5 Steps to GDPR Compliance for U.S. Businesses

Peter A. Liefer II | Posted: May 17th, 2018 | Updated: May 21st, 2020

Organizations in the U.S. and around the world are bracing for the implementation of the European Union (EU) General Data Protection Regulation (GDPR). Regardless of where your business is based, the regulation affects you if you provide products or services to EU citizens and organizations. Non-compliance exposes you to fines of up to 4% of your annual global turnover or €20 million, whichever is greater, as well as a tainted reputation.

Your Action Plan for GDPR Compliance

The GDPR gives EU citizens the right to know and decide how their personal information is used, stored, transferred, deleted, and protected overall. Every business, including yours, needs customers to thrive, and implementing the GDPR will affect your entire organization. You will need to rethink how personal information is handled from the source to the point of consumption. You should also consider how your data management and data governance frameworks will support GDPR requirements for personal data protection.

If you do not want to risk your business and its reputation, here are the steps you can take to achieve GDPR compliance:

Step 1: Include a cookie consent pop-up to your website.

Internet cookies, browser cookies, or simply cookies are small pieces of data sent by a website and stored on the user’s computer while they browse. This unique data allows your site to remember each user’s preferences and retarget them with ads. To comply with the GDPR, you need to obtain your users’ consent before storing cookies on their device.

The most common way to do this is to display a pop-up (a window that appears on top of the page) with a message asking for consent to the use of cookies.

Step 2: Ensure that your online data collection programs ask for explicit consent.

Alternatively referred to as a tick box or selection box, a checkbox is a form control that can be selected to indicate an answer to a question or to enable a setting.

Explicit consent is straightforward. To complete a specific activity, the user must click or check a box to opt in to (or out of) allowing your site to gather data. This means that if you ask for an email address in order to market directly to people, you provide the relevant information on the form together with a tick box that gives consent and is not checked by default. This way, there is no way for users to consent to anything accidentally.
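As an added example (not code from the original post), here are the two consent rules just described in JavaScript: a cookie gate that stores nothing non-essential until the user opts in, and a sign-up form whose consent box is unchecked by default and only counts when affirmatively ticked. The in-memory cookie jar, the category names and the form field names are assumptions made for the example.

```javascript
// Added example (not from the original post): cookie-consent gate plus
// explicit-consent form check, modelled without a browser so it runs in Node.
// The cookie jar, category names and form field names are assumptions.
const ESSENTIAL = "essential"; // strictly necessary cookies need no consent
const NON_ESSENTIAL = ["analytics", "advertising"]; // require opt-in

// Default state: nothing non-essential is allowed until the user decides.
function createConsentState() {
  return { decided: false, allowed: new Set() };
}

// Record the categories ticked in the pop-up. An empty list is a valid
// decision ("reject all") and still counts as decided.
function recordConsent(categories) {
  const allowed = categories.filter((c) => NON_ESSENTIAL.includes(c));
  return { decided: true, allowed: new Set(allowed) };
}

// Write a cookie only if its category is essential or has been consented to.
// Returns true if stored, false if suppressed.
function setCookie(jar, state, name, value, category) {
  if (category !== ESSENTIAL && !state.allowed.has(category)) return false;
  jar.set(name, value);
  return true;
}

// Step 2: the consent box on a sign-up form defaults to unchecked ...
function newSignupForm() {
  return { email: "", marketingConsent: false };
}

// ... and consent only counts if it was affirmatively ticked (strict true).
function validateSignup(form) {
  const errors = [];
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(form.email)) errors.push("email");
  if (form.marketingConsent !== true) errors.push("marketingConsent");
  return { ok: errors.length === 0, errors };
}

// Walkthrough with a constructed Map standing in for document.cookie.
function demo() {
  const jar = new Map();
  let state = createConsentState();
  const before = setCookie(jar, state, "_ga", "GA1.2.1", "analytics"); // false
  setCookie(jar, state, "session", "abc123", ESSENTIAL); // true
  state = recordConsent(["analytics"]);
  const after = setCookie(jar, state, "_ga", "GA1.2.1", "analytics"); // true
  const ads = setCookie(jar, state, "_fbp", "fb.1", "advertising"); // false
  return { before, after, ads, cookies: [...jar.keys()] };
}
```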

Step 3: Update your privacy policy to align with GDPR regulations and follow them.

Your company’s privacy policy is one of the first formal documents a regulator will view. If your privacy policy is out of GDPR compliance, you are essentially issuing an invitation to further scrutiny by EU regulators.

There are many reasons why you should always have an updated privacy policy, including:

  • It is required by law, especially if you collect personal data from users
  • It’s required by third-party services you may use, including Google Analytics
  • Users have the right to be concerned about their privacy (Aren’t you worried about how other businesses process your private information?)

Step 4: Check your third-party tools.

A third-party data processor is an entity that processes personally identifiable information (PII) on behalf of a data controller. Under the new rules, any third-party processor you use is directly and legally obligated to comply as well.

Many organizations have updated their data processing agreements and added GDPR sections to their websites and knowledge bases. Some offer short primers on the legislation, checklists for customers, and updates on how they intend to comply. Specifically, MailChimp, Hubspot, Salesforce, and Constant Contact are among the many providers who indicated that they have certified with Privacy Shield, which shows their intention to abide by GDPR’s rules on the transfer of data between countries.

Step 5: Have a plan in case you experience a data breach.

The GDPR legislation indicates that in most cases, you have 72 hours to report a data breach. Your business should take precautionary measures to secure your data and have a strategic plan in case you get hacked. These action plans may include assessing the risks to all private data, contacting all relevant financial institutions and affected customers, and asking users to change their passwords immediately, among several other procedures.

Lack of GDPR compliance poses a great threat to the future of many organizations. Personal information has tremendous value, and if it is managed improperly it can create significant disadvantages that result in grueling legal battles. It is highly advisable to consult your legal team and create a plan for the GDPR launch on May 25th, 2018.

If you have any questions on how to ensure that your marketing efforts are in line with GDPR regulations, call PrimeView today at 480-970-4688. We can provide the best practices to help with your compliance.
