We are living under the regime of the General Data Protection Regulation. Your dreams and innocent memories are collateral damage.
Living the Dream
May 25th was a historic Internet milestone. Prior to this epic day in the year 2018, Internet Service Providers (ISPs) were wooing everyone to launch a website and sell useless widgets or begin a recipe blog. Soon, people who never penned a postcard were blogging under the nom de plume, ‘Hemingway.’
Toll House cookie bakers and many others with dropshipping dreams were “virtually” in business with no graphic design experience required. As a result, ISP businesses were making a lot of dough hand over fist, so to speak.
Let’s be honest. Most of the pop-up websites are pretty pathetic looking. But they’re a start. Longing for customers, these shallow-pocket hopefuls bombard social media and begin accumulating subscriber emails.
To improve website appearance, a third-party app plugin is added here and there. With persistence and a few theme changes, a site's success begins to rise like cookies with too much baking soda. Perhaps you were inspired to serve up your own website.
Living the Nightmare
What dashed this utopian dream on May 25, 2018? A regulation enacted halfway around the globe from many site owners battered ISPs by the dozens. The ISPs that remain are not assuming extended liability for the many website owners they signed up. The fond childhood memories of baking cookies with siblings and some day making an online business out of it may need to remain memories.
The Internet disrupter is the General Data Protection Regulation, GDPR for short. This regulation makes maintaining a website anywhere in the world more difficult. Whether international law concedes so much authority to the European Union is yet to be seen. In the meantime, you can either risk doing nothing and become a test case for the legal limits, or pay more attention to site visitor data.
The principle is simple and well-intentioned—protect the privacy of European visitors. But implementation can be daunting if you don't know where your subscribers reside or never paid attention to those third-party plugin privacy agreements. Even if you did, your vendors may not have disclosed everything done with the customer data or allowed you to opt out of questionable usages.
Some site owners feign compliance by adding a pop-up box telling visitors they must accept a privacy policy. Without extensive backend modification, this is about as effective as drizzling icing on stale cookies.
That’s the Way the Cookie Crumbles
Who doesn't love freshly baked cookies? To those wooed by the simplicity of launching a website without understanding its ingredients, cookies have a new technical meaning. Visitors' Web browsers might be littered with your crumbs unless you know the difference between session and persistent cookies.
The fact is, many site visitors terrified of cookies have no idea of their importance. So, given the control to remove them, they can actually obstruct their own browsing experience. It would be like someone asking you to remove the coconut, pecans and chocolate chips from your German chocolate cookie recipe.
You may not recall personally saving cookies on visitor computers, but the apps that make creating websites so easy have done so. Now, Toll House Baker is liable for undisclosed data usages, inadequate data protection and possible breaches. Before you shrug off the assessments, understand that these fines are not morsels. GDPR penalties run into the millions of dollars.
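A persistent cookie is one the browser keeps after it closes because the Set-Cookie header carries an Expires or Max-Age attribute; a session cookie has neither and is discarded at the end of the browsing session. The following Python is an added example, not part of the original post, that sorts Set-Cookie headers captured from your own site's responses into those two kinds so you know which crumbs a privacy notice must disclose; the headers, cookie names and domain are constructed for illustration, not taken from any real vendor.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers, as a site owner might capture them
# from their own site's HTTP responses (not headers from any real plugin).
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "cart=3items; Path=/; Max-Age=2592000; Secure",
    "_tracker=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Domain=.example.com",
    "prefs=dark; Max-Age=0",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes with lower-cased keys)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flags like Secure -> True
    return name.strip(), value, attrs

def classify_cookie(header, now=None):
    """Report whether a cookie is session, persistent or an immediate deletion, and its lifetime."""
    now = now or datetime(2018, 5, 25, tzinfo=timezone.utc)  # GDPR enforcement date as reference
    name, _, attrs = parse_set_cookie(header)
    lifetime = None
    if "max-age" in attrs:  # Max-Age wins over Expires when both are present (RFC 6265)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        lifetime = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    if lifetime is None:
        kind = "session"      # no expiry attribute: gone when the browser closes
    elif lifetime <= 0:
        kind = "deleted"      # zero or past expiry tells the browser to remove the cookie
    else:
        kind = "persistent"   # survives on the visitor's disk until it expires
    return {"name": name, "kind": kind, "lifetime_seconds": lifetime,
            "secure": "secure" in attrs, "httponly": "httponly" in attrs,
            "samesite": attrs.get("samesite")}

def persistent_cookies(headers, now=None):
    """The cookies a consent notice must cover: everything that outlives the session."""
    return [c for c in (classify_cookie(h, now) for h in headers) if c["kind"] == "persistent"]

if __name__ == "__main__":
    for cookie in (classify_cookie(h) for h in SAMPLE_SET_COOKIE_HEADERS):
        print(cookie)
```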
Multiple data controllers (your new title as a small business owner) are sometimes held just as responsible as the third-party companies hired to process data. Penalties may be multiplied by the number of companies handling customer data. That adds up to some serious dough. European regulators may be targeting large multinational corporations, but the law also holds the little guys' hands to the fire.
Recipe Complications
For the sake of analogy, you may initially have envisioned that you could simply let people taste the wonderful cookies you bake. They would be so delighted that the cash register would start overflowing. After all, everyone loves cookies, right?
It doesn’t matter whether your website is an adjunct to a brick-and-mortar store or the sole source of income. The new regulation, metaphorically speaking, requires you to disclose what will be done with the DNA left on the napkins used by customers before they take a bite.
You need to hand them a napkin that indicates the origin of the chocolate chips and nuts. Calorie counts and nutritional benefits, of course, are on the reverse side. Now document acceptance of the napkins for each customer.
Keep track of the serial numbers on any currency that exchanges hands. Then, at some point in the future, visitors from 28 specific geographic regions can return and request a detailed report of how many napkins they used, what they ate and how much they spent. Others ask you to wipe your store of their fingerprints and DNA. It’s enough to make you smash your Easy-Bake Oven.
If that is not taxing enough, the U.S. Supreme Court's South Dakota v. Wayfair ruling opens the opportunity for states to charge interstate sales tax. As legislation rolls out, it will likely be mostly threshold-activated, at least initially.
Returning to our analogy, imagine charging a different tax to each customer based upon the state in which they were born and how many baked goods they purchased. This requires sophisticated software to track location-based online sales. Fortunately, TaxJar is ahead of the game, but very likely you will still require assistance from an accountant.
Cut them off like you’re slicing a roll of Toll House cookie dough.
If GDPR caught you off guard or you have not yet launched your website, get informed and comply—quickly. Begin by asking all your vendors what customer data they retain, for how long, what do they do with it, and how it’s secured. If you are unsatisfied with the responses, request the data they have (in case your customers want it in the future) and cut them off like you’re slicing a roll of Toll House cookie dough, so you won’t get burned later.
Next, make certain you implement granular informed consent at the point of data capture. Then document protocols for keeping data secure and handling requests for erasure. If you can, identify how many customers you already have that reside within the European Union. Write a comprehensive privacy policy and stick by it.
This is just the beginning. The GDPR recipe book is 261 pages long. So you may need help from real writers, programmers, security and legal experts. Many of the compliance tools that rushed to market ahead of the deadline had major flaws. More are now available but select carefully.
Make certain the tools and apps you use do not themselves violate GDPR. If all this is too much to comprehend, afford or implement, consider selling your cookies door-to-door or leave this business to the French bakery chefs.
Obviously, GDPR affects more than online bakery goods. It regulates scientific specimens, medical history, financial data, social security numbers, photographic likenesses, racial or gender bias, and personal contact information like phone numbers, street and email addresses. For healthcare, GDPR is a level above HIPAA. Protect customer and visitor data or your business could vanish like a session cookie.