Let me start by saying, I am not a lawyer and since I did not stay in a Holiday Inn last night I can’t even pretend to be one. With that out of the way.
We have clients all over the US. We do not really have any clients that are based in the EU at this moment. So I am writing this guide as a Cliff's Notes version for US companies.
Let's start with a definition. GDPR is short for EU General Data Protection Regulation. The official website can be found here.
Basically, the regulation states that users should have the right to delete their data from your records, the right to restrict access to their data, the right to export their own data, the right to fix their own data, and the right to see all the data you store about them.
As a US-based company doing business with other US-based businesses, the chances of you having issues with GDPR are so slim you probably have a greater chance of being struck by lightning than having someone take issue with your implementation of GDPR. Especially if your website does not have membership capabilities.
If you are based in the US but you do business in the EU, then I would have a lawyer review your Privacy Policy and your Terms & Conditions just to make sure that you are covered. The Regulation also calls for those documents to be written in easier-to-understand language, versus the pages and pages of legalese most lawyers provide.
If you use email to market your product or services, I would immediately stop sending email to any lists that you have purchased that have EU email addresses in them.
Many of our clients use MailChimp to collect email addresses. MailChimp appears to have plans to release some new functionality that will allow a user to adhere to the above. That article is linked here.
This PDF, also provided by MailChimp, was published almost a year ago. Pages 6-9 are of interest if you are a MailChimp user.
One other thing you might want to do is have a little blurb next to any sign-up form that tells people you will be using their email address to send emails x times a month with x information in them.
If you have a website that has membership capabilities, then you'll want to dig deeper into the Regulation. But if you adhere to the paragraph above that outlines the basic tenets of the Regulation, you should be OK.
If your website ties into a CRM like Salesforce, then you'll also need to provide for the basic tenets of the Regulation. Salesforce has some information regarding GDPR on their site as well.
And finally, if you are a US company that sells products through an ecommerce platform, the Regulation will definitely affect you. We have a few clients on Shopify. Shopify also has an article on how they are going to address GDPR. If you are on a different system than Shopify, then you will want to make sure that system has a plan.
GDPR goes into effect on May 25th, 2018. If you need any more help understanding how it may affect your business, then drop me a line.
Oh, and consult a lawyer. Because I am not one.