On May 25th, the European Union implemented their country-spanning General Data Protection Regulation (GDPR). Even if you’re not sure what it is or how it affects you, you’ve probably seen the results of this directive in action. New cookie consent notices pop up on home pages, and countless companies sent out emails with updated privacy policies. You may have noticed Anderson Technologies has gone through this process recently. All of this is due to GDPR.
What Does GDPR Change?
GDPR gives citizens in European Union (EU) countries clear rights to their data regardless of who is collecting it or where that entity is located. Some of these rights include:
- The right to know what happens with their data.
- The right to be shown all data collected on them.
- The right to update or modify that data.
- The right to be forgotten or to have all data relating to them deleted.
It also places the burden of informing and obtaining consent to collect data on the entity collecting it. This means it is illegal to use email lists from a newsletter to send promotional advertisements without the user specifically agreeing for you to do so. Most importantly, visitors who refuse to allow their personal data to be collected must receive the same experience as those who allow the collection of their data.
It also demands that those who collect or process personal data do so with data protection at the forefront through means such as pseudonymization, full anonymization of data, and encryption. It becomes the business’s responsibility to protect personally identifiable data and to know that all vendors and third parties with access to it have equivalent security measures in place.
Companies can be fined for failure to comply with GDPR guidelines.
Does GDPR Affect Your Company’s Website?
There is a good chance some aspect of GDPR affects you even if you don’t actively do business in the EU. Personal information can include names, addresses, email addresses, and IP addresses. To collect any of this, even through the use of cookies, explicit consent is required. It’s hard to find any website with zero visitors from EU countries. If even one EU citizen’s data is gathered, then the GDPR relates to you.
The good news is…
Unless you’re actively working with the EU, in which case you’ve probably already implemented compliance standards, only a few sections of the GDPR affect you. And if you don’t collect or transfer any personal data through cookies, contact forms, newsletter sign-ups, or analytics, then it doesn’t matter how many people from the EU visit your site.
The bad news is…
Personal data is collected in ways you might not think about, and just because someone is already signed up for your services or newsletter doesn’t mean their previous consent is compliant. Some means of data collection you might not think about are Google Analytics or share buttons on your site that connect to social media. Also, passive consent (i.e., pre-filled check boxes to sign up for emails or providing an email address that will be used for marketing in order for the user to download an eBook) is no longer allowed.
All consent must be optional and freely given.
Is the EU Going to Come After You?
Keep in mind that if you are seriously concerned about GDPR compliance and the responsibilities your business has in regard to the data you collect, you should contact a lawyer who specializes in GDPR compliance for full legal guidance. The information here is meant to provide a general understanding regarding GDPR and shouldn’t be taken as legal counsel on compliance issues.
For most US-based small businesses that do not have working relationships within the EU and do not intend to court them as potential clients/vendors, the immediate risk of not being 100% compliant after May 25th is minimal. That’s not to say you shouldn’t take practical steps to become compliant if the law affects you. Non-compliance can have steep fines of up to 10-20 million euros or 2-4% of total global turnover—whichever is higher. But those are for serious violations and a last resort after contacting the business about non-compliance and issuing warnings to resolve any problems.
What’s important is that a reasonable effort to comply within the means of your business is made with user privacy and data protection in mind.
Making Your Website GDPR Compliant
The first thing you need to know is whether or not you collect data from EU citizens.
In order to do that, you need to know what data, if any, you collect. This can include analytical data, physical and email mailing lists, names/IDs in comments or forums, and IP addresses. Then it’s time to get consent. Depending on what you collect, there are tools available to help. If you run a WordPress site, this guide can be helpful in figuring out what issues WordPress has already resolved and what issues you need to address.
- Cookie Consent Bar — You’ve probably seen a lot of these lately. If your site installs any cookies, whether for the functioning of the website, collecting analytical data, third-party cookies for plug-ins, etc., then the user must not only be notified, but allowed the option to not have them activated. There’s no need to figure out how to do this all on your own. If you’re not sure if you need a consent bar, Jeffalytics created a flowchart to help figure it out. There are also plenty of plug-ins and add-ons available that will do this for you, and some of them are free. Not all these plug-ins are user-friendly or even fully functional, so your developer should verify that cookies are not added until the user hits accept. Cookies required to run the site can be excluded from the block as long as your Privacy Policy explains why.
- Consent Checkbox Beneath Forms — Whenever you directly collect information, such as asking for name and email address when signing up for a newsletter, it is a good idea to have a checkbox stating that by clicking it the user understands how you are going to use and store their data. If you want to use that email for promotional materials, you can’t without their consent. You can offer a checkmark box for this option during the sign up, but it cannot be pre-checked or a requirement to sign up. The user must check it themselves.
- Google Analytics — Not surprisingly, Google has already done a lot to bring themselves into compliance, but the tools they offer are not in complete compliance since most are meant to collect personal data. So what can you do to fix this without sacrificing all that valuable data? You need to turn on IP Anonymization. Google made this process easy for users by anonymizing all but the final set of numbers in users’ IP addresses. This means you will lose some geographic data, but generally only in local areas. You will still know the country and city of origin.
- Opt-Out — All users must have the option to not only request all the data you collect on them but to ask you to change or delete the data if they wish. This process should be made clear in your privacy policy and quickly implemented upon request. It’s important to keep a record of all contact with users about their personal data and log when data was modified or deleted.
- Privacy Policy — It is important that you have a privacy policy on your website that explains in easy-to-understand, non-legal terms all aspects of your data collection and retention. This is intended to present users with the what, when, how, and why of your data collection, and to inform them of their rights over the data. This is also a good place to display a list of cookies used on your site and their functions. Many of the cookie consent bar plugins provide a short code that will generate this list for you. Your privacy policy should also explain how the user can contact you in order to exercise their rights over the data you collect on them. All communication should be simple to perform and recorded by your business. If you don’t have a privacy policy yet or aren’t sure what needs fixing on an existing policy, NIBusiness Info has a free, fully explained and customizable example available for download.
- Notification of Breach — Perhaps the biggest change from current data practices is the GDPR’s requirement that if your data has been breached, it must be reported within 72 hours of you learning of it. The GDPR also states that the individual whose data is compromised as a result of the breach must also be notified “without undue delay” if the data poses a considerable risk on the rights the GDPR provides EU citizens. This is not required, however, if the data has been made unusable to unauthorized access through means such as encryption.
GDPR may be frustrating to implement, but its goal is to change the way companies look at data collection and retention. It’s just as important in GDPR to know how you protect your customers’ data as it is what data you collect. Security, accountability, and understanding are goals every business should strive for when handling user data. Even if you don’t do business with the EU, it’s a good idea to perform a network security audit to see how safe your company’s data is and if there is room for improvement.
If you’d like help making your website GDPR compliant, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.