You have probably been bombarded lately with GDPR Compliance emails asking you to review updated terms and conditions and privacy policies for websites and newsletters to which you are subscribed. We have, too! This is due to the upcoming implementation of the EU’s “GDPR” (General Data Protection Regulation) on May 25, 2018. We’ve got a lot of detail below, but we’ll cut to the chase if you don’t want the nitty gritty:
- If your website does not target an EU country/customer, the GDPR regulations most likely do not apply to your website.
- Some of the requirements for GDPR compliance will likely be adopted at some point in other countries, including the US.
- Requesting user consent is also of growing importance on websites. If you collect any information, including collecting a user’s email on a contact form, or even having Google Analytics on your website (which tracks user behavior with cookies and records IP addresses unless you turn on its IP-anonymization setting), you should explain how that data is used and ask for visitors’ consent when they use or browse your website.
WHAT IS GDPR?
Generally speaking, the intent of the GDPR is to ensure that the privacy of internet users is protected by default, not as an after-thought. The GDPR puts a real focus on transparency but also on giving people granular control over what is done with their data. It lays out six guiding principles:
- Data shall be processed “lawfully, fairly, and in a transparent manner.”
- Data shall be “collected for specified, explicit and legitimate purposes.”
- Data processing shall be “limited to what is necessary” for the purpose.
- Data shall be accurate and, where necessary, kept up to date.
- Data shall be kept so it identifies a person “no longer than is necessary.”
- Data shall be “processed in a manner that ensures appropriate security.”
The GDPR also gives individuals (“data subjects”) specific rights over their data, including:
- Data portability: Under GDPR, an individual located in the EU may request that you send them the personal data you hold about them. In this case, you would need to provide the requester with that data in a structured, commonly used, machine-readable format (for example CSV or JSON).
- The right to be forgotten (erasure): A person can request to be “forgotten”; that is, to have their personal data removed from your possession. If you are asked to do this, you will need to delete the personal data you have collected from the requester, unless you have a legal obligation to retain some of it (for example, invoicing records). You will also need to pass the request on to any third parties, such as Constant Contact or MailChimp, that process personal data on your behalf, so that they delete their copies too.
- Access: Any data subject can ask the controller of their information to confirm how and where their personal data is being stored and processed. The data subject also has a right to know how that data is shared with third parties.
- Rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
HOW DOES THIS AFFECT MY WEBSITE/MY BUSINESS?
Essentially, if you offer goods or services to individuals in the EU or market to them directly in any way, you must comply with GDPR. According to Forbes, “The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.” We realize that GDPR will not apply to most of you, but we believe that the requirements for protecting the privacy of users’ data will be considered best practices in the U.S. sooner rather than later. If you begin implementing these requirements now, you will be ahead of the curve when U.S. policies change.
HOW CAN I ENSURE MY WEBSITE IS COMPLIANT WITH GDPR?
Again, we are not lawyers! The information we are sharing is gathered from various sources regarding GDPR. To comply with GDPR on your website, your users must have a way to confirm affirmatively that they agree to have their data collected for the purposes you set out. It must be documented that they gave consent, not that they simply used a form on your site. This means that each and every form on your site should have an input, such as an unticked checkbox, that makes it explicit that the visitor agrees to have their information collected, and you should keep a record of when they agreed and what they agreed to. A pre-ticked box, or consent buried in terms nobody reads, does not count as an affirmative action. We can help you with these changes. However, note that unless your website must be GDPR-compliant (as noted above, targeting EU customers), you do not need to implement these changes immediately. Apart from promptly responding to requests from EU data subjects as described above, there are things you can and should do to help ensure compliance. Here are some suggestions to get you started:
- Inform your visitors and get their consent. Whenever you need to collect data from a user, make sure to clearly state, among other things, why you need it, what you plan to use the data for, whether it may be shared and with whom, and the lawful basis on which you are relying to collect such data. For example, if you have a newsletter or mailing list, make sure that the purpose of your sign up form is very obvious so they know what they are signing up for.
- Evaluate third-party apps and vendors for compliance. If you are using any third-party services to gather or process customer data (such as Constant Contact, Mail Chimp, etc.), you will need to check with those companies to verify they are GDPR compliant and will assist you with, among other things, users’ data removal and portability requests.
- Check your forms: Each form on your site requires (for GDPR) or should have (as a general best practice) either a clear notice of what the data will be used for, where you rely on a lawful basis other than consent, or an unticked consent checkbox, where consent is your lawful basis.
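The following is an added example, not code from the original post: a newsletter sign-up form with an explicit, unticked consent checkbox, and the server-side check that refuses the submission unless the box was ticked and then writes down what was consented to and when. The field names, the purpose text and the privacy-notice version string are illustrative assumptions; wire `recordConsent` into whatever framework handles your POST bodies.

```javascript
// Added example (not from the original post). Field names, purpose text and the
// privacy-notice version are hypothetical; adapt them to your own form.

const PRIVACY_NOTICE_VERSION = "2018-05-01"; // bump this whenever the notice text changes
const NEWSLETTER_PURPOSE =
  "Send you our monthly newsletter by email. We share your address with " +
  "our mailing-list provider only to deliver it. You can unsubscribe at any time.";

// The form as served to the visitor. The consent checkbox has no `checked`
// attribute: a pre-ticked box is not a clear affirmative action. The purpose
// statement sits next to the box so the visitor sees exactly what they agree to.
const signupFormHtml = `
<form method="post" action="/newsletter/signup">
  <label>Email <input type="email" name="email" required></label>
  <p>${NEWSLETTER_PURPOSE}</p>
  <label>
    <input type="checkbox" name="newsletter_consent" value="yes">
    I agree to receive the newsletter as described above.
  </label>
  <input type="hidden" name="notice_version" value="${PRIVACY_NOTICE_VERSION}">
  <button type="submit">Subscribe</button>
</form>`;

// Sanity check you can run in a test or a build step: the consent checkbox in
// the served markup must not carry a `checked` attribute.
function consentBoxIsUnticked(html) {
  const box = html.match(/<input[^>]*name="newsletter_consent"[^>]*>/);
  return box !== null && !/\schecked\b/.test(box[0]);
}

// Server side. `fields` is the parsed POST body as a plain object of strings.
// Browsers omit an unchecked checkbox from the submission entirely, so a missing
// field means "no consent"; never default it to true.
function recordConsent(fields, now = new Date()) {
  const email = (fields.email || "").trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: "invalid email" };
  }
  if (fields.newsletter_consent !== "yes") {
    return { ok: false, reason: "consent checkbox not ticked" };
  }
  // The visitor consented to the notice text they actually saw. If the notice
  // changed after the page was rendered, re-display the form instead of
  // recording consent to text they never read.
  if (fields.notice_version !== PRIVACY_NOTICE_VERSION) {
    return { ok: false, reason: "privacy notice changed; re-display form" };
  }
  // This record is the evidence that consent was given, for what, and when.
  // Store it alongside the subscriber and keep it until the consent is withdrawn.
  return {
    ok: true,
    record: {
      email,
      purpose: NEWSLETTER_PURPOSE,
      noticeVersion: PRIVACY_NOTICE_VERSION,
      consentedAt: now.toISOString(),
      method: "checkbox:newsletter_consent",
    },
  };
}
```

The record returned on success is what answers an access request ("what did I agree to?") and what you hand to your mailing-list provider along with the address, so that a later erasure request can be traced through to them as well.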