The General Data Protection Regulation (GDPR) goes into effect May 25th, yet you haven't prepared. This article will show why you need to act, and what your next steps are.

Have you seen the movie “Dunkirk?” Starting on May 26, 1940 and continuing for eight days, 338,226 troops from France, Britain and Belgium were evacuated across the channel to England. It was a dramatic, heroic, miraculous escape and rescue, facilitated by not just military vessels, but also hundreds and hundreds of civilian boats and ferries.

By The History Department of the United States Military Academy

Trapped by the advancing German army (shaded in pink above), these troops raced to the nearest port – Dunkirk – and began to evacuate France as General Viscount Gort, Commander of the British forces, saw no hope for repelling three panzer corps. Why was there no hope? Because they never anticipated this would happen.

The French had invested over 3 billion French francs, and nine years, constructing a series of fortifications along the German border, intended to stop, slow, repel and redirect any invasion from the Nazis.

By Goran tek-en, CC BY-SA 3.0

While a decoy army sat across from the wall further south, German forces raced through the Ardenne forrest and difficult terrain in Belgium and passed easily through the northern, weaker, areas of the “wall.” This wall, which completely failed to deter a German invasion, is referred to as the Maginot Line after the French Minister of War André Maginot. The term Maginot Line has since become a metaphor for expensive efforts that offer a false sense of security.

Are the new privacy regulations out of the European Union similarly misleading? Will these EU laws really have an impact globally? And of more immediate concern, do you, as a business owner, really need to adhere to these new rules?

In short, yes.

Today’s article is going to explore some of ways and reasons why, and then on Thursday, MAY 24 at 5pm ET, you’ll have an opportunity to tune in as Stephanie Liu and I talk about what we’re really supposed to do with and about GDPR.


GDPR stands for General Data Protection Regulation and it is a set of laws passed by the European Union (EU). Unlike traditional laws which only apply to people within a particular country, this regulation is designed to protect the data and privacy of EU citizens, from the rest of the world.

Which means any company that does business with, in, or for people who live in any country in Europe must be aware of the regulation stipulations and comply, or risk being assessed tremendous fines.

European Union courtesy Wikipedia.

“Does business with” may be too broad a definition though, so let’s hone that down further to: “collects personal information from, including names and email addresses.” Which means that even if you aren’t selling products, but you are allowing site visitors to subscribe or have an offer emailed to them, you’re collecting personal data, and the GDPR applies to you.

What’s confounding some businesses is the realization that the regulations cover not just how data is collected and used, but how it’s stored as well. This means that any business that uses one or more of their own servers to store customer or subscriber data must now take that server’s environment into consideration. Who has access to the server, and therefore access to the data? What is the possibility for an error on the part of an employee which might accidentally expose that data?

Training employees to create a “Human Firewall” is something that every large business needs to consider, according to training firm Privacy Awareness Academy. That means teaching them how to handle personal data, as well as how to keep the technology surrounding that data secure.

And while it might seem that local businesses outside of the EU who only serve their local geographic region have nothing to worry about, that may not necessarily be true. Is it possible for a citizen of the EU to be visiting your location, happen upon your business, and leave you with personally identifying information? The truth is, very few businesses have the option to ignore GDPR stipulations, but…


Do you have a spare 20 million euros laying around? That’s the maximum fine that can be imposed for being found in violation of the GDPR.

There are fines, sometimes massive fines, which are tiered depending on the egregiousness of the issue. The maximum fine is 4% of annual global turnover… that’s total sales revenue, not just net profit… or 20 million euros, whichever is GREATER.

These fines can be applied both for failure to comply, as well as to breaches of data or consumer trust. A failure to properly disclose and handle a severe data breach will be treated more harshly than, say, failing to obtain explicit permission to send an email newsletter. But all it might take is a single complaint on the part of an EU citizen to one of the reporting agencies to initiate an investigation into your business and data collection practices.


Completely ignoring GDPR stipulations, ultimately, is a terrible idea. Even if you believe that you’re too small or too remote to be impacted or of interest, the fact is, GDPR is just the beginning. Anyone who thinks that the United States is indifferent to data privacy issues need only watch Mark Zuckerberg’s interview before Congress. While the U.S. Congressional body may be woefully behind in terms of their understanding and appreciation of these issues, legislation is only a matter of time.


First, you’re likely going to have to change how you’re collecting email addresses, as well as communicate with a portion of your existing list. You see, by May 25th, any time an EU citizen signs up for something from you, you have to expressly tell them how their information will be used, and they have to expressly provide permission for that use. You cannot, for instance, offer to send them an eBook and then begin emailing them newsletters unless they specifically checked a box that permitted sending of newsletters.

What’s worse, it’s retroactive, which means every EU citizen that you have in your subscriber list needs to have granted you permission to email them by the 25th. We’ll talk about this a lot during the Facebook Live on Thursday, May 24th at 5pm ET.

Second, you will need to update your Privacy Policy (which means, for some of you, you’ll need to have a Privacy Policy), and make sure that your business or organization adheres to GDPR regulations in this regard.

Third, you will need to ensure that if you are storing personal data yourself, that storage is GDPR compliant. Otherwise, you will need to review every data processing service you are using and make sure they are GDPR compliant, and that you’ve agree to their new terms of service.