What is the General Data Protection Regulation?
On May 25, 2018, the General Data Protection Regulation went into effect. The GDPR is a European Union initiative designed to give consumers greater control and transparency when it comes to the personal data companies are collecting and storing. The law protects individuals in the 28 member countries of the European Union, even if the data is processed elsewhere.
“As an example of the law’s reach, the European Commission, the EU’s legislative arm, says on its website that a social network will have to comply with a user request to delete photos the user posted as a minor — and inform search engines and other websites that used the photos that the images should be removed.” – Wired.com
Now the users will have to be aware in the most obvious format (usually through pop-ups), that they have the ability to opt-in, rather than jumping through hoops to opt-out. And if brands collect any data, they now have to be very upright and transparent on how, where, when and for what purpose they are using that data. And you can never share that data, regardless of how insignificant you feel it is, with anyone at anytime.
Non-compliance is not a choice if your business is affected by the GDPR (see requirements below). Heavy fines can be imposed for non-compliance, as of May 25, 2018, which could be up to 4% of annual global turnover or $20 Million (whichever is greater).
Which companies does the GDPR affect?
Any company or organization that collects, stores and utilizes data about EU Citizens, whether that is inside any of the EU states or in any other country. So if there is any possibility that your website can be viewed and used by a citizen of the EU, you need to comply. If you have more than 250 employees, or if you have fewer than 250, but your data collection and processing impacts EU citizens, that you also must comply. A recent survey showed that 92% of U.S. brands “consider GDPR a top data protection priority.”
Even in the small chance, the GDPR does not apply to you, it would be advisable to take notice and make needed changes, as change is coming globally sooner if not later.
What types of data does the GDPR apply to and protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What Steps should you take to comply with GDPR?
Under GDPR every user needs to provide opt-in consent before marketers are allowed to track, retarget or mail those users, this also applies to existing users. It also must be easy for users to revoke their consent at any time and have a clear understanding of who is using their data and what it is used for.
IV. Protection of Collected Data: Once that data is collected, you must have a policy in place to keep that data secure, prevent data breaches and regularly audit and cleanse that data. It also reemphasizes the need for an SSL for your website, which ensures all data collected is encrypted. If you are breached, the GDPR requires a 24-hour reporting window to properly report a breach to all users affected. It would be recommended to hire a third-party Information Technology company specializing in data protection to ensure data security, data breaches, and GDPR compliance.
Making your WordPress Site Compliant:
When you update your WordPress to the latest version, WordPress 4.9.6 will add some needed features. And after you update, you’ll get this message on your dashboard:
If you have the Akismet Plugin added and updated, as most WordPress sites do, you’ll get this message with the latest message:
“Akismet & Privacy. To help your site be compliant with GDPR and other laws requiring notification of tracking, Akismet can display a notice to your users under your comment forms. This feature is disabled by default, however, if you or your audience is located in Europe, you need to turn it on. Please enable or disable this feature.”
If you have a WordPress site there are several excellent plugins you can add to your site to ensure GDPR compliance, including:
- GDPR by Trew Knowledge: This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
- WP GDPR Compliance by Vans On: This plugin assists website and webshop owners to comply with European privacy regulations known as GDPR. This currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments.
- Call Startup Production to get assistance on verifying if your website is compliant, and what is needed if not.
Other articles that provide more information:
Why should I comply with GDPR when I nor my clients reside in the EU?
The state of California has enacted the California Consumer Privacy Act (CCPA) on January 1, 2020, which applies to for-profits that collect consumer personal data, more specifically any business that meets one of the following:
- Businesses that earn $25,000,000 or more a year in revenue
- Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
- Business that derive 50% or more of its annual revenue from selling consumer personal information
While that may not include you right now, protect your brand, your content and limit your liability by applying the four recommended suggestions above.