Keep hearing about GDPR? What does it mean for you?
Recently the European Union (EU) established new regulations for managing data that will go into effect in May 2018.
You may have heard about these changes or, if you use Google Analytics, you may have already received a number of Data Retention related emails from your website provider or from Google.
At first glance, you may have thought that these are a reaction to the recent data scandal surrounding Facebook when, in fact, they are really about the GDPR initiative that has been in the works by the EU for several years.
Of course, in light of this new law, your biggest question probably is: “How will this affect my business?”
Before getting to the answer, let’s consider some important information about the GDPR.
What Is the New General Data Protection Regulation?
The GDPR, enforced by the European Union is a legislative requirement that was passed by EU Parliament in April 2016 with the goal of being implemented in May 2018.
The objective of the initiative is to help the EU have a unified policy for all their member countries. Therefore, the GDPR aims to protect EU Citizens’ privacy and data and regulate how companies use this information.
The law was initially first implemented in 1995 but has recently been updated to reflect changes in how we use the Internet.
How Has the Law Changed?
According to the official EU website, the policies that are part of the GDPR include:
Right to Access Data
Consumers have a right to access their data collected by a company. They can also receive a free copy of this data.
Notification of a Data Breach
If a company experiences a data breach that could, “result in a risk for the rights and freedoms of individuals,” the company must inform customers within 72 hours.
Data Erasure
This has been covered in the media as being “The Right to Be Forgotten.” This means consumers have the right to ask companies to remove their data from their files and to cease disseminating their data.
Privacy by Design
A company is required, “to hold and process only the data absolutely necessary for the completion of its duties.” The organization must also limit who has access to the data.
Fines
A company that breaches this regulation can face financial consequences of up to 4% of their annual global revenue or 20 M Euros, depending on which is greater.
Release
When a consumer authorizes a company to collect their data, such as in “terms of use,” the release must make sense and be clearly understood.
Data Portability
Consumers have the right to be able to transfer their data to another organization.
Data Protection Officers
This is meant to streamline data processing activities for companies but requires more internal recordkeeping.
How Does the New Law Affect Your Business?
Since the GDPR affects any company that provides goods and services marketed to EU citizens as well as any company processing or holding personal data from these EU citizens—regardless of the company’s location—this is the obvious question for therapists and coaches worried about the new law.
Here’s the good news: If you are a U.S. based therapist or coach who only markets their business to people in the United States, you don’t have to worry about the law. This law is only meant for businesses that target, or attempt to attract, customers and clients from EU-member countries.
In other words, if someone who lives in an EU country happens to find your website and opts in to your email list or does business with you in another fashion, this law does not apply to you. As long as you do not specifically market your services or products to EU citizens—meaning your website is written in English and for U.S. consumers—you’re okay.
However, if you are a U.S. based therapist or coach who markets their business to people in the European Union—meaning your website has information in the language of an EU country or you quote prices in EU currency, or you make references to customers and users from that country—the GDPR does apply to your business.
In summary, “doing business in the EU” means specifically:
- You market yourself to people living in European Union countries.
- Your practice has a domain name from an EU country.
- You create an ad campaign or website pages targeting people living in EU countries in their language.
- You collect personal information from a consumer you have targeted that lives in an EU country.
Of course, most U.S. based therapists and coaches who own their own business are not marketing to people in Spain or other European countries. Rather, they keep their focus on their specific city or region for finding clients.
Yet, if you are a practitioner who has a niche clientele and who specifically markets to people in the EU, you need to familiarize yourself with these new rules.
Do You Need to Do Anything?
Obviously, the Internet has changed a lot in the last thirty years. How we use and share our personal data looks a lot different today than in the 1990s. Therefore, national and international regulations that govern these matters and help to better protect customers’ privacy and the security of their personal information will continuously change.
For that reason alone, you will and may have already received information from your website provider or from Google about Data Retention. These companies operate on a global scale—which obviously includes the EU.
Since the GDPR identifies IP addresses as “personal data” and Google Analytics, for example, uses IP addresses to calculate the number of unique visitors to your site, extra efforts are being made to be more transparent about how this data is used. In fact, through this effort, Google Analytics is enforcing a Data Retention Policy.
What do you need to do? – That depends upon the scope of your business and your usage of Google Analytics.
Within Google Analytics, under the “Admin” menu and the “Tracking Info” menu, there is a “Data Retention” menu item. To assure that you are in compliance with the GDPR, under this menu, you can adjust how long data from your users and/or customers is being retained.
However, as mentioned before, if you are a therapist or coach in the U.S. who is not marketing to EU countries or consumers, you shouldn’t have to worry about this. The notices from Google Analytics do not pertain to you and you can simply utilize the default settings on your Google account.
Fortunately, for 99% of the therapy and coaching business field in the U.S., the new policies of the GDPR will not be an issue.