On the 25th of May 2018 GDPR compliance will come into effect for all websites that capture Data via contact forms, purchases, email sign ups and even personal emails and on comments on blogs.
Disclaimer – We’re not lawyers. This article is for information sharing only and isn’t meant to replace legal advice.
What is GDPR
General Data Protection Regulation (GDPR) is a set of laws for Europe that deal with the privacy of consumers. It specifically focuses on citizens of the European Union and how businesses are to handle data for them.
It includes consent for collecting data, how companies should handle a data breach, and allowing consumers to delete their data. The purpose is to give the consumer the power to decide how and when their data is used.
The entire Internet will be affected by this because the EU wants the law to apply to any website where a citizen of the UE can visit. This specifically applies to any website that stores data about their visitors.
Data is any information that pertains to a person. This includes a name, photo, email address, bank details, medical information, location, an IP address, and even posts on social media. Sensitive data includes race, health status, religious beliefs, political beliefs, and sexual orientation.
There are three elements to be concerned with:
- Right to Access– shows the user what data points are being collected, where it’s being processed and stored, and the purpose, processing, and storage of the data. Websites must provide this information free of cost within 40 days.
- Right to be Forgotten– allows users opt-out of the data-collection process.
- Data Portability– allows users to download their personal data they’ve consented to and transmit it to a different controller.
What’s good about GDPR is it protects data and gives the consumer power over their information. It’s meant to be a global standard for data protection. It will change the way the Internet works with consumer data. The advantage to consumers is they get to see what they’re interested in. Advertising pertains to them instead of being random.
What’s bad about GDPR is it causes extra steps and precautions that might not be needed in the first place. It will cost companies as they work to become compliant, which will result in raised prices in order to recuperate the cost.
How to Prepare
Steps you can take include:
Audit Your Website – Audit of all the data your website and plugins collect. This applies to every way data is collected on your website including user registrations, contact forms, comments, analytics, logging tools, security tools, etc.
Publish a Policy – This will inform the users that you’re collecting data, what the data is, and how you’re using it.
Notify – Create a notification when you’re collecting data. Many plugins will include this.
Allow Users to Opt-Out – Once users have given consent they must be able to opt-out at any time.
Get Permission – Every time a user submits information, for newsletters, etc., you have to get permission to collect their data.
Provide Users with a Copy of their Data – This can be done through plugins.
Notification of Breach – If there is a breach, notification must be sent within 72 hours of becoming aware of the breach.
Make Sure Plugins are Compliant – The larger companies are working on updates so their plugins will be compliant. If you’re using a plugin that doesn’t update consider replacing it.
What GDPR Means for Your Business
In reality, nothing much has changed from the cookie law, can-spam or any other rules and regulations that control what data we as website owners collect in our day to day business. The GDPR simply attempts to roll all of them into one simple to use, simple to understand methodology and compliance advice guidelines. Yes, the EU has a big stick to wield on non-compliance but as small businesses as long as you allow all your visitors to OPT IN – give a clear indication to them of how you intend to use their data. Give explicit instructions on how to get removed from a mailing list or your store data (remember, if you have details of a customer in your store and they want that deleted, you must for Tax purposes inform them that you will keep that data for up to 7 years in order to comply with your tax office but, will not use it for any other reason) .
Where GDPR advice is not clear is where you are being told by a lot of advisors, that you need a data officer or DPO- not quite true.
DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO. (Source) I.E PayPal, Amazon etc.
GDPR must be observed but only as far as you need to observe it so, don’t panic, its all going to be OK.
How can Faydinkum Studios help your business to prepare for GDPR
Note: GDPR removes the ability for interpretation and is a law binding regulation “as is”. It will be the same across every affected state.
GDPR will be enforced May 25th 2018, so it’s important to start preparing as soon as possible. The fine for non-compliance is up to 4% of annual global turnover or €20 Million (whichever is greater). The EU can even block your website.
Please remember that businesses that are public authorities, engage in large-scale systematic monitoring, or engage in the large-scale processing of sensitive personal data will need a Data Protection Officer (DPO).
You’ll need to assess the risk of your data and take extra precautions to protect it. If you don’t need the data it would be best to avoid data storage when possible. Delete data you don’t need to ensure it isn’t a risk.
Even with the extra cost, this data is still good to have because you can target your audience better. You can advertise to your actual audience without having to make costly guesses about who they are and what they’re interested in.