Businesses are scrambling to comply with a new policy in the European Union. If you have a website or an email list, you absolutely need to be concerned about this new policy. This article goes over some of the basics of the new policy, and explains what you as a business owner need to do, to ensure that you don’t receive a hefty fine.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the new data privacy law that will come into effect in the European Union on May 25, 2018. The regulation addresses data protection, privacy, and data rights for people in the European Union. The GDPR has been in the works for two years. The regulation also gives individuals specific rights over their personal data – including the right to access their data, to correct their data, to restrict their data, and to delete their data. While the discussion on GDPR has been surfacing recently, the policy has in fact been in effect since April 27, 2016 – though it now will be enforceable as of May 25, 2018.
The GDPR introduces a new set of digital rights to EU citizens. It is a regulation, which means that as of May 25th all businesses and individuals that collect personal data from people within the European Union must comply. Local and national governments cannot opt out of the GDPR, and penalties for noncompliance can be up to €20 million, or 4% of a company’s worldwide business – whichever is greater.
When the GDPR takes effect, it will impact how companies handle personal data about their customers.
Who is Affected by The GDPR?
It is very important to note that you do not have to be in the European Union in order to be legally bound by the GDPR. In fact, if you have a website, and if your website collects any type of personal data from individuals in the European Union, you must be compliant with the GDPR.
The GDPR protects the data of those in the EU, and in general if you have a website, you are affected by this regulation – even if your business is located in the United States.
What Does This Mean in Plain English?
If you have a website, then you need to be ready to protect the data of people who interact with it. You must let your website visitors know if you collect data about them, and you must record when that data was collected. If a website visitor asks you to give them the data you have about them, you have to be able to do so – which means, you need to be able to let people know what information you have about them, and when/where you collected that information. This includes, but is not necessarily restricted to:
- Web Page Contact Forms
- Lead Generation Forms
- Email Newsletter Signup Forms
- Cookies
- Website User Account Creation
- E-Commerce Transactions
- Website Registrations or Subscriptions
- Blog, or Other Website Content Commenting
- Website Polls, Surveys, or Forms
- Any Website Application that Collects IP Addresses
- Google Analytics
- Third-Party Software Website Integrations
What is Considered to be Personal Data, and How Do Websites Collect It?
According to the GDPR, Personal Data is any information that could identify an individual. This could be a number of different things: name, address, email address, birthday, social media account, phone number, IP address, or even a cookie ID.
Some websites make it very obvious that personal data is collected – but others may not.
- If you have an E-Commerce website, and collect payment and/or shipping information to process orders, you are collecting personal data on your website.
- If you have a membership section on your website, or allow users to login with Facebook or Google, you are collecting personal data on your website.
- If you have an email sign-up form on your website, you are collecting personal data on your website.
- If you have a contact form on your website, you are collecting personal data on your website.
- If you have a WordPress website with a blog, and you allow users to comment, you are collecting personal data on your website.
- If you have Google Analytics installed, you are collecting personal data on your website.
- If your website uses cookies (which pretty much every WordPress, SquareSpace, Wix, or other website does), you are collecting personal data on your website.
Yes, You Are Collecting Personal Data On Your Website.
Chances are pretty good that you are collecting personal data on your website. Feel free to give us a call at 763-350-8762 if you want to verify this.
I’m Not In The EU. Do I Need To Do Anything On My Website?
Yes.
Even though your business is not in the European Union, and even if you don’t market to the EU, it is entirely possible that someone in the EU could stumble across your website. You could take drastic measures, such as trying to restrict anyone from the EU from accessing your website, but this would likely be more cumbersome and expensive to your business than it would be to comply with the GDPR. The point is that if your website makes it possible for someone from the EU to submit their information in any fashion, whether that is an email subscription or a simple blog comment, you need to take action.
- Update your website’s Privacy Policy. Regardless of whether you do business with EU citizens, it is required by law that your website have a privacy policy for users to access. You should update your website’s privacy policy to clearly state what types of information you collect. If your website uses cookies (it most likely does), it is a good idea to list the cookies it sets in your Privacy Policy.
- Require website visitors’ consent before they can submit any information. Every contact form, or comment field, on your website must have a required box that is not checked by default, informing visitors that filling out the form is giving you their personal information.
- Keep a record of when, and how, you receive customer information. If your website utilizes contact forms, be sure that you are keeping a record of when those forms were submitted, in the event that one of your users asks what information you have on file about them, and when you obtained it.
What Else Needs To Be Done?
Review all personal data you currently have on file. In general, you should be aware of what information you have about individuals. We recommend you go through your website contact forms, your email newsletter lists, your CRM or lead management systems, and make note of how many people you have information about, and what information you have saved. Ensure that information that you do save is stored in a secure environment, and can be deleted upon request. Delete all non-relevant information, or information that you do not need to keep.
Make it easy for people to request their data and opt out. Typically, this means a statement on your privacy page that makes it very easy for your users to contact you. Your users need to be able to ask exactly what information you have on file, and when you obtained that information – and your Data Protection Officer needs to be able to give them that information. You need to make it easy for users to find this information – typically, this means making sure that your privacy policy is accessible from every page on your website. You must also make sure that users have a clear “unsubscribe” option in every piece of email marketing you send them. If you aren’t using an email service like MailChimp or Constant Contact to manage your bulk mailing campaigns, now is the time to set that up.
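The consent, record-keeping, and data-request steps above, as an added example that is not code from the original article: a minimal server-side form handler that refuses any submission whose consent box was not explicitly ticked (checkbox names are absent from the POST body when unchecked, so only the exact value "on" is accepted), stamps each accepted submission with when and from which form it arrived, and can export or erase everything held about one email address. The store class and field names are assumptions for illustration.

```python
# Added example (not from the original article): explicit-consent form handling
# with a collection timestamp, subject access export, and erasure on request.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class ConsentRecord:
    email: str
    fields: dict        # the personal data actually submitted
    source: str         # which form collected it, e.g. "contact-form"
    consented_at: str   # UTC ISO-8601 timestamp of the submission


class PersonalDataStore:
    """In-memory stand-in for wherever a site keeps form submissions (assumed)."""

    def __init__(self):
        self._records: list[ConsentRecord] = []

    def submit(self, form: dict, source: str) -> ConsentRecord:
        # An unchecked HTML checkbox is simply missing from the request, so the
        # box must not be pre-checked server-side either: only "on" counts, and
        # a missing key or any other value (e.g. "true" injected by a script)
        # is rejected before any personal data is stored.
        if form.get("consent") != "on":
            raise ValueError("submission rejected: consent box not ticked")
        personal = {k: v for k, v in form.items() if k != "consent"}
        rec = ConsentRecord(
            email=personal["email"].strip().lower(),
            fields=personal,
            source=source,
            consented_at=datetime.now(timezone.utc).isoformat(),
        )
        self._records.append(rec)
        return rec

    def export(self, email: str) -> list[dict]:
        """Subject access: every record held about one address, with when and where it was collected."""
        email = email.strip().lower()
        return [asdict(r) for r in self._records if r.email == email]

    def erase(self, email: str) -> int:
        """Deletion on request; returns how many records were removed."""
        email = email.strip().lower()
        before = len(self._records)
        self._records = [r for r in self._records if r.email != email]
        return before - len(self._records)
```

A real site would persist the records and key the export and erasure on a verified identity rather than a bare email string.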
You May Need To Appoint A Data Protection Officer. According to the GDPR, companies that handle and process large amounts of data from users in the EU must appoint a Data Protection Officer. A Data Protection Officer will oversee how your organization collects data, and how they store and process it.
A Data Protection Officer is a formal role, with job descriptions mandated by the GDPR. Not all companies necessarily need to have a Data Protection Officer in place, but if you do a fair amount of business with people in the EU, you should consult your attorney to talk about this position, and how your business may be impacted by it. Your business’s need to employ someone with this role does not depend on how large your business is. Rather, it depends on how you process the personal data of EU residents. A small, 3-person team that collects data from 5,000 EU residents per day will need to have a DPO on staff.
A data tree produced by DPO Network Europe may help you determine if you need to appoint a Data Protection Officer – but in general, you should consult an attorney to determine if this applies to your business.
Ask Users To Resubscribe To Your Email List. MailChimp, Constant Contact, and other newsletter list management services are recommending that you ask everyone on your email list to resubscribe to your newsletter prior to May 25, 2018. You will need to have GDPR compliant forms for newsletter signup on your website as of May 25th.
I’m Still Confused. What Do I Really Need To Do?
The short of all of this is that the European government is doing a lot to ensure that personal information about its citizens is safe and secure. Just because you are a US-based business doesn’t mean you get a free pass. Whether intentional or not, by virtue of having a website online you are inviting people all over the world to share their personal information with you.
Our first recommendation is that you consult your business attorney to see if your business needs to take drastic measures to tighten up your privacy policy and keep data secure. There are some very minimal things you need to do on your website, which we’ve gone over above.
Can You Help?
Yes, we can. Again, though, I want to reiterate that we are not attorneys, so while we can make updates to your website to help with compliance, we cannot provide legal advice nor can we be responsible for any outcome. As a business owner, you own your website. We recommend seeking legal counsel, and then letting us know what changes you would like implemented on your website.
Making a website GDPR compliant is a task that could take a considerable amount of time. We value each and every one of our customers, which is why we have invested a significant amount of time into notifying businesses about this regulation. It would be great if we had a quick fix for this, but the reality is that GDPR compliance is going to take our staff quite a bit of time, and these are website updates that fall under standard development rates. We are handling compliance on a per-case basis, by request, in the order requests come in.
Give us a call at 763-350-8762 if you want us to assist you with making your website compliant.