What Startups and Small Businesses in the US Need to Do to Comply with the GDPR
The first question is: does your startup collect data from, store information of, sell products to, or monitor the behavior of anyone in the European Union?
If the answer is no, which means you’re certain your users aren’t using your services while traveling in the EU, you can stop reading.
If the answer is yes, then you have some work to do.
The bad news is that compliance requires focused effort, drawing on both technical and legal expertise, to ensure your company does not run afoul of these new regulations.
The really bad news is that the penalties are significant: up to 4% of global revenue for offenders.
The good news is that this will be a wake-up call for many startups that are long overdue for a health and sanity check when it comes to what they do with their data. The truth is, many companies post privacy policies they found online and never give them a second thought. Not only do many such companies not actually comply with their own privacy policies, they’re not sure what’s in them.
That wasn’t a good practice before. And under the regime of the GDPR, there are serious consequences for that behavior.
(1) to have a clear understanding of how your organization collects, manages, stores, and uses data
(2) to inform your users about that data strategy
(4) to comply with your policy in a consistent way
To do this right, you’ll have to work with your technical personnel and put real time into this policy and its implementation.
This is now the reality of doing international business in 2018.
This isn’t a simple cut-and-paste template you can put on your site and forget about. You won’t achieve GDPR compliance (or ever draft an effective contract of any kind) with general language that isn’t tailored to what your business actually does.
We are not trying to scare you. The exact extent to which the EU will be actively enforcing this new regulation on American companies without a physical location in Europe is unknown. It is certainly—and I say this with the deep affection of a dual citizen of the US and Ireland—the most horrific, sprawling mess of a regulation that I have ever seen. But as we read this new regulation, it will apply to most US companies—and impose potential liability, including fines, on those that do not comply. Thus, we are helping our US companies do their best to comply with it.