Have you been receiving emails lately informing you that companies you do business with have updated their privacy policies? Maybe you haven’t paid much attention, or maybe you’ve just ignored it because they’re boring to read.
If you own a business, you may want to listen up. Your business may be affected.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.
Businesses that are not in compliance with GDPR’s requirement can face large fines up to 4% of a company’s annual global revenue OR 20 million euros ($23 million US), whichever is greater.
Do I Have Your Attention Yet?
This high fee is no doubt to get the attention of large companies like Facebook and Google, but it is reason enough to cause wide-spread panic among businesses around the world.
While GDPR has the potential to escalate to those high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.
At the heart of the GDPR is the protection of a person’s private information. It requires companies to know what they are doing with personal data, how companies are processing it, where it is being used, permit people to see what data companies have, find out how long companies are going to use it, and be sure to erase it when people want it to be erased or at the very least, when companies are done with it.
The personal data includes: name, emails, physical address, IP address, health information, income, etc.
While the GDPR regulation is 200 pages long, Web Privacy And WordPress GDPR Compliance – The Definitive Guide lays it out quite nicely. Or if you want to get into the nitty gritty of it all, go to the horse’s mouth and read about the law.
Does It Affect Me?
Your business is out there on the world wide web, so you can collect data from an EU citizen whether you intended to or not. Even if you consider blocking Europe, you are still not protected as the protection travels with the EU citizen.
Technically, GDPR applies to everyone handling the personal data of EU citizens, even if they are not based in the EU.
Starting from May 25, your website visitors have certain new rights. To give you a very short overview that omits a million details: they can request a copy of all of their data you are storing, both in human- and machine-readable format. They can request you to delete all of it. You need to have a good legal basis for gathering and using any data. Alternatively, you need to ask for consent for each purpose separately. Your customers must be able to withdraw the consent they’ve given at any time. And you are obliged to inform them of everything you do with their data, everyone you share their data with and all of their rights regarding GDPR.” The WordPress GDPR Framework
While GDPR is focused on websites servicing the EU, think about this. Are websites isolated to certain regions of the world, or do they reach every corner of the world? What countries make up the EU: EU Countries
If you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. It wouldn’t surprise me if the regulation gets adopted by other countries at some point down the road, so you might as well be prepared.
The regulation does not limit its scope to the physical location of the data being stored, only that the data is concerning EU citizens.
Think about ways that your site might be storing data:
- Is it a WordPress site?
- Does is have a contact form on it? (Visitors to your site fill out a form because they want to learn more about a service you provide.)
- Is there an opt-in form? (You offer a free item in exchange for a name and email address.)
- Is Google Analytics or other tracking software installed? (Your Google Analytics tracking code is grabbing all sorts of information from your website visitors, specifically their IP address.)
- Do you collect payments on your website?
That pretty much covers most of the websites I’ve seen.
Tools to Help with Compliance
I am not an attorney, but my research shows that using the following tools will at least demonstrate your business’ attempt to do the right thing and move your site toward compliance. In addition, even the experts don’t know exactly what will happen in the coming weeks, months, or years, so taking action now and keeping an ear on what the experts learn over time is a wise thing to do.
Privacy Policy
You can write your own privacy policy, or you can use a third party to create one. I love how powerful and easy to use iubenda is. You check off which plugins and tools your site uses and it creates a legal document that you can link to (mine is in my footer). This service is $27/year (that’s only a couple of dollars per month). Another option is shown under WordPress and GDPR below.
Cookie Notice
A quick and easy free WordPress plugin to enable compliance with EU cookie law regulations is Cookie Notice by dFactory
GDPR Compliance for Forms
A free and easy to use WordPress plugin to add compliance language to the most common forms, including comments, Gravity Forms and Contact Form 7 is WP GDPR Compliance.
WordPress and GDPR
WordPress version 4.9.6 is the first step in bringing GDPR tools to WordPress. In addition to ten bugs being fixed, this release heavily focuses on privacy enhancements. However, it is your responsibility to use those resources correctly, to provide the information that your privacy policy requires, and to keep that information current and accurate.
If you do not already have a privacy page, go to Settings > Privacy and create a new page where the policy will be displayed. WordPress provides a template with suggestions on what information to display.
To comply with the GDPR, sites need to provide a way for users to obtain their personal data and request that it be removed. Once a request for a data export or removal is received, site administrators can browse to Tools > Export Personal Data or Tools > Remove Personal Data sand send that user a verification request. For details and visuals, visit WP Tavern’s article, WordPress 4.9.6 Beta 1 Adds Tools for GDPR Compliance.
I hope I have helped you move toward compliance and not caused you to run for the hills. GDPR will affect all of us to some extent, especially if the US adopts it as well. It’s a good thing in the long run.
Leave a Reply