GDPR went into effect in the European Union on May 25, changing the way data is collected and, ultimately, the way companies can market to consumers. However, even though these new regulations are in effect across the pond, you’re still not off the hook. After all, the internet has no borders.

What is GDPR?

The ultimate goal of GDPR is to ensure people feel that they are in complete control over their personal information. As we’ve seen in recent scandals involving Facebook and other big companies, this hasn’t always been the case.

GDPR puts data security and privacy at the forefront. Chances are, your inbox has recently been flooded with “We’re Updating Our Privacy Policy” emails. That’s because nearly every website you use, from your banking website and Amazon account to your social media channels and favorite news site, collects your personal data. Under GDPR, these companies have to tell users what they’re doing with this data.

If you have a website for your business, you should take a good look at your privacy policy, too. What data are you collecting? How are you collecting this data?

What Constitutes Personal Data?

Personal data isn’t just your name, email, and address. GDPR extends the definition of “personal data” to things such as IP addresses, identification numbers, and other online identifiers. So, if you’re collecting things like IP addresses or geographic location for analytical purposes, and not clearly collecting consent from the users you’re gathering this information from, you’re breaching GDPR rules.

But your business is in Pennsylvania or California or Michigan… why would EU rules apply? The physical location of your business doesn’t matter. What matters is the physical location of the individuals accessing your online resources. Any business with activity on “European soil” is subject to GDPR laws and penalties.

What Do Businesses Have to Do?

Businesses collecting data have several responsibilities. First, they have to acquire the consent of the individuals they’re collecting data from. This means visible opt-in forms for emails, “cookie alerts,” and clear unsubscribe options are mandatory. Any change in privacy policy has to be announced and data you no longer use must be deleted.

Businesses also have the responsibility and legal obligation to let consumers know when a breach occurs almost immediately. However, this alert must be personalized—not distributed through a mass press release or Facebook post.

How Much Control Do Consumers Have Over Their Data?

Almost unlimited control. According to the GDPR Checklist, they must be able to easily:

  • Access/request access to their personal data
  • Update their personal data
  • Request that their personal data be deleted
  • Request to have their data stop being collected
  • Give and withdraw consent

Your site and its forms should be updated with these requirements firmly in mind. Don’t try to hide unsubscribe options, or use pre-filled opt-in boxes. That’s a sure way to find yourself in trouble.

What If I Break These Rules?

Noncompliance will be costly. Companies that experience a breach or have mishandled consumer data will face a fine of up to 20 million euros (23 million U.S. dollars) or 4% of their worldwide turnover. For businesses both small and large, this is a fine that can be detrimental.

We’ll be in touch soon with our own checklist for GDPR compliance. However, in the meantime, there are three things you can do right now to make sure you meet compliance standards:

  • Update and publish your privacy policy
  • Ensure you have clear opt-in (and out) procedures for your mailing lists
  • Start developing a plan of attack should data be hacked (How will you alert customers? How will you recover your data?)

Take these steps now and you’ll be on your way to protecting data, protecting your customers, and protecting your business.