In April 2016 the European Parliament and Council launched a huge change in data regulation with the General Data Protection Regulation (GDPR) taking effect in May 2018. Now as we approach the one year anniversary of the regulation effective date, we want to know how your organization is doing in complying with the change.

Wait, back up. What is the GDPR? 

The GDPR is a comprehensive and far-reaching replacement for the Data Protection Directive. It provides increased protection to European citizens by giving them even more control of their personal data—when it’s collected, who it’s collected by, and what’s done with the data. Companies who didn’t make the necessary changes to comply with the regulation by the May 2018 deadline are now subject to serious fines.

But I’m in the U.S. so this doesn’t apply to me, right? 
While the Internet is great in that it makes the global world accessible from anywhere, that global accessibility puts you at the mercy of the GDPR if your audience includes any European citizens. Even if you’re a local business that focuses on foot traffic and rarely puts out content to the general public, if you have a website, you need to be GDPR compliant.

While you might not reach a European audience now, that could change in the future. It’s better to be prepared now than to be faced with the daunting task of working backward later.

So, what should I do? 
If you haven’t already made updates to be in compliance with the GDPR, here are a few places where you can start. For a complete list of what the GDPR regulates, check out the key changes.

• Update your privacy policy. Most privacy policies are out of date and therefore out of compliance. Make sure yours includes all the essential information like how you collect data, where and how you store data, third party disclosures, and more.
• Give your audience an easy “in” and “out” when it comes to their personal data. The GDPR regulates that you have to obtain consent from your users before you collect their data. You also have to make options available for users to request that their data be erased should they change their mind later. Make sure you use clear, concise language about what data you’re collecting as well as what you’ll be doing with that data.
• Make data handling a priority. The GDPR also regulates that certain companies must appoint a data officer. For example, if you collect data on individuals’ health, racial or ethnic origin, religious beliefs, or genetics, you must have a data officer. However, this position doesn’t have to be a new hire or someone’s sole responsibility; it can be added to an existing employee’s job duties.
• Communicate changes to your audience. Once you finish your updates and are sure you’re in compliance, send an email or letter to your audience letting them know of the changes you’ve made. In the communications, make sure to point them to your new privacy policy so they can review it and give them an option to opt out of having their data collected and/or stored.

Complying with the GDPR isn’t just a good idea in order to avoid fines, it’s vital in proving to your audience that you’re a trustworthy brand. Increasingly, individuals are changing their consumer habits and switching brand loyalty due to lack of trust. By complying with the GDPR and communicating those changes to your audience, you show them that you’re not only compliant but also have their best interests in mind.

For more resources on the GDPR and ways to stay compliant, visit EU GRPR.