Is My Site GDPR Compliant?
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new regulation in the European Union aimed at protecting the privacy of European citizens. It affects the way websites collect personal data and how corporations should handle that data. Businesses conducting transactions within EU member states are required to protect the personal information of EU citizens. The regulation stipulates harsh penalties for businesses that fail to comply with new privacy demands.
The basic gist: Site owners must receive consent consent from individual visitors before retargeting, marketing, or mailing. Users must be able to opt out at any time. Sites must make it clear how visitors’ personal data will be stored and used (i.e., have a privacy policy). Site owners are responsible for data security and must follow established reporting protocols within 72 hours if a security breach takes place.
When is the deadline for compliance?
Sites must be in compliance by May 25, 2018.
What types of personal information are protected?
The GDPR’s definition of personal data is pretty broad. It includes IP addresses, location, and cookie data in addition to more specific information such as Social Security numbers, names, and mailing addresses. The GDPR also protects racial/ethnic data, health/genetic data, biometric data, political beliefs, and sexual orientation.
Do I need to worry about the GDPR?
You do if you conduct business in the EU and/or collect personal information from EU citizens. It is not necessary that you have a physical location in the EU to qualify.
GDPR-Compliant Steps You Can Take
Distilling “what you need to know” about the new web privacy regulations in the EU is challenging because much is still unknown. The regulation leaves a lot to individual interpretation, stating that corporations must provide “reasonable” levels of protection but failing to define what such protection might entail. Because of the areas still left grey and undefined by the GDPR, many organizations are adopting a “wait and see” approach regarding certain data collection issues.
Of course, please note that this blog post shouldn’t be taken as legal advice. I’d strongly encourage you to read the GDPR regulations yourself for all the details and to ensure that you are in compliance. Hire a GDPR consultant if necessary to help implement these changes.
With that in mind, here are a few steps you can take to prepare your website ahead of the GDPR compliance deadline:
Create a privacy policy for your website – Create and post a privacy policy if your website doesn’t have one. This policy lets your site visitors know how you collect their personal data and what you will do with it.
Ensure you have a legal basis for personal data collection – There are several options for collecting your visitor’s data under the GDPR. One of the ways you can do this is by requesting explicit consent from your site’s visitors.
Don’t forget third-party widgets and apps – If your site utilizes third-party apps and widgets, be sure to check these for compliance as well. Don’t neglect mobile apps as well.
Allow visitors to opt out of data collection – There are a number of tools available to get your site GDPR compliant by allowing your site visitors to opt out of data collection and be “forgotten” from your databases. Use tools that allow your site to explicitly receive and document user consent before marketing, retargeting, or mailing them.
Make sure your marketing campaigns are GDPR-compliant – The new EU privacy regulations also require corporations to ensure consent from site visitors before sending them marketing mailings. If your business uses email marketing tools such as MailChimp or Constant Contact, you may want to include a disclaimer next to the subscription button on your site, or a checkbox implying that the visitor signing up for your mailing list is providing consent for marketing emails.
Plan for future assessments – Build in a plan for re-assessing your site’s compliance regularly in the future.
Know how to report a breach – GDPR requires that sites properly report security breaches in under 72 hours. It may be a good idea to familiarize yourself with this process ahead of time.
Inform your clients and site visitors – Once you’ve established that your site is GDPR-compliant, let your site visitors know! A recent Varonis Systems survey found that 74% of those surveyed felt that sites compliant with GDPR would have a competitive advantage. Announcing your cooperation with the new regulations can increase client confidence while also serving as an opportunity to refine your company’s data security and management processes.
Looking Ahead: The Future of Internet Privacy Laws
As the discussion around Internet privacy and personal data collection continues to evolve, it’s a good idea as a site owner to stay ahead of new developments and ensure that your site is compliant with the latest applicable regulations. It’s always your job as a site owner to protect the safety of your visitors and to ensure that your website is in compliance with applicable regulations wherever you do business.
If you have questions about your site’s user safety and GDPR-compliance, contact our web design and consulting team at Go West to schedule a meeting.