It was virtually impossible to read the news last year without being inundated with stuff about the European Union’s General Data Protection Regulation (GDPR). If you didn’t do anything about it at the time, here’s what you need to know for your website to be compliant with these new regulations.
It only applies to EU citizens. So, if you only do business in Canada, you can simply ignore GDPR. However, if you have international visitors and deal with their data, you’ll need to ensure you’re compliant.
GDPR went into effect May 25, 2018.
GDPR is all about personal data. According to the legislation, personal data can consist of “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
For the purposes of the rule, a website that may get traffic from EU visitors is considered a “controller” of the data. This website needs to ensure that the data is handled in a particular way. Penalties for lack of compliance include potential fines of up to 4% of annual global revenue or 20 million euros ($23,714,240 U.S. dollars), whichever is greater.
Here’s what websites need to do to be compliant:
- If you collect any of the data above, your website should have an “Accept” banner, in the same way that websites ask users to “Accept” the use of cookies.
- Forms should state clearly the purpose for which they collect the data.
- Forms must be truly opt-in, including not having any boxes pre-ticked.
- Opt-out and unsubscribe options in email communications should be obvious and easy to find.
- Individuals have the right to request that their data be erased from your servers at any time. In practice, this will likely never actually happen, so the only important thing is to ensure that you have the ability to delete information from your servers as needed.
In general, you need to be more careful about who you market to. This is something you want to do anyway, as U.S. marketing rules are also headed in the same direction (albeit much more slowly). Basically, holding customer data, even data the customer submitted to you themselves, does not entitle you to market to that customer unless the customer has explicitly agreed to be marketed to.
Another thing that’s covered under GDPR is the sharing of data. If you have customers you market to, and then offer this list for purchase by other companies, you might have an issue. The only way you can do this while staying in compliance with GDPR is by explicitly stating to your subscribers that their information may be shared with third parties, and then letting them opt out all over again.
If all this is confusing, don’t worry — nearly every business, small to large, found it incredibly confusing last year too. There are experts in the field who can help. Also, if you’re running a simple WordPress site and don’t want to hire consultants just to ensure you’re compliant, check out these simple WordPress plugins that can help with GDPR compliance.
Have any questions about GDPR? Shoot us a message! We’re not international lawyers, but we may be able to point you in the right direction.