GDPR came into effect in 2018. While not a new regulation when comparing against the rapid rate of changes in the internet world, it still has some lasting impacts on websites.
It is always good to refresh our understanding of what GDPR is and steps to make sure if your website is compliant (or needs to be) and to grasp the consequences of noncompliance fully.
What is GDPR and Why Should You Care
GDPR, which stands for General Data Protection Regulation, is a European-wide law passed in May 2016 and enforced in 2018 to protect Europeans from internet websites processing personal data. The law also aims to establish the rules relating to personal data's free movement.
So, if this is European law, you may be curious how this affects you and your website.
Fair question.
The GDPR has a considerably large scope. If your website collects any personal data from people in the EU, you must comply with the GDPR. So if you sell commercial goods or services to the EU, you may want to pay close attention.
Failure to comply could result in significant fines.
What is considered personal data with GDPR?
GDPR Article 4, the GDPR gives the following definition for "personal data":
'Personal data' means any information relating to an identified or identifiable natural persona ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Expanding a bit further, GDPR applies to personal data processed either electronically or by manual filing systems and written records.
In layman’s terms: This can be any data linked to an individual and thereby identify them. Data can include first name, last name, email addresses, geolocation, and browser history - to name just a few.
Will they really care?
Right, so I "have to" comply with EU laws on a US website, but what will they really do?
I hear you.
It's tempting to believe that this won't actually affect your website and business. However, the European Union will enforce a law in territory that it does not control. So, don't risk it. I personally wouldn’t want to pay hefty fines to some rule-enforcer overseas. That does not sound like a good time or a good use company budget.
All right, so what now?
If your website is processing personally identifiable information of individuals from the EU, it has to be done so with the following criteria in mind:
- Processed lawfully, fairly, and in a transparent matter. (Make sure you get their explicit consent to process their information).
- Collected only for specific, explicit, and lawful purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and kept up to date.
- Kept only for as long as it is needed and no longer.
- Protected in a manner that ensures its security and integrity.
Legal terminology all GDPR compliant websites must follow is included in Article 5 of the GDPR’s principles.
Best Practices
If you anticipate your website to have EU visitors, the GDPR has specific requirements for obtaining the consent and what constitutes valid consent.
For US websites to achieve GDPR compliance, here is a quick checklist to audit if your site is GDPR Compliant (or headed in that general direction):
Be Transparent
Show full transparency into how you're collecting personal data, why, how it's being processed, and who will be handling it is a must for GDPR compliance. You then need to justify and document the legal basis for collecting the data. GDPR outlines six instances that constitute "lawfulness of processing."
You need to not only be transparent with the law but with those affected.
Update your Privacy Policy Periodically
Perhaps once a year or every other quarter, and make it clear to customers and visitors with information like why you're collecting the data, how the data is handled, who has access to it, and how you're protecting the data.
There is a ton of documentation online that can help you internally audit whether or not your website is up to speed with GDPR compliance. However, we find that without working knowledge of the industry, it can be quite cumbersome to fully understand (not to mention it’s quite time-consuming!)
Have a data breach plan.
It’s sickening to even think about the fall-out of what could happen to your business and your customers' security if there was ever a data breach. But, to not have a plan is just ill-prepared. Some questions to ask as you begin preparing a plan are: who needs to be informed of data breaches? Who communicates with users if/when a data breach happens? What are protocols and legal liability?
If you’re interested in learning more or checking to find if your website measures up, reach out to JH anytime for more information.