Things you need to know about GDPR

Are you unsure whether GDPR will affect your website? It probably does. GDPR is short for General Data Protection Regulation, a European Union law that took effect May 25, 2018. First off, we should mention that we aren’t lawyers; nothing on this website should be considered legal advice.

The General Data Protection Regulation (GDPR) is a European Union law that gives EU citizens control over their personal data and changes how organizations across the world approach data privacy. You have likely received dozens of emails from companies like Google, Microsoft, Instagram, Constant Contact, and so on, about changes to their privacy policies and other “legal stuff”, because the EU has put hefty penalties in place for companies that are not in compliance: fines of up to 4% of a company’s annual global revenue or €20 million, whichever is greater! Regulators will start with a warning, then a reprimand, and eventually the fines will come.

You might be thinking… OK, so does GDPR apply to my website?

The short answer is YES. It applies to every business around the world, small or large. If your website has visitors from EU countries, and it probably does or could, then this law applies to you.

Not to fret, here’s a short guide to help you out.

What’s required by GDPR?

The goal is to protect users’ personally identifiable information (PII) and hold businesses to a higher standard for how they collect, store and use that data. PII includes name, email address, physical address, IP address, health information, income, cultural information, etc.

Explicit Consent – if you collect data, you need explicit, unambiguous consent. You can’t send spam to people just because they gave you their business card. On a form, the opt-in box cannot be pre-checked, and consent has to be requested separately from your other terms.

Rights to Data – you must inform users where, why, and how their data is processed and stored (usually in your non-existent Privacy Policy). Individuals have the right to download their personal data, and they also have the right to be forgotten (to have their data deleted).

Breach Notification – companies must report certain types of data breaches to the relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to the individuals whose data is affected.

Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. If you’re a small business, this likely does not apply to you.

WordPress (as of v4.9.6) now comes with a built-in privacy policy generator. It offers a pre-made privacy policy template and tips on what else to add, so you can be more transparent with users about what data you store and how you handle it.

As a website owner, you might be using various plugins that store or process data, such as contact forms, analytics, email marketing, or an online store. Look to your plugin vendors for GDPR-compliant updates and workarounds.

In some cases, such as Google Analytics, GDPR compliance requires you to do one of the following:

  • Anonymize the data before it is stored and processed
  • Add an overlay to the site that gives notice of cookies and asks users for consent before any tracking starts, and/or offer users a way to have their tracking data deleted.

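As an added example that is not part of the original post, here is how the second option could be implemented on a site that uses gtag.js: load Google Analytics only after the visitor has opted in, turn on IP anonymization before the first hit, and set Google’s ga-disable flag whenever consent is absent or withdrawn. Assumptions (not from the page): a cookie named gdpr_consent holding URL-encoded "analytics=1,marketing=0", a placeholder measurement ID, and an injected script loader and global object so the logic also runs outside a browser.

```javascript
// Added example (not from the original post): load Google Analytics only
// after explicit opt-in, with IP anonymization turned on before the first hit.
// Assumed (hypothetical) pieces: a "gdpr_consent" cookie holding URL-encoded
// "analytics=1,marketing=0", a placeholder measurement ID, and an injected
// loadScript/globalObj pair so the logic also runs outside a browser.
const MEASUREMENT_ID = 'UA-XXXXXXXX-1'; // placeholder: use your own property ID
const OPT_OUT_KEY = 'ga-disable-' + MEASUREMENT_ID; // Google's documented opt-out flag

// Parse the consent cookie from a document.cookie string; anything missing or malformed means "no consent".
function parseConsent(cookieHeader) {
  const consent = { analytics: false, marketing: false };
  if (typeof cookieHeader !== 'string') return consent;
  const entry = cookieHeader.split(';').map(s => s.trim())
    .find(s => s.startsWith('gdpr_consent='));
  if (!entry) return consent;
  let value;
  try { value = decodeURIComponent(entry.slice('gdpr_consent='.length)); }
  catch (e) { return consent; } // malformed percent-encoding: treat as no consent
  for (const pair of value.split(',')) {
    const [key, val] = pair.split('=');
    if (Object.prototype.hasOwnProperty.call(consent, key)) consent[key] = val === '1';
  }
  return consent;
}

// gtag.js config: anonymize_ip makes Google drop the last octet of the
// visitor's IP before it is stored, the "anonymize before storage" option above.
function analyticsConfig() {
  return { anonymize_ip: true };
}

// Apply the visitor's choice. Returns true only when the tracker was started.
// globalObj is window in a browser; loadScript(url) injects the gtag.js tag.
function applyConsent(cookieHeader, globalObj, loadScript) {
  const consent = parseConsent(cookieHeader);
  globalObj[OPT_OUT_KEY] = !consent.analytics; // tracking stays off while true
  if (!consent.analytics) return false;         // no opt-in from the overlay: no hits
  globalObj.dataLayer = globalObj.dataLayer || [];
  const gtag = function () { globalObj.dataLayer.push(arguments); };
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID, analyticsConfig()); // queued before the script loads
  loadScript('https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID);
  return true;
}

// Withdrawal of consent: set the opt-out flag so no further hits are sent.
function withdrawConsent(globalObj) {
  globalObj[OPT_OUT_KEY] = true;
}
```
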
Ready or Not

GDPR took effect on May 25, 2018. If your website is not compliant yet, don’t panic. Just continue to work towards compliance and get it done as soon as possible. After all, the EU’s website says you’ll receive a warning first, then a reprimand, and then… fines.

Need help making these changes?

If you aren’t a web developer, these changes can be overwhelming to implement. Contact us for a free estimate.