It all has to do with GDPR. Maybe you've heard of it?
If not, you should learn about it if you do any business online or even if you just have a website. You may be at risk. Read on to find out why.
What is it?
GDPR stands for General Data Protection Regulation which is a data privacy law enacted by the European Union.
Don’t stop reading because you think it doesn’t apply to you – because it will affect people around the world, not just in Europe.
Here it is in a nutshell:
* It will affect anyone who handles personal data such as names and emails (in addition to other kinds of individually identifiable information) of EU citizens.
* It adds new obligations for anyone who processes that data and makes them responsible for the safety of the information and accountable for the way it’s used.
* It applies to ANYONE who collects personal data, not just businesses.
* The fines for non-compliance are huge – up to $24 MILLION or 4% of GLOBAL revenue (whichever is higher).
So it’s pretty wide-ranging, could easily apply to you and the penalties for non-compliance are astronomical.
Let’s go a little deeper into just what it does.
Basics of the GDPR
It tightens EU laws about what you can do with someone else’s personal data and it gives that person more control over how their data is collected and used.
But what is “personal data”? It’s anything that can identify them. That includes name, address, email, user name and even the IP address their computer uses when they’re online.
Companies and websites that collect personal data have to ask for permission more often and have to be more careful about how that data is shared. It might surprise you how often data is shared – for example, it could be shared with an email provider, an analytics service or an advertising tracker. Have you ever looked at a product online and then seen the same thing in your Facebook feed? If it seemed like you were being followed, you kinda were.
Anyone or any company that processes personal data has to be able to explain why they need it and what they’re doing with it.
If you have an opt-in form on your website, be sure to explain how you will be using that person’s email. Compare “Receive this free report.” with “Receive tips and recipes directly to your inbox, starting with this special report on how to reduce your dependence on insulin injections.” With the first example, they’ve given you permission to send the report and nothing else. In the second example, you can also add them to your mailing list.
Data collected should also be limited to what is required to achieve the stated objective. In the above opt-in form you could ask for an email address and possibly their name. Asking for the person’s age, gender and phone number in addition is excessive.
Sometimes there is a legitimate interest in collecting data without asking for consent. In such cases, openness and transparency about what data is collected and how it’s processed will help make it a fair use.
Once data is collected, it must be kept accurate and up-to-date. Whether someone contacts you to update their email or you get regular bounce-backs, you should take reasonable steps to update that data.
The data must also be kept secure.
Will the GDPR affect you?
The GDPR is designed to protect consumers in the EU. It doesn’t matter where the person who collects their data is based. If they can give you their data in any way, you need to be compliant.
It doesn’t matter whether or not you offer anything for sale to someone in the EU. The important point is whether you are a “Data Controller” – which is someone who decides:
* to collect data,
* what kind of data is collected and
* why it’s collected.
If you have a website, you may not even realize you are a “Data Controller.”
You could, for example:
* Use Google Analytics to understand how visitors are using your website.
* Enable the Facebook pixel to track page views and show targeted ads to visitors when they log into Facebook.
* Collect email addresses. It may be to send a newsletter or updates. Or it could be in exchange for a piece of content or a small item, with the intent to send other emails in future (often in an autoresponder with occasional sales pitches).
* Have a website built with WordPress or another Content Management System. With blog comments enabled, the software will require commenters to register using their names and email addresses before they can comment. The software will set cookies when they register or login. There may also be plugins that collect personal data.
* Have a hosting company that tracks visitors’ IP addresses, which is a good thing because it can protect websites from hackers. However, the GDPR considers IP addresses to be personal data.
* Provide a service – and even blogging is considered a “service” because it’s providing information.
Do you do any of those things? If so, you could be subject to the GDPR – and the enormous fines for non-compliance.
What should you do?
First, determine if you are at risk and whether you want to take proactive steps to protect yourself or wait and see how the regulation will be interpreted. Which you choose depends on how clearly you fall within the regulations and your tolerance for risk.
Another option is to take some basic steps and then make revisions and additions as more information becomes available.
Because the regulation protects people of the EU specifically, you could block any traffic from there. That might be an option for a local business, such as a plumber who only works in Chicago.
If you’re not just local, blocking might not be a good idea, as 25% of all website traffic comes from Europe.
If you decide to take proactive steps, first determine what data you collect. The most obvious would be the names and emails collected via contact and opt-in forms. But don’t forget data collected by systems such as Google Analytics, Facebook pixels, WordPress (or another CMS) and any plugins.
Also determine the minimum data you need to collect and stop collecting anything above that. If you can’t justify collecting something, don’t ask for it.
Check your security:
* Make sure any login credentials are kept private.
* Use strong usernames and passwords.
* Use reputable plugins.
* Keep all forms of data storage (e.g. external hard drives) physically protected.
* Make notes of how you secure any data you process.
Also check with your hosting company to see what security processes they have in place. Get a written statement from them that they are GDPR-compliant.
Even if the GDPR doesn’t apply to you, it would be wise to start taking steps to protect the personal data of all of your visitors. It not only makes good sense, but I wouldn’t be surprised to see other similar regulations spread throughout the world soon.
Contact us if you need some help making your website compliant with GDPR.
Disclaimer: This post is for informational purposes only, and you should not consider it legal advice. We recommend that you seek legal and other professional counsel to determine exactly how the GDPR might apply to you.