The Fuss About GDPR

Unless you’ve been living under a rock, you’ve probably heard about GDPR, the General Data Protection Regulation, which went into effect on May 25, 2018. As a small business, you may think that this really doesn’t apply to you – you don’t have clients in the EU and are not targeting or soliciting EU clients.

Well, you may want to think again. GDPR has a very wide scope and covers a wide range of personal data that is collected. The goal of GDPR is to address the protection and management of consumers’ personal information. Personal information includes names and addresses, as well as seemingly anonymous data such as computer IP addresses.

You may have heard of cookies – not the edible sort, but the more serious computer-related cookies. Cookies are small text files that websites automatically store on your computer as you browse the web. Cookies can give a great deal of insight into your activity and preferences, and can be used to identify you without your consent. So unless you can be absolutely sure that no EU resident will ever wander onto your website or mobile app, it would be wise to comply.

As a small business, if you send out newsletters, have an email opt-in box on your website, do any kind of online marketing, or simply have a website, you should comply with GDPR. Non-compliance with GDPR carries hefty fines – they can be as high as 20 million Euros or 4% of yearly revenues, whichever is higher.

So how do you comply with GDPR? Here are a few steps you can take:

  1. Perform an internal analysis on the kind of personal information you currently hold and collect.

  2. Determine why and how you collected this personal information, and whether users consented to its collection.

  3. Determine how long you will retain it, how you ensure the security of that information, and whether you share it with third parties.

  4. Your Privacy Policy must be prominently displayed and easy to access. For those of you that don’t have a Privacy Policy, you need to get one now.

  5. GDPR requires that the language in the Privacy Policy be “concise, easy to understand and clear”.

  6. Users must have the capability to easily access, view, edit or delete their information, and object to marketing messages.

  7. Links to edit users’ personal information must be provided in the Privacy Policy.

  8. You must request active user consent before collecting personal information (even if it is only an IP address).

At Nupur Shah Law, we help entrepreneurs protect their business. Call us at 646-820-1366 or email us at I am happy to have a complimentary conversation with you on how to secure and/or defend your rights.
