What Is GDPR And Why Is It Needed For Small Businesses?

In May 2018, the EU approved one of the world’s strongest data privacy laws known as GDPR. GDPR is the abbreviation for the General Data Protection Regulation.

Does GDPR Affect US Firms?

GDPR applies to US firms regardless of revenue or workforce size if at least one of two requirements are met:

  • The firm provides products or services to EU/EEA customers (even if it is non-commercial and they don’t charge them.)
  • Or if the firm tracks users inside the EU/EEA.

The GDPR covers names, contact information, device details and location data, biometric data, pictures, videos, and more.

Even if you don’t have a physical presence in the EU, you probably have a digital presence there that gathers some of this data. GDPR affects local content and tailored marketing strategies and procedures, so if you sell to EU consumers, you’re likely impacted.

How does GDPR impact small US firms?

All organizations, public or private, that store or handle personal data of EU citizens must comply with GDPR. That implies many US firms are affected by the regulations. 

According to Recital 23, international enterprises must comply with the GDPR only if they advertise to EU nationals. For example, if you have a website in an EU member state’s language and/or display pricing in Euros, you are deemed to be targeting EU residents and hence subject to GDPR.

If any of the following circumstances are true, you may be held liable:

  • You frequently handle EU residents’ data.
  • The data subjects’ rights and freedoms may be at risk.
  • You handle data pertaining to health, racial or ethnic origins, sexual orientation, or religious views.

What are the key GDPR regulations for US businesses?

The most important requirements for GDPR compliance are explained below.


The rules depend on whether you’re a Controller or a Processor.

  • Controllers determine the aims and methods of processing data. They must adopt necessary technological and organizational measures to guarantee and demonstrate GDPR-compliant handling of personal data.
  • Processors handle personal data as directed by a Controller. Alternatively, an outsourcing business might execute all or part of the processing operations.

The GDPR deems both Controllers and Processors are liable for violations, so businesses could be fined even if the fault is entirely on the part of a data processing partner. 

Finally let’s look at a couple of examples to illustrate the type of companies that need to apply GDPR and those who don’t. 

Example: An ecommerce website run by a Charlotte based leather goods producer accepts and ships orders to European countries and to cities such as London and Milan.  

The company meets the conditions of GDPR and its website and data handling should comply with the regulations. 

Example: A small chain of coffee shops in North Carolina sells coffee in store and they operate  a website offering delivery of coffee beans and other products within a 25 kilometer radius. They don’t ship nationwide or internationally. 

The company does not target consumers in the EU so it is not required to comply with GDPR. 

The fine for failure to comply with GDPR can be severe so it’s worth ensuring your website and data collection processes are compliant. 

If you would like help with your brand messaging, advertising, and digital marketing in Charlotte, North Carolina to Seattle, Washington, and everywhere in between, get in touch with Visual Caffeine to learn how we can help you.

No Comments

Sorry, the comment form is closed at this time.