A Note To The Yachting Industry Re: GDPR

May 29, 2018

What is GDPR?
A few years ago, the European Union put into place a new privacy law that is intended to protect EU citizens and residents from data misuse. This privacy law is called the General Data Protection Regulation (GPDR).

At the time, they set a date, May 25, 2018, as the deadline for companies to be compliant. That, of course, was last week, and the reason many of us saw a flurry of ‘Opt-In’ & ‘Updated Privacy’ emails from firms across the yachting industry, and of course, beyond.

How do I make sure my company is compliant?
That’s a question for an attorney or a consulting firm that specializes in GPDR. A few resources below may provide some decent insights:

UK’s Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
FAQ’s For Small Businesses: https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/.
Summary of How GDPR applies to U.S. Companies: https://www.compliancejunction.com/gdpr-for-us-companies/
GDPR Compliance Checklist 1: https://informi.co.uk/articles/how-will-gdpr-affect-my-small-business
GDPR Compliance Checklist 2: https://www.3bweb.com/blog/gdpr-compliance
General Info: https://www.youtube.com/watch?v=_J5IZxI_xKk

Wow, that’s a lot of work and might be really annoying.
Yeah, as a small business owner it will be a pain. But as a consumer, it will mean that companies everywhere will likely clutter your inbox less and pay attention to securing your data more.

Please just give me the basics.
Okay, 2 major things:

Don’t spam clients or leads that live in the EU.
Have a clear plan in place to protect your client’s data, including personal info.

Okay, tell me more about #1.
Most people agree that spamming is a bad idea. But let’s be honest, most small business owners are guilty of doing it. And there are lots of gray areas, legally and morally. So, let’s see what we can do, and maybe march toward GPDR compliance.

A few examples of what other yachting companies are doing to comply:

Give your clients an opportunity to ‘Opt-In.’ There are a few ways of going about this:
1. Email your entire database, and ask each client to click an ‘Opt-In’ button that confirms they want to be included in future updates and newsletters.
2. Email only EU clients this same ‘Opt-In’ message. This can be tricky, as there is no way to 100% confirm which clients are in the EU. One yachting firm had an intern identify .eu email addresses and place them in a separate file for this purpose, but again, this likely didn’t include all of that firm’s EU clients, after all, not all French clients have an email address ending in a ‘.fr.’

Update your privacy policy, which should include a bit of information on who you are, how you share or sell your data, how you store and protect client data (see next question), how to contact your company to opt-out, etc. Denison’s update policy lives here: https://www.denisonyachtsales.com/privacy-policy/. It’s not perfect, but might serve as a resource for anyone that needs help getting started. After doing this, it’s probably a good idea to let your clients know what your updated policy is. You can do this via email, which is why you received dozens of emails last week with the subject line ‘Updated Privacy Policy.’

Thanks, now what about #2, that part about ‘protecting client data?’
This is a big deal. If you don’t already have a plan in place for protecting client data, you DEFINITELY need to do it now. This should be done for all clients, EU + everyone else.

Some of this is common sense. For instance, you do your best to keep your office secure, and hopefully have good locks, maybe an alarm, and are committed to keeping physical offices safe. But this isn’t good enough. We also need to look into ways we protect our client’s data on our servers, in the cloud, and in our inboxes. We also need to make sure the partners we share our data with, like Yacht Closer, are doing the same.

Cool, thanks. Is that all I need to do?
Hell no! You should do more research, maybe contact your attorney. Bigger firms might want to look into hiring a consultant based in the EU. It’s important to take this seriously. The good news, the process will likely result in a better and broader plan for protecting your client’s data.

There are lots of other topics to wrestle with, including:

How to adjust your web site’s forms.
Displaying cookie policies.
Other GPDR policies (Canada).
Client’s right to ‘be forgotten.’
And a bunch of other stuff beyond my pay grade.

I don’t want to deal with any of this crap. What are my options?
Not a good idea, but some U.S. companies are taking this approach. A few are actually blocking EU visitors form their web site: https://www.wsj.com/articles/u-s-websites-go-dark-in-europe-as-gdpr-data-rules-kick-in-1527242038. If you want to do the same, contact whomever hosts your web site, or your IT firm, and they can walk you through this process.