GDPR Simplified for US Businesses


What is GDPR?

The GDPR is the “General Data Protection Regulation”, legislation by the European Union that, from May 25th, 2018, does two primary things:

  1. Establishes personal data rights for individuals in the EU
  2. Sets principles for how businesses should store and process this personal data

Does GDPR affect your US business?

If you store or handle (process) any information about EU citizens or individuals in the EU, then the GDPR applies to you. There is no size threshold for GDPR, so it applies to businesses and organizations of all sizes (even freelancers, non-profits, and clubs).

This technically means that GDPR even applies to a small association that happens to have a member who is an EU citizen residing in the US. It remains to be seen what will actually happen to smaller companies and organizations that reside solely in the US.

What is the penalty for breaking GDPR?

Here’s where you want to pay attention. GDPR specifies a penalty of 4% of annual global turnover or €20m (whichever is the greater).

What does this mean for US businesses? We’ll have to wait and see. Either way, start making changes now. It’s good for you, good for your customers, good for your team.

How does your US business comply with GDPR, and do you need to become “GDPR Certified”?

There is no GDPR certification and a lot of the legislation is quite ambiguous. What you do need to be serious about is knowing what information you have, why you have it, and how long you are retaining it for. And then make that information available in your privacy policies. Below are a few pointers to get compliant with GDPR. By no means is this an exhaustive list, nor should you take this as legal advice, but it is a lot of really good information compacted into a few simple steps.

Simple GDPR Checklist

  1. Identify and document what personal data your business is storing, collecting, or processing.
    What types of personal data (name, address, email, etc.) and sensitive data (health information, religious/political views, etc.) do you have? Where is it coming from, how is it being used/stored, where is it going?
  2. Review your security and security policies to make them GDPR-compliant.
    While there are no exact guidelines on what security measures you need to have in place, there are a few things you need to know.

    • Encrypt as much as possible. GDPR recommends separating personal data from the identifier that links it to a person (a name, or even an email address) and encrypting it, so that exposure of one store does not expose a named individual.
    • Report security breaches within 72 hours.
  3. Update your privacy policies.
    You’ll need to include what data you are storing, why you are storing it, who you send data to, and how long you’ll store it for. Keep things simple, in plain English and as short as possible. The irony is that the GDPR legislation telling you to keep it concise is an 88-page document!

What else do you need to think about?

  • Prepare to give EU citizens access to their data:
    Under the GDPR EU citizens have the right to access, update, and remove their personal data.
  • Make sure your service providers are GDPR-compliant:
    If personal data is being stored or processed by any other service providers, organizations, or contractors, you’ll need to make sure that they also are GDPR-compliant.
  • Do you need a Data Protection Officer (DPO)?
    Unless you are a large business, or are processing large amounts of personal data or sensitive data, you probably won’t need a DPO. As with all information here, you should check with your lawyer.
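As an added example (not code from the original article), here is one way to implement the checklist’s advice to keep personal data separate from the identifier that names a person, and to serve the access and erasure rights listed above: a small Python store where a separate identity vault is the only thing linking a random token to a name and email. The vault is assumed to be the component you encrypt at rest and restrict access to; the class name and the sample subject used in the checks are constructed for this example.

```python
import secrets
from typing import Dict, List, Optional

def _norm(email: str) -> str:
    return email.strip().lower()

class PseudonymisedStore:
    """Identity lives only in _vault (the one component to encrypt at rest; assumed, not shown)."""

    def __init__(self) -> None:
        self._vault: Dict[str, Dict[str, str]] = {}          # token -> {name, email}
        self._index: Dict[str, str] = {}                     # normalised email -> token
        self._records: Dict[str, List[Dict[str, str]]] = {}  # token -> events (no identity)

    def register(self, name: str, email: str) -> str:
        key = _norm(email)
        if key in self._index:               # idempotent: one token per person
            return self._index[key]
        token = secrets.token_hex(16)        # random, so nobody can re-derive it later
        self._vault[token] = {"name": name, "email": email}
        self._index[key] = token
        self._records[token] = []
        return token

    def record(self, email: str, event: Dict[str, str]) -> None:
        """Store an event under the token; a coarse substring check rejects leaked identifiers."""
        token = self._index[_norm(email)]
        ident = self._vault[token]
        for value in event.values():
            if ident["name"].lower() in value.lower() or _norm(ident["email"]) in value.lower():
                raise ValueError("event contains an identifier; keep those in the vault only")
        self._records[token].append(dict(event))

    def subject_access(self, email: str) -> Optional[dict]:
        """Right of access: everything held about one person, or None if unknown."""
        token = self._index.get(_norm(email))
        if token is None:
            return None
        return {"identity": dict(self._vault[token]), "events": list(self._records[token])}

    def erase(self, email: str) -> bool:
        """Right to erasure: cut the link; the events stay but can no longer be tied to anyone here."""
        token = self._index.pop(_norm(email), None)
        if token is None:
            return False
        del self._vault[token]
        return True

    def analytics_view(self) -> List[Dict[str, str]]:  # what reports, backups or vendors see
        return [e for events in self._records.values() for e in events]
```

Note that `analytics_view` never touches the vault, so a copy of the working records handed to a vendor or written to a report carries no name or email.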

Digging Deeper: A Few Key Points and Definitions

Key points for how personal data should be processed:

Lawfulness, Fairness and Transparency – personal data is stored and used in a lawful, fair and transparent manner.
Purpose Limitation – personal data should only be collected for specific, legitimate purposes and then used only for those purposes.
Data Minimisation – collect the personal data that is needed and no more.
Accuracy – keep personal data up to date.
Storage Limitation – keep personal data only for as long as it is needed, then delete it.
Integrity & Confidentiality – keep personal data secure using the latest and best security standards you can.

Rights of EU individuals under GDPR:

Right to be Informed – give simple clear privacy notices.
Right of Access – give access to their personal data.
Right to Rectification – can update personal data if it is inaccurate.
Right to Erasure – “the right to be forgotten”, but only where there is a legitimate reason to do so.
Right to Restrict Processing – can block processing of personal data.
Right to Data Portability – can obtain and transfer their personal data.
Right to Object – can block different forms of data processing.
Right to block automated decision-making or profiling using personal data.


Personal Data – anything that can be used to identify an individual, directly or indirectly.

Sensitive Data – personal data that requires higher security measures and needs to be treated with more care and stricter consent. Sensitive Data includes:

  • racial or ethnic information
  • political information
  • religious or philosophical beliefs
  • trade union memberships
  • genetic data
  • biometric data
  • sex life or sexual orientation
  • health data

Processing – anything that is done to or with personal data, whether automated or manual. Processing is deliberately a broad definition that covers everything, including storing, collecting, recording, organizing, structuring, analyzing, etc.

Subject Access Request (SAR) – an individual exercising their right to obtain a copy of their personal data; you must respond within one month of the initial request.

Benjamin Kamp is a strategic advisor, fractional executive, reformer, and author of "Simplify Online." His passion is to see you and your organization fully come into your purpose. To see that happen, he offers a unique mix of strategic advisory and executive leadership, with a focus on technology and AI, through his business, BISVI.


Why Every Business Needs a CTO

Do you have someone that holds your vision in one hand and digital strategy in the other?

Larger companies do. It’s called a Chief Technology Officer (CTO), and they make sure the technology and digital strategy line up with the future goals and mission of the company.

Do you have a CTO or any other form of digital leadership? If not, you might notice that your web designers, SEO agency, social media expert, and every other consultant in the digital space are each leading parts of your company in their own direction.

You’ve invested too much and what you are doing is too important to throw your cards into the digital air and hope for the best.

What if you don’t really need a new website, just updated content? A web designer has more incentive to sell you the new website. What if SEO, or search engine optimization, isn’t the most important thing for your business right now? For an SEO expert, it probably will be. What if social media advertising isn’t the best use of your budget nor in line with the specific customer you want to connect with? For many social media experts, it is their only product and only frame of reference. For them, it’s always the right answer.

In addition to that, each consultant wants to put their own technology stack into your business and on top of your website. This results in a slow website and a complex network of software that rarely gets used. It means confusion for you and your team instead of what all of this is supposed to do – empower you to know and serve your customers better.

I don’t like to believe that most of these consultants are trying to sell you something you don’t need. It’s just that their frame of reference is too focused on a single aspect of digital marketing and technology. They can’t see the big picture of your company well enough to help you find what will connect you with the right customers, in the way you want to connect with them.

Digital leadership is vital.

Over the past 20 years I have worked as a web designer, developer, advisor, and CTO. I have seen hundreds of companies bounce from consultant to consultant, never really getting what they are looking for, spending thousands and tens of thousands of dollars on experts who each have their own vision for their client.

What if we changed that? What if your first consultant was a web advisor, CTO, or some form of digital leadership? Someone who invests in understanding the heart and vision of your company first. Someone who helps you develop the right strategy and find the right people to make it all happen.

I believe in small and medium businesses and their role in making a difference in our lives. I want to see digital leadership – in web advisors, on-demand CTOs, and any other form of digital leadership – become the norm.

Without digital leadership, it’s too easy for your message, vision, and potential impact never to find their voice or place on the digital scene.
