You have probably been bombarded lately with GDPR Compliance emails asking you to review updated terms and conditions and privacy policies for websites and newsletters to which you are subscribed. We have, too! This is due to the upcoming implementation of the EU’s “GDPR” (General Data Protection Regulation) on May 25, 2018. We’ve got a lot of detail below, but we’ll cut to the chase if you don’t want the nitty gritty:
- If your website does not target an EU country/customer, the GDPR regulations most likely do not apply to your website.
- Some of the requirements for GDPR compliance will likely be implemented at some point in other countries, including the US.
- Requesting user consent is also of growing importance on websites. If you collect any information, including a user’s email on a contact form, or even if you have Google Analytics on your website anonymously tracking user behavior, you should explain how this data is used and ask for visitors’ consent when they use or browse your website.
We are not lawyers! The information we are sharing is gathered from various sources regarding GDPR, some of which included collaboration with a law firm. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.
WHAT IS GDPR?
Generally speaking, the intent of the GDPR is to ensure that the privacy of internet users is protected by default, not as an afterthought. The GDPR puts a real focus on transparency but also on giving people granular control over what is done with their data. It lays out six guiding principles:
- Data shall be processed “lawfully, fairly, and in a transparent manner.”
- Data shall be “collected for specified, explicit and legitimate purposes.”
- Data processing shall be “limited to what is necessary” for the purpose.
- Data shall be accurate, kept up to date, and correct.
- Data shall be kept so it identifies a person “no longer than is necessary.”
- Data shall be “processed in a manner that ensures appropriate security.”
In addition, there are four rights that users have:
- Data portability: Under GDPR, an individual located in the EU may request that you send them any personal data in your possession. In this case, you would need to provide the requester with any personal data that you have in a commonly used, machine-readable format.
- The right to be forgotten: A person can request to be “forgotten”; that is, to have all of their personal data removed from your possession. If you are asked to do this, you will need to remove any personal data you have collected from the requester. You will also need to contact any third parties, such as Constant Contact or MailChimp, that process personal data on your behalf.
- Access: Any data subject can ask the controller of their information to confirm how and where their personal data is being stored and processed. The data subject also has a right to know how that data is shared with third parties.
- Rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
The WordPress Core team just pushed out a release that focused on these items. As part of your annual or monthly maintenance fee, we updated your WordPress Core with this new release. This update added functionality to easily send a user the data you have collected on them. Under Users/Privacy Tools, you can generate and send a downloadable file when someone requests their user data.
HOW DOES THIS AFFECT MY WEBSITE/MY BUSINESS?
Essentially, if you mention EU citizens on your site or market to them directly in any way, you must comply with GDPR. According to Forbes, “The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.”
We realize that GDPR will not apply to most of you, but we believe that the requirements for protecting the privacy of users’ data will be considered best practices in the U.S. sooner rather than later. If you begin implementing these requirements now, you will be ahead of the curve when U.S. policies change.
HOW CAN I ENSURE MY WEBSITE IS COMPLIANT WITH GDPR?
Again, we are not lawyers! The information we are sharing is gathered from various sources regarding GDPR.
To comply with GDPR on your website, your users must have a way to affirmatively confirm that they agree to have their data collected for the purposes you set out. It must be documented that they gave consent, not merely that they used a form on your site. This means that each and every form on your site should have an input that makes it explicit that the visitor agrees to have their information collected. We can help you with these changes. However, note that unless your website must be GDPR-compliant (as noted above, targeting EU customers), you do not need to implement these changes immediately.
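As an added illustration (not code from this post or from Design TLC), here is one way a form handler on a PHP/WordPress site could enforce and record the explicit consent described above. The field name `gdpr_consent`, the policy version constant and the `record_consent()` helper are assumptions; the sample input is constructed.

```php
<?php
// Added example: server-side handling of an explicit consent checkbox.
// The form must render the box unchecked, e.g.
//   <input type="checkbox" name="gdpr_consent" value="yes"> I agree to ...
// A pre-ticked box is not affirmative consent, and a missing or unchecked
// box must reject the submission rather than silently store the data.

const PRIVACY_POLICY_VERSION = '2018-05-25'; // assumption: bump when your policy text changes

function consent_given(array $post): bool {
    // Only the literal value rendered in the form counts; other values
    // ("on", "1", "true") from a tampered request are not treated as consent.
    return isset($post['gdpr_consent']) && $post['gdpr_consent'] === 'yes';
}

function build_consent_record(array $post, string $purpose, string $policy_version): ?array {
    if (!consent_given($post)) {
        return null; // caller re-displays the form with an error and stores nothing
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // What was agreed to, when, and under which policy text: this is the
    // evidence that consent was documented rather than implied by form use.
    return [
        'email'          => $email,
        'purpose'        => $purpose,
        'policy_version' => $policy_version,
        'consented_at'   => gmdate('c'),
    ];
}

// Usage in a form handler (constructed sample input, as if from a newsletter form):
$sample = ['email' => 'visitor@example.com', 'gdpr_consent' => 'yes'];
$record = build_consent_record($sample, 'Monthly newsletter', PRIVACY_POLICY_VERSION);
if ($record === null) {
    http_response_code(400);
    echo 'Please tick the consent box to subscribe.';
} else {
    // record_consent($record); // hypothetical helper: store alongside the subscription
    echo 'Thanks, your consent has been recorded.';
}
```

Keep the stored record together with the subscriber data so that a portability or removal request (described earlier) can return or delete both in one step.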
Apart from promptly responding to requests from EU data subjects as described above, there are things you can and should do to help ensure compliance. Here are some suggestions to get you started:
- Inform your visitors and get their consent. Whenever you need to collect data from a user, make sure to clearly state, among other things, why you need it, what you plan to use the data for, whether it may be shared and with whom, and the lawful basis on which you are relying to collect such data. For example, if you have a newsletter or mailing list, make sure that the purpose of your sign up form is very obvious so they know what they are signing up for.
- Evaluate third-party apps and vendors for compliance. If you are using any third-party services to gather or process customer data (such as Constant Contact, MailChimp, etc.), you will need to check with those companies to verify that they are GDPR compliant and will assist you with, among other things, users’ data removal and portability requests.
We’ve created a special service to address some privacy issues which relate to GDPR. If your business targets the EU, we recommend that you work with a lawyer to ensure compliance. These steps will take care of some basic privacy and consent issues which, while not required in the US, will be helpful in preparing for future regulations relating to user privacy. The service we are offering includes:
- Check your forms: Each of the forms on your site requires (for GDPR), or should have (as a general best practice), either a disclaimer or a consent checkbox.
This service is available exclusively for our Basic Maintenance clients. Click here to sign up for this service.
We hope that this takes some of the mystery out of GDPR. If you have any further questions, please contact us. We thank you for your business!
Using our service does not guarantee compliance with GDPR. By using our service, you agree to this disclaimer. Our services are NOT meant to constitute a client-attorney relationship or personalized legal advice. Design TLC is not liable for any claim or action based on any information or functionality provided by the tools we use. For a compliance audit or further help, contact legal professionals. As each business and situation is unique, you might need to modify, add or delete information in these templates. In addition, you will need to audit all of your processing activities to achieve compliance with GDPR. Compliance with GDPR is an ongoing process. We are here to get you started.