Does the GDPR affect non-European companies?


The General Data Protection Regulation (GDPR) came into force in Europe at the end of May 2018.
It has brought a strict set of rules with it for companies and everyone who deals with user data. And non-European companies might want to revise the privacy settings of their websites too, because the GDPR will also affect them in certain cases.
The last few months have been tumultuous for many companies in Europe; after a transitional period of two years, the General Data Protection Regulation finally came into effect. And with it came many strict regulations on how data must be used, processed, stored and deleted. These regulations have an impact on American or Asian companies, too, if they have a web presence that is directed at a European audience.
What is the GDPR even about?
The legislator wants to prevent personal information from being abused. Whenever you collect data about a visitor to your website, you must tell them why you collect it and exactly what you hold about them. Ensuring the integrity of personal data for individuals, not organizations, is now the priority. Users must be able to deny you access to their data and have the right “to be forgotten”. That means that whenever you use tracking links, or ask for names, dates and the like, the user’s consent must be
- given freely and knowingly
- explicit
- unambiguous
- retractable
Furthermore, whoever processes personal data must ensure that this information is stored securely and is inaccessible to third parties. Breaches of data security, missing explanations of how data is used, or the use of data beyond the communicated purpose can result in high fines. No less than $ 24 million or 4% of your annual turnover must be paid in that case – whichever sum is higher!
Who is affected by the GDPR outside the EU?
According to a RealWire survey, only 16% of American organizations believe that they need to be compliant with the GDPR, while the real percentage of affected companies is certainly higher. So, if any one of these situations applies to you, it is time to update your data handling:
You collect data in the EU
If you process the data of EU citizens living in the EU, the GDPR applies to you. This involves not only payment data but also personal information (e.g. when conducting a survey or accepting registrations for your newsletter). However, if a European citizen is not in the EU while you collect their data, the GDPR does not apply to you.
You direct your advertisement and products at European markets
Of course, your website can be found all over the globe. Whether you have to comply with the GDPR depends on your customer targeting. If you offer shipping to and financial transactions with European countries, you should probably adapt your data handling to the GDPR. Software services, travel and e-commerce companies are the most likely to be affected. If, however, you only direct your communication at your own, non-European country, you can disregard the European law.
5 to-do’s to make your website more compliant
There are some quick changes you can make now to ensure that your website complies with the European law:
1) Upgrade your privacy policy: Your data privacy policy must be written so that everybody can understand what you do with your users’ data – no hidden meanings or legalese allowed!
2) Obtain consent via double opt-in: The double opt-in is especially relevant for your newsletter marketing. First, you let your users decide whether they want to receive your emails, with no strings attached (e.g. they don’t automatically enter your mailing list by shopping in your online shop). Then they confirm their agreement via a confirmation email. This way you make sure that your new recipient is genuinely interested in your news.
3) Checkboxes: If you have a comment section on your website, you also have to point out why you ask for your readers’ names and email addresses at this point. A single checkbox confirming the user’s agreement does the trick here.
4) Secure storage: Make sure that you use strong passwords. No unauthorized person should be able to access your users’ data, which is especially important for sensitive information such as medical records or credit card numbers. Also, keeping a second copy of the data prevents it from being lost in the event of a server crash.
5) Training: It can be wise to appoint and train one of your employees to be responsible for data protection matters. But really everybody in your company should be in the know about the GDPR. That’s why establishing staff retraining programs and procuring more compliant information technology platforms is advisable.
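The double opt-in in step 2, together with the consent properties listed earlier (explicit, unambiguous, retractable), can be written out as a small server-side flow. The code below is an added example and is not from the original article or from any product it mentions. It assumes an in-memory store in place of a database, a server-side HMAC secret, a two-day lifetime for the confirmation link and an injectable clock; the e-mail address and the secret are constructed demo values. Consent is recorded per purpose, the link in the confirmation e-mail carries a signed token that can only be used once before it expires, and withdrawal keeps the record so you can show when consent was given and taken back.

```python
"""Double opt-in consent flow (added example, not the article's own code)."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation link is valid for two days


@dataclass
class ConsentRecord:
    email: str
    purpose: str                      # consent is per purpose, e.g. "newsletter"
    requested_at: float
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentStore:
    """Tracks pending, confirmed and withdrawn consents per (email, purpose)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret                       # assumption: server-side HMAC key
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str, now: float) -> str:
        """Step 1: the user ticks the box. No mail is sent yet; the returned
        token is what would go into the confirmation link."""
        email = email.strip().lower()
        self._records[(email, purpose)] = ConsentRecord(email, purpose, requested_at=now)
        payload = f"{email}|{purpose}|{int(now)}"
        return base64.urlsafe_b64encode(f"{payload}|{self._sign(payload)}".encode()).decode()

    def confirm(self, token: str, now: float) -> bool:
        """Step 2: the user clicks the link. Accept only a token we signed,
        for a still-pending request, within the TTL."""
        try:
            raw = base64.urlsafe_b64decode(token.encode()).decode()
            email, purpose, issued, mac = raw.split("|")
        except ValueError:           # malformed base64 / wrong field count
            return False
        if not hmac.compare_digest(mac, self._sign(f"{email}|{purpose}|{issued}")):
            return False             # tampered or forged link
        if now - int(issued) > TOKEN_TTL_SECONDS:
            return False             # stale link
        rec = self._records.get((email, purpose))
        if rec is None or rec.confirmed_at is not None:
            return False             # nothing pending, or link already used
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, purpose: str, now: float) -> bool:
        """Consent must be retractable: mark it withdrawn, keep the record as evidence."""
        rec = self._records.get((email.strip().lower(), purpose))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = now
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        rec = self._records.get((email.strip().lower(), purpose))
        return rec is not None and rec.active


def demo() -> Dict[str, bool]:
    """Walk one subscriber through the flow; values are constructed for the demo."""
    store = ConsentStore(secret=b"constructed-demo-secret")
    t0 = 1_700_000_000.0
    token = store.request("Alice@Example.com", "newsletter", now=t0)
    result = {"before_confirm": store.may_send("alice@example.com", "newsletter")}
    result["confirm"] = store.confirm(token, now=t0 + 600)
    result["after_confirm"] = store.may_send("alice@example.com", "newsletter")
    result["replay"] = store.confirm(token, now=t0 + 700)                 # second click
    result["tampered"] = store.confirm(token[:-4] + "AAAA", now=t0 + 800)  # altered link
    stale = store.request("bob@example.com", "newsletter", now=t0)
    result["expired"] = store.confirm(stale, now=t0 + TOKEN_TTL_SECONDS + 1)
    result["withdraw"] = store.withdraw("alice@example.com", "newsletter", now=t0 + 900)
    result["after_withdraw"] = store.may_send("alice@example.com", "newsletter")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only `may_send` should gate an actual mailing: a ticked checkbox alone leaves the record pending, which is exactly the "no strings attached" point of the double opt-in.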
Still unsure about the implications of the GDPR on your email communication? Stay on the safe side and download our checklist for GDPR-compliant newsletter marketing here!