Customer relationships are at the core of the wine industry, and in the digital age, a new customer relationship can start anywhere. The new data protection regulation launched on May 25, 2018, reinforces EU individual’s rights, and it should have raised more than one eyebrow in the wine industry, especially for businesses that have a web presence and/or ship products purchased online. Have you hosted international visitors in your tasting room? Do you have “clear” consent to use their data? Here’s what you need to know to safely continue communicating with your EU customers.

What is the purpose of GDPR?

The General Data Protection Regulation (GDPR) is a new set of rules to protect the personal data of European citizens. Moving forward, all business with European customers must ask permission before collecting personal data from them. Replacing the old 1995 Data Protection Directive, GDPR specifies what type of data a business may collect, how it should be stored and used. The goal? Strengthen data protection policies for residents of EU member nations. Data is defined as “any information relating to an identified or identifiable natural person” such as name, email or location, for example, of a wine club member.

My business is not located in the European economic community, so why should I be concerned?

The GDPR impacts any business, EU-based or not, that has EU users or customers. If you offer your goods or services to any EU resident, then your business must comply with GDPR. Even if a company does not have a European presence, it’s all about the data you process. With these new regulations, the geographical scope is borderless. Napa law firm Dickenson, Peatman & Fogarty illustrates how the wine industry may be impacted (1): “for example, a winery that had a single sale to an E.U. person in its wine club database might appear to meet the requirements to comply with the GDPR.”

What’s at risk if I don’t comply?

A heavy fine. The GDPR could bring costly penalties for noncompliance. If you are not storing data properly or failing to report a data breach, you may be fined up to $24 million or 4% of your worldwide turnover of the previous financial year, whichever is greater. The numbers are scary. The exact fines will depend on several factors such as the importance of the personal data breach or how noncompliant your business is. “Based on 2017 figures, penalties could top $1.6 billion for Facebook” stated cnn.com. Don’t forget that this data regulation does not apply to data about a company or any other legal entities. Just a short time after the launch of the regulation, it’s still too early to know how effective the 11 chapters of the law will be but it’s better to be safe than sorry.

So what should I do?

Become GDPR-compliant. The purpose of this regulation is to protect data of EU individuals more efficiently. The first step for businesses is to be sure to have clear consent before collecting any data from EU citizens. No more passive acceptation, opt-out or pre-ticked boxes. You want to send email to your European customers to invite him to a Mediterranean wine cruise? You need to clearly specify how you will use their information at the moment they give it to you. Not sure if you are GDPR-compliant? Play it safe and start your GDPR journey with an audit of all your data. Update your privacy policies and start a conversation with your customers to inform them you care about the information they share with you. The keyword in all of this? Transparency.

Ready to become GDPR-compliant? Get started with these 5 easy steps here.