What is the General Data Protection Regulation?
On May 25, 2018, the General Data Protection Regulation went into effect. The GDPR is a European Union initiative designed to give consumers greater control and transparency when it comes to the personal data companies are collecting and storing. The law protects individuals in the 28 member countries of the European Union, even if the data is processed elsewhere.
“As an example of the law’s reach, the European Commission, the EU’s legislative arm, says on its website that a social network will have to comply with a user request to delete photos the user posted as a minor — and inform search engines and other websites that used the photos that the images should be removed.” – Wired.com
Users must now be told in the most obvious format (usually through a pop-up) that they have the ability to opt in, rather than having to jump through hoops to opt out. If brands collect any data, they now have to be upfront and transparent about how, where, when and for what purpose they are using that data. And you can never share that data, regardless of how insignificant you feel it is, with anyone at any time.
Non-compliance is not a choice if your business is affected by the GDPR (see requirements below). Heavy fines can be imposed for non-compliance, as of May 25, 2018, which could be up to 4% of annual global turnover or $20 Million (whichever is greater).
Which companies does the GDPR affect?
Any company or organization that collects, stores and utilizes data about EU citizens, whether inside any of the EU states or in any other country. So if there is any possibility that your website can be viewed and used by a citizen of the EU, you need to comply. If you have more than 250 employees you must comply, and if you have fewer than 250 but your data collection and processing impacts EU citizens, you must also comply. A recent survey showed that 92% of U.S. brands “consider GDPR a top data protection priority.”
Even in the small chance that the GDPR does not apply to you, it is advisable to take notice and make the needed changes, as similar regulation is coming globally sooner rather than later.
What types of data does the GDPR apply to and protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What steps should you take to comply with GDPR?
I. Form Submission Notice: Each form needs to disclose why and how you’re using the collected data. For example, if you have an email signup form on your website, you now need to explain what you will use that content for, such as: “This form collects your name and email so we can email you our monthly newsletter. For more information, please see our privacy policy.” And yes, every website now needs a privacy policy, regardless of whether you’re selling online or not. If users do provide their data, they need to clearly understand what you use that data for, know how it’s protected, and be able to contact you if they want it deleted, or have access to remove it themselves.
II. Add a Privacy Policy to your website: If you already have a privacy policy, that is a great start, but under the new regulations you will need to simplify your data privacy statements so that your customers, even those without a legal degree, can understand them and agree to them with trust and confidence. If any changes are made to your privacy policy, you need to notify users in an obvious and accessible way. Make sure your existing or revised privacy policy is compliant with current GDPR regulations, and if you don’t feel qualified to write this yourself, please contact your lawyer for confirmation of compliance. (Sample Privacy Policy)
III. Notice of Cookies or Retargeting: If you’re using retargeting pixels, cookies or any other tracking service, you now need to disclose that from the first page view, with a pop-up message similar to this: “This site uses cookies. To see how cookies are used, please review our cookie notice. If you agree to our use of cookies, please continue to use our site.” Only when visitors take traceable and deliberate action to agree can they continue to view your website; otherwise, they’ll go elsewhere.
Under GDPR every user needs to provide opt-in consent before marketers are allowed to track, retarget or mail those users; this also applies to existing users. It must also be easy for users to revoke their consent at any time, and they must have a clear understanding of who is using their data and what it is used for.
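The opt-in behaviour described in step III, as an added example that is not part of the original article or of any plugin it names: tracking code is registered as a loader and runs only after the visitor's explicit "agree" action; the stored decision is tied to a notice version so existing users are re-prompted when the notice changes, and consent can be revoked at any time. The storage key, `memoryStorage` shim and `ConsentManager` name are this example's own assumptions; in a browser you would pass `window.localStorage` as the storage object.

```javascript
const CONSENT_KEY = "cookie_consent"; // hypothetical storage key

// Minimal getItem/setItem/removeItem shim for use where localStorage is absent.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => m.set(k, v), removeItem: (k) => m.delete(k) };
}

class ConsentManager {
  constructor(noticeVersion, storage) {
    this.noticeVersion = noticeVersion; // bump when the cookie notice changes
    this.storage = storage;
    this.loaders = [];   // functions that start a tracker (pixel, analytics)
    this.unloaders = []; // functions that stop/clean up that tracker
    this.loaded = false;
  }
  // Stored decision, but only if it was given for the current notice version.
  currentConsent() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === this.noticeVersion ? rec : null;
  }
  needsPrompt() { return this.currentConsent() === null; }
  hasConsent() { const r = this.currentConsent(); return r !== null && r.granted === true; }
  // Register a tracker; it runs only once opt-in consent is on record.
  register(load, unload) {
    this.loaders.push(load); this.unloaders.push(unload);
    if (this.loaded) load(); else if (this.hasConsent()) this.startTrackers();
  }
  // Wire this to the banner's explicit "I agree" / "Decline" buttons only.
  record(granted) {
    this.storage.setItem(CONSENT_KEY, JSON.stringify(
      { granted, version: this.noticeVersion, timestamp: Date.now() }));
    if (granted) this.startTrackers(); else this.stopTrackers();
  }
  // Revoking must be as easy as agreeing: clear the record and stop trackers.
  revoke() { this.storage.removeItem(CONSENT_KEY); this.stopTrackers(); }
  startTrackers() {
    if (this.loaded) return;
    this.loaded = true; this.loaders.forEach((fn) => fn());
  }
  stopTrackers() {
    if (!this.loaded) return;
    this.loaded = false; this.unloaders.forEach((fn) => fn());
  }
}
```

A "Decline" click goes through `record(false)`, which keeps trackers off without re-prompting the visitor on every page view.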
IV. Protection of Collected Data: Once that data is collected, you must have a policy in place to keep it secure, prevent data breaches, and regularly audit and cleanse that data. This also reemphasizes the need for an SSL/TLS certificate for your website, which encrypts data in transit between the visitor’s browser and your server. If you are breached, the GDPR requires a 24-hour reporting window to properly report the breach to all users affected. It is recommended to hire a third-party Information Technology company specializing in data protection to ensure data security, breach prevention and response, and GDPR compliance.
Making your WordPress Site Compliant:
When you update WordPress to the latest version, WordPress 4.9.6 adds some needed features. After you update, you’ll get this message on your dashboard:
“Personal Data and Privacy: Personal Data Export and Erasure. New Tools have been added to help you with personal data export and erasure requests. Privacy Policy: Create or select your site’s privacy policy page under Settings > Privacy to keep your users informed and aware.”
If you have the Akismet plugin added and updated, as most WordPress sites do, you’ll get this message with the latest update:
“Akismet & Privacy. To help your site be compliant with GDPR and other laws requiring notification of tracking, Akismet can display a notice to your users under your comment forms. This feature is disabled by default, however, if you or your audience is located in Europe, you need to turn it on. Please enable or disable this feature.”
If you have a WordPress site there are several excellent plugins you can add to your site to ensure GDPR compliance, including:
- GDPR by Trew Knowledge: This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
- WP GDPR Compliance by Van Ons: This plugin assists website and webshop owners to comply with the European privacy regulation known as GDPR. It currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments.
- Call Startup Production to get assistance on verifying if your website is compliant, and what is needed if not.
Why should I comply with GDPR when I nor my clients reside in the EU?
That is a good question. While it’s true you may not need to comply if you are outside the EU, unless you are geoblocking traffic from the EU, your website traffic may include visitors from the EU. This means you will need to comply if they fill out a contact form, make a purchase or use any functionality that captures their information or IP address. Also, protecting clients’ data, making visitors aware of your privacy policy and ensuring visitors understand how you use and store their data is just good business. Complying with privacy protection guidelines encourages trust and credibility, and shows you care about your customers, leads and website visitors, which is also good branding.
The state of California has enacted the California Consumer Privacy Act (CCPA) on January 1, 2020, which applies to for-profit businesses that collect consumer personal data, more specifically any business that meets one of the following:
- Businesses that earn $25,000,000 or more a year in revenue
- Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
- Businesses that derive 50% or more of their annual revenue from selling consumer personal information
While that may not include you right now, protect your brand, your content and limit your liability by applying the four recommended suggestions above.