Web Design & Internet Marketing

Serving Richmond KY & Lexington KY area

How to Protect your Users’ Privacy (GDPR)

What is the General Data Protection Regulation?

On May 25, 2018, the General Data Protection Regulation went into effect. The GDPR is a European Union initiative designed to give consumers greater control and transparency when it comes to the personal data companies are collecting and storing. The law protects individuals in the 28 member countries of the European Union, even if the data is processed elsewhere.

“As an example of the law’s reach, the European Commission, the EU’s legislative arm, says on its website that a social network will have to comply with a user request to delete photos the user posted as a minor — and inform search engines and other websites that used the photos that the images should be removed.” – Wired.com

Now the users will have to be aware in the most obvious format (usually through pop-ups), that they have the ability to opt-in, rather than jumping through hoops to opt-out. And if brands collect any data, they now have to be very upright and transparent on how, where, when and for what purpose they are using that data.  And you can never share that data, regardless of how insignificant you feel it is, with anyone at anytime.
 
Non-compliance is not a choice if your business is affected by the GDPR (see requirements below).  Heavy fines can be imposed for non-compliance, as of May 25, 2018, which could be up to 4% of annual global turnover or $20 Million (whichever is greater).
 

Which companies does the GDPR affect?

Any company or organization that collects, stores and utilizes data about EU Citizens, whether that is inside any of the EU states or in any other country. So if there is any possibility that your website can be viewed and used by a citizen of the EU, you need to comply.  If you have more than 250 employees, or if you have fewer than 250, but your data collection and processing impacts EU citizens, that you also must comply.  A recent survey showed that 92% of U.S. brands “consider GDPR a top data protection priority.”
 
Even in the small chance, the GDPR does not apply to you, it would be advisable to take notice and make needed changes, as change is coming globally sooner if not later.
 

What types of data does the GDPR apply to and protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

 

What Steps should you take to comply with GDPR?

I. Form Submission Notice:   Each form needs to disclose why and how you’re using collected data. For example,  if you have an email signup form on your website, you now need to explain what you will use that content for. For example: “This form collects your name and email so we can email you our monthly newsletter. For more information, please see our privacy policy.”  And oh yes, every website now needs a privacy policy, regardless if you’re selling online or not. If they do provide their data, they need to clearly understand what you use that data for, know how it’s protected and be able to contact you if they want it deleted, or have access to remove it themselves.
 
II. Add a Privacy Policy to your website:  If you have a privacy policy, that is a great first start, but with the new regulations, you will need to simplify your data privacy statements so that your customers, even those without a legal degree, can understand them and agree to them with trust and confidence. If any changes are made to your privacy policy, you need to notify users in an obvious and accessible way. Make sure your existing or revised privacy policy is compliant with current GDPR regulations, and if you don’t feel qualified to write this yourself, please contact your lawyer for confirmation of compliance. (Sample Privacy Policy)
 
III. Notice of Cookies or Retargeting:  If you’re using retargeting pixels, cookies or any other tracking service, you now need to disclose that right from the first page view, with a message similar to this on a pop-up, “This site uses cookies. To see how cookies are used, please review our cookie notice. If you agree to our use of cookies, please continue to use our site.”  Only when they take traceable and deliberate action to agree, then they can continue to view your website, otherwise, they’ll go elsewhere.
 
Under GDPR every user needs to provide opt-in consent before marketers are allowed to track, retarget or mail those users, this also applies to existing users. It also must be easy for users to revoke their consent at any time and have a clear understanding of who is using their data and what it is used for.
 
IV. Protection of Collected Data:  Once that data is collected, you must have a policy in place to keep that data secure, prevent data breaches and regularly audit and cleanse that data. It also reemphasizes the need for an SSL for your website, which ensures all data collected is encrypted.  If you are breached, the GDPR requires a 72-hour reporting window to properly report a breach to all users affected. It would be recommended to hire a third-party Information Technology company specializing in data protection to ensure data security, data breaches, and GDPR compliance.
 

Making your WordPress Site Compliant:

When you update your WordPress to the latest version, WordPress 4.9.6 will add some needed features.  And after you update, you’ll get this message on your dashboard:

“Personal Data and Privacy:  Personal Data Export and Erasure. New Tools have been added to help you with personal data export and erasure requests. Privacy Policy: Create or select your site’s privacy policy page under Settings > Privacy to keep your users informed and aware.”

If you have the Akismet Plugin added and updated, as most WordPress sites do, you’ll get this message with the latest message:

Akismet & Privacy. To help your site be compliant with GDPR and other laws requiring notification of tracking, Akismet can display a notice to your users under your comment forms. This feature is disabled by default, however, if you or your audience is located in Europe, you need to turn it on.  Please enable or disable this feature.”

If you have a WordPress site there are several excellent plugins you can add to your site to ensure GDPR compliance, including:
 

  • GDPR by Trew Knowledge:  This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
  • WP GDPR Compliance by Vans On:  This plugin assists website and webshop owners to comply with European privacy regulations known as GDPR. This currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments.
  • Call Startup Production to get assistance on verifying if your website is compliant, and what is needed if not.

 


Other articles that provide more information:

Share:

No Comments Yet.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.