The European Union’s General Data Protection Regulation (GDPR) went into effect May 25, 2018, bringing with it new privacy requirements that can affect businesses around the world. We’ll answer the big questions, so you can get back to marketing your small business while remaining in compliance.
Who needs to pay attention to GDPR?
Nearly everyone. These new EU laws affect U.S. companies as well. If your company collects data from someone residing in a country that’s part of the EU, you’ve got to play by the same new rules. Industries with international markets — like hospitality, travel and e-commerce — will have to be especially careful, as targeting audiences in the EU is now a trickier business. If U.S. companies have advertisements or websites in an EU country’s currency or language, they’ll have to comply with GDPR. The best bet is for all companies to be aware of the coming changes and potential action items.
What do businesses need to know?
GDPR is a law meant to protect citizens of EU countries by placing new compliance rules on the collection of personal data and online behaviors. The biggest change will be the method of gaining consent from consumers. To gain consent, companies need permission policies that allow consent to be “freely given, specific, informed and unambiguous.” Additionally, people must be able to have their information deleted whenever they want, be notified within 72 hours of a security breach and be able to ask companies what data is being stored about them.
There will also be some changes in the email marketing landscape. No longer is it permissible to display pre-checked sign-up boxes, or to auto-enroll past customers to receive email. Businesses must disclose every way they will use consumers’ emails in clear and plain language. And for email addresses previously collected, backtracking work may be needed to make sure the proper permissions were given. Since it’s hard to know for sure when someone is online in the EU, it’s better to be safe than sorry: If the use of someone’s email address was not clearly disclosed, you can’t consider it informed consent and continue to email that recipient. On the other hand, if your consumers have been given the option and clearly opted in to receive emails, no actions need to be taken on your part.
Companies on social media can relax a bit here. Platforms like Facebook and LinkedIn will be covered under GDPR by putting privacy notices in their terms and conditions. In turn, you and other social media users are covered by agreeing to the terms. Besides, organic activities, like posting and engaging with fans, don’t collect personal data from people who view or engage with those activities. You only need to take action if you’re tracking visitor behavior with a tool like Google Analytics, or if you’re exporting contact details from your followers.
When do companies need to make changes by?
Although GDPR went into effect May 25, 2018, it’s never too late to make changes. Meeting these new requirements will be a flexible and ongoing process, and as long as businesses show an effort to comply, fines won’t be dished out. It’s well worth the effort because companies that refuse can face fines up to 20 million euros or 4 percent of a company’s gross annual income, whichever is higher.
How should you respond?
Follow these steps to head in the right direction:
- Find out what data your business has already collected and keep track of it in a spreadsheet where you can mark databases, files and other items that contain personal information
- Make sure the spreadsheet is accessible by everyone in your company
- Track whether consent was given (if it wasn’t, according to GDPR, you’ll have to gain permission before emailing those users again)
- Hire data protection officers — or outsource the role with an IT or law firm — to ensure the data is compliant and continuously monitored to meet requirements
- Don’t ignore your third-party services (it’s important that they are GDPR compliant, too, or EU regulators may consider your company non-compliant)
Following these guidelines will help keep you in compliance with GDPR. If you have additional questions, refer to the GDPR website or consult with an IT or legal professional in your area.