world, and you want to market your services effectively to reach your target audience, you have an analytics tool installed. It gives you a lot of information about where your traffic is coming from, even the IP addresses of subscribers.
Under GDPR, IP addresses are now included in personal data.
GDPR and Tracking Info for Advertising Purposes
What about that Facebook pixel that you added to your website or a client’s website? Does it not track the activity of the website user? Facebook describes its pixel thus:
Do you still think you do not process any personal data within the EU? What about the email addresses and other identifiers? Do you think because you do not have a physical EU location that your virtual transactions are not subject to GDPR?
What about England and Brexit?
Does it mean that a U.S. organization that processes personal data and offers services to clients in Nottingham, England will not be subject to the GDPR when the UK leaves the EU?
The fast answer is this: don’t even dream of it! The UK government confirmed that withdrawal from the EU does not affect it.
GDPR applies to automated and manual lists. If you are collecting personal data via list building and funnels or advertising, be sure that whatever you are doing is GDPR compliant.
PS. Failure to comply with the GDPR could result in a fine of €20m or 4% of annual global turnover, whichever is greater. Who wants that?
Belinda is a Global Privacy and Cybersecurity Consultant, Corporate Trainer (leadership, culture, diversity and inclusion, cyber privacy and security awareness), Writer, and International Speaker with a unique blend of law and technology. She is a digital entrepreneur, author, ordained pastor, mentor to women ready to impact their generation and host of Destiny Chats podcast.