First, this is not legal advice and I am not a lawyer. It’s always a good idea to check with your lawyer on these kinds of things.
GDPR stands for General Data Protection Regulation. This is new legislation that protects the personal data of individuals in the European Union (EU) and Great Britain. The EU has said it can fine businesses up to €20 million or 4% of global annual revenue for violating the law.
Some of you may have heard about this GDPR law that will be taking effect on May 25, but some of you may not. We’re going to start out with what GDPR is and how it will most likely affect you or your business.
Wait, you say! I’m not in the EU, so I’m good. Unfortunately, no. That’s not the case. This law applies to any business or organization that offers goods or services to people within the EU. What this means is that if someone who is in the EU comes to your site and you collect personal data on them, then it applies to you.
Now, this data includes a lot more than name and address. It includes all of the following information:
- Physical address
- Email address
- Phone number
- Last 4 digits of their credit card number
- Shipping tracking number
- IP address
If you use Google Analytics to track people coming to your website and it collects their IP address, it applies to you.
If you allow people to comment on your site and someone adds their email address to comment, it applies to you.
If you have an email newsletter subscription form or a contact form on your site, it applies to you.
So, at this point, we are going to assume it applies to most websites. What do you need to do about it?
- Audit your website. List everywhere you collect data, what you collect, and why you collect it.
- Create a document that lists your policies and procedures for what you do with that personal data. Part of this law is being able to provide individuals with all the data you have on them if they request it. You also need to be able to change or delete that data if requested. You will need a process for how all of this is handled. You will also need a plan for what to do if you have a data breach.
- Create a privacy statement that explains what you collect and what you do with it.
- Add opt-in boxes to any place you collect information so people can opt in to you storing their data. An already checked box, or assuming your customers are okay with everything you do with their data, isn’t going to cut it anymore. Individuals on your site will need to actively check the box saying they agree to you storing their data.
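The following is an added example, not code from the original post or from any WordPress plugin, showing how the two points above fit together in a newsletter signup: the consent checkbox is rendered without a `checked` attribute, the server-side check treats anything other than an explicit tick as no consent, and a small record keeper can hand back or erase everything held about one email address when someone asks. Function names, the `/subscribe` action, the `consent` field and the in-memory store are assumptions made for this illustration; a real site would persist the records in a database.

```javascript
// Added example (not from the original post). Names and the in-memory store
// are assumptions; the pattern is what matters.

// Render the signup form. The checkbox deliberately carries no `checked`
// attribute, so the visitor has to tick it themselves.
function renderSubscribeForm() {
  return [
    '<form method="post" action="/subscribe">',
    '  <label>Email <input type="email" name="email" required></label>',
    '  <label><input type="checkbox" name="consent" value="yes">',
    '    I agree to receive the newsletter and to my email address being stored for that purpose.</label>',
    '  <button type="submit">Subscribe</button>',
    '</form>',
  ].join('\n');
}

// Validate a submitted form body on the server. Only the exact value the
// form sets ("yes") counts as consent; a missing field, an empty string or
// anything else is treated as "no", so a defaulted or pre-filled value
// cannot slip through.
function validateSubmission(body) {
  const email = typeof body.email === 'string' ? body.email.trim() : '';
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: 'invalid email' };
  }
  if (body.consent !== 'yes') {
    return { ok: false, reason: 'consent not given' };
  }
  return { ok: true, email };
}

// Minimal record of what is held about each person, keyed by email, together
// with the consent entries (purpose and time) that justify holding it.
class PersonalDataStore {
  constructor() {
    this.records = new Map();
  }

  recordConsent(email, purpose, now = new Date()) {
    const key = email.toLowerCase();
    const rec = this.records.get(key) || { email, consents: [], data: {} };
    rec.consents.push({ purpose, at: now.toISOString() });
    this.records.set(key, rec);
    return rec;
  }

  // Access request: return a copy of everything held about this person,
  // or null if nothing is held.
  exportFor(email) {
    const rec = this.records.get(email.toLowerCase());
    return rec ? JSON.parse(JSON.stringify(rec)) : null;
  }

  // Erasure request: drop the record entirely; true if something existed.
  eraseFor(email) {
    return this.records.delete(email.toLowerCase());
  }
}

// Handle one submission end to end: reject without explicit consent,
// otherwise store the consent record alongside the address.
function handleSubscribe(store, body) {
  const result = validateSubmission(body);
  if (!result.ok) return result;
  store.recordConsent(result.email, 'newsletter');
  return result;
}
```

Two design choices worth noting: the validation key is the exact value the form emits, so a checkbox that was never rendered on the page (or a request built by hand without it) fails closed, and the consent entry stores the purpose and timestamp so that you can later show what a person agreed to and when.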
Now, this is a very brief summary of what goes into compliance with this law. I’ve listed a few articles below that do a much more detailed job of explaining everything you need to know. I’ve also listed a couple of WordPress plugins that might be able to help you as you figure out whether you are GDPR compliant.
Do you have any questions or need help figuring out if your website is compliant? Hit reply and let me know how I can help!