If the answer is yes (hint: it probably is), then you should be aware that Europe’s new sweeping data privacy laws, GDPR, will affect you.
But not to worry, we’ve got you covered:
In this post, we’re going to go over everything you need to know about the looming implementation of GDPR, including how it will affect your approach to data collection through your website.
We'll also make sure you know how to keep that effect from being a negative one.
Let’s get started!
But first, a quick disclaimer:
This post was created to provide general information and should not be relied upon as legal advice.
Ok—now we’re ready.
GDPR stands for General Data Protection Regulation. It's an EU data privacy and protection regulation, adopted in 2016, that applies from May 25, 2018.
Europe's data protection rules have not had a major overhaul since the early days of the web, when GDPR's predecessor, the 1995 EU Data Protection Directive, was adopted.
Needless to say, data protection in Europe is getting a major upgrade.
GDPR is designed to give people in the EU better protection of their personal data (a broader category than the US notion of personally identifiable information, or PII). To do so, the regulation imposes new, specific obligations on "controllers" and "processors" of personal data, backed by major fines for companies that fail to comply.
When it comes to data privacy, GDPR is a major step forward: it requires organizations to protect personal data against breaches and, where they rely on consent, to obtain it from the user before collecting and using their data.
People in the EU will now have the right to request a copy of the personal data held about them. They can also request to be "forgotten" (have their data erased) by entities that hold it.
In practice, GDPR requires any company that collects personal data to put the required policies and security controls in place and to have a lawful basis for each use of that data, which in many cases means asking for consent wherever personal data is collected. These rules are backed by fines of up to €20 million or 4% of worldwide annual turnover, whichever is greater. That's quite the chunk of change.
Companies that experience a personal data breach are now required to report it to the data protection authority and, where the breach is likely to put people at high risk, to notify the affected individuals as well.
GDPR isn’t exclusively enforceable on EU-based companies.
It may be a regional regulation, but it has a global reach.
GDPR governs the collection, use and disclosure of personal data of people in the EU, and companies anywhere in the world can collect and use that data through their websites.
Have you ever pulled up your analytics report and seen visits to your website from European users? Odds are you have. GDPR applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, and tracking EU visitors with analytics cookies can count as monitoring. So there is a good chance GDPR affects you.
Are you sure?
Personal data is defined broadly: it covers any information that relates to an identified or identifiable living individual.
So something as basic as a name or email address counts as personal data, as do online identifiers such as an IP address or a cookie ID, along with the kinds of identifiers usually associated with identity theft, such as a Social Security Number or other government ID number.
Does your website collect names and email addresses? Thought so.
Here’s what you need to know:
Here are some basic guidelines you should follow to make sure your website is GDPR compliant:
Reading this article was an excellent first step. Now make sure decision makers in your organization know about GDPR so they can act to protect your company. It’s also important to make sure your staff knows about the regulation.
Ask yourself some key questions which will uncover whether or not you have anything to worry about when it comes to GDPR’s implementation:
Make sure that whenever your website is asking for personal data, it’s also clearly asking for consent. This is absolutely crucial to the new GDPR regulations.
Does consent mean that you have to make users tick a box every time they fill out one of the forms on your website? Potentially, but not in every case.
According to the UK's Information Commissioner's Office (ICO), "Consent is appropriate if you can offer people real choice and control over how you use their data." Consent is only one of the lawful bases GDPR allows for processing personal data. If you can't genuinely offer a choice, because you need the data to do what the user asked for (for example, replying to a contact form), then consent is not the right basis; you rely on another one, such as performance of a contract or legitimate interests, and make the purpose clear on the form instead of adding a checkbox.
What does that mean for your website?
If you're collecting data without being clear about how it will be used, you need to fix that now: state the purpose on the form and, for any optional uses such as marketing, let users opt in with a separate, unticked box per purpose.
If your forms already tell users how their data will be used and give them an easy way to unsubscribe or withdraw consent, you'll be in much better shape when GDPR takes effect.
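The following is an added example, not code from the original post or from Sweor, showing how a website's form handler can put the points above into practice: processing that is necessary to fulfil the user's request is covered by a plain notice, while optional uses each get their own unticked opt-in box, and the server records exactly what the user agreed to so that consent can be evidenced and withdrawn later. The purpose names, field names and policy version string are hypothetical.

```javascript
// Added example (not from the original post): server-side handling of a
// contact form under GDPR-style consent rules. Purpose names, field names
// and the policy version below are hypothetical.

const PRIVACY_POLICY_VERSION = "2018-05-25"; // hypothetical version string

// Each purpose names its lawful basis. "contract" processing (replying to the
// enquiry the user asked for) needs a clear notice, not a checkbox. "consent"
// processing must be a separate, unticked, opt-in box per purpose.
const PURPOSES = {
  reply: {
    basis: "contract",
    text: "We will use your email address to reply to this enquiry.",
  },
  newsletter: {
    basis: "consent",
    text: "Send me the monthly newsletter. I can unsubscribe at any time.",
  },
  analytics: {
    basis: "consent",
    text: "Allow tracking of how I use this site so it can be improved.",
  },
};

// Fields to render for the consent purposes. Boxes are never pre-ticked:
// a default tick is not a freely given, affirmative choice.
function consentFields() {
  return Object.entries(PURPOSES)
    .filter(([, p]) => p.basis === "consent")
    .map(([name, p]) => ({ name: `consent_${name}`, label: p.text, checked: false }));
}

// Validate a submission (field -> string, as a form POST arrives) and build
// the record that proves what the user agreed to.
// Returns { ok: true, record } or { ok: false, errors }.
function processSubmission(fields, now = new Date()) {
  const errors = [];
  const email = String(fields.email || "").trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("invalid email address");

  const consented = [];
  for (const key of Object.keys(fields)) {
    if (!key.startsWith("consent_")) continue;
    const name = key.slice("consent_".length);
    const purpose = PURPOSES[name];
    // Reject purposes the form never offered, and ticks on non-consent purposes.
    if (!purpose || purpose.basis !== "consent") {
      errors.push(`unexpected consent field ${key}`);
      continue;
    }
    // Only the literal value a ticked checkbox submits counts; a missing
    // field, "" or "false" all mean "not consented".
    if (fields[key] === "on") consented.push(name);
  }
  if (errors.length) return { ok: false, errors };

  return {
    ok: true,
    record: {
      email,
      timestamp: now.toISOString(),
      policyVersion: PRIVACY_POLICY_VERSION,
      // Notice shown for processing that does not rely on consent.
      noticed: Object.entries(PURPOSES)
        .filter(([, p]) => p.basis === "contract")
        .map(([name, p]) => ({ purpose: name, text: p.text })),
      // Exact wording agreed to, so the consent can be evidenced later.
      consented: consented.map((name) => ({ purpose: name, text: PURPOSES[name].text })),
      withdrawn: [],
    },
  };
}

// Withdrawing consent must be as easy as giving it. Returns a new record:
// processing for that purpose stops, but the audit trail is kept.
function withdrawConsent(record, name, now = new Date()) {
  const keep = record.consented.filter((c) => c.purpose !== name);
  if (keep.length === record.consented.length) return record; // nothing to withdraw
  return {
    ...record,
    consented: keep,
    withdrawn: [...record.withdrawn, { purpose: name, timestamp: now.toISOString() }],
  };
}

// True only if the record still permits processing for the given purpose.
function mayProcess(record, name) {
  if (PURPOSES[name] && PURPOSES[name].basis === "contract") return true;
  return record.consented.some((c) => c.purpose === name);
}
```

The design choice worth noting is that the required purpose (replying) never appears as a checkbox at all, so the user is not asked to "consent" to something they cannot refuse; only the genuinely optional uses are consent-based, and each one is checked with `mayProcess` before any email or tracking happens.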
GDPR gives people whose data has been collected new rights, including the right to request a copy of the personal data held about them, to have it corrected, to have it erased (the right to be "forgotten") and to object to certain kinds of processing.
GDPR gives you 72 hours after becoming aware of a personal data breach to report it to the supervisory authority (unless the breach is unlikely to result in a risk to individuals). Be sure you have a plan for detecting, assessing and reporting a breach before one happens.
GDPR enforces different regulations depending on whether an entity can be classified as a “controller” or a “processor.”
A "controller" is any entity that determines why and how personal data is processed: what gets collected, how it's collected and how it's used.
A "processor" is any entity that processes personal data on behalf of, and on the instructions of, a controller, such as a hosting provider or email marketing service.
More on that below:
At Sweor, we are committed to ensuring that our Minneapolis web design clients are protected when it comes to GDPR.
We have conducted all of the research and preparation necessary to be prepared for the upcoming change, and want to make sure we educate our clients on how GDPR could affect their digital strategy.
Have more questions on how to become GDPR compliant? We’re happy to help!
Sign up for our webinar series!
We'll keep you posted on our upcoming learning opportunities.