You might be hearing a lot about the General Data Protection Regulation (GDPR) lately and wondering what it is and why you should care. And you have undoubtedly received a flood of emails recently from websites and apps about updates to their privacy and cookie policies. You, like most people, have probably ignored them or politely hit delete. But if you own or manage a website, it’s time to pay attention, because these new European privacy rules may well impact you when they go into effect on May 25, 2018.
What is GDPR?
GDPR is a long-overdue update to a 1995 European Union (EU) Data Protection directive. Since the world, and particularly technology, has changed so much since 1995, the EU wisely passed legislation to better protect its citizens. This is a great thing for EU citizens because it gives them many more rights regarding the protection of their data, and adds clarity, transparency and repercussions for websites that are not compliant. But it also requires changes to processes and websites throughout the world, so it’s important to understand more about it.
Who does GDPR apply to?
The first thing to know about GDPR is who it applies to, because that is critical to understanding how much your business may be impacted. This EU regulation applies to businesses throughout the world that handle personal data (e.g., names, addresses, email addresses, ID numbers) of European citizens while they are physically located in the EU. In other words, if someone is on your website while in the European Union and they are a European citizen, GDPR protects them.
So, if you are a local pizza shop in Glastonbury, CT, conforming to GDPR probably isn’t too much of a concern for you. But if you are a large financial institution with customers throughout the world, GDPR conformance is absolutely a priority. What’s more, failure to comply with GDPR can result in significant fines: up to 20 million Euros (about $25M US) or 4% of revenue, whichever is greater. How that will be enforced is still to be determined, but knowing what to do is a great place to start.
Basics of GDPR for Website Owners
For those affected by GDPR, it’s highly recommended that you bring in your legal and compliance partners immediately. They must familiarize themselves with the intricacies of GDPR and inform you of the action items from there. That said, below are the key points to know.
Data Audit: If you haven’t already done so, you should conduct a data audit to understand what personal data is stored in connection with your website. As part of this you should identify the types of data you are collecting, where it’s located, what you do with it, how long it’s stored and whether you’ve gathered explicit consent to hold and use it. This will be a team effort, so be sure to bring in the appropriate marketing, technology and legal/compliance personnel.
Opt-in: Data owners are required to present visitors with an opt-in choice before a company can begin storing, processing or transmitting personal information. For site owners, a real-world example might be a form with a “sign up for our email” checkbox that is checked by default. Under GDPR, that box must be left unchecked and visitors will need to select it themselves to indicate consent. Also, if you have separate email marketing lists, ensure that you are fully transparent about which lists the visitor is subscribing to. And of course, all of your emails must have an unsubscribe link.
Cookies: If your site doesn’t already explain how cookies are used to track activity (e.g., Google Analytics), then it’s important to add that information as well. Make sure to include information about third-party cookies too, if relevant.
Advertising: If you haven’t already noticed, Facebook has made a lot of changes in terms of data management recently. Bottom line: ensure your site is clear about the data collection related to any advertising you are running, including Facebook and others.
Data Breaches: In the event of a data breach, GDPR requires that it be reported within 72 hours of becoming aware of the breach. Additionally, affected individuals must be contacted directly if they could face an adverse impact.
Third-Parties: Check with any third-party services you integrate with to ensure they are meeting GDPR requirements too. This includes third-party forms, live chat functionality and more. While you are at it, check with your email provider to confirm their GDPR compliance.
SSL certificate: If your site does not already have an SSL certificate, you need one. There are numerous reasons to have SSL, but if you have a form and are collecting PII, this is yet another reason to acquire one so that data submitted to your site is protected in transit.
Pseudonymization or anonymization: Try saying that ten times. If your website allows users to sign into accounts (e.g., ecommerce), then read on. GDPR has established regulations regarding how this information is identified and encrypted, and this can get complicated (and expensive) quickly. It’s best to talk to your web development team to understand what you need to do, if anything, to be GDPR compliant.
Remember, GDPR is a great thing for European citizens and provides a level of data protection, with consequences for those who don’t comply. If you feel your business may be impacted by this, or want to be proactive just in case, a great place to start is by talking to your legal and compliance team and your Data Protection Officer (if you have one) to develop a series of action steps that make sense for your business.
The information in this article should not be construed as legal advice. It is a compilation of information gathered from many web sources on the topic of GDPR. You should always discuss data protection and website compliance matters with the appropriate person at your business, using the information in this article as an initial guide.