What is GDPR and Why Do I Need It?

24 Oct | website care

On May 25, 2018, a law was passed in the European Union, the General Data Protection Regulation (GDPR), that requires websites to state clearly how they gather information from their visitors, what is done with it, and how it is protected. Companies have two years to comply, but the fines for non-compliance are very stiff. (Wikipedia article here)

So what does this have to do with websites outside the EU? Like, probably, yours?

Because access to a website is not limited to the country it is hosted in, this regulation applies to you: you are liable with respect to anyone who accesses your website from the EU, including any user located within an EU member country.

You know those annoying little popups on websites that say “This site uses cookies, etc. etc.”, where you have to click Agree to enter the site (actually I think you can still enter the site, but that little footer flag will stay there until you shut it off by agreeing)? That’s GDPR in action.

I’ve wanted to write about this for a while and have put it off, but it’s rolling forward now with more intensity, so here’s a brief synopsis:

Basically, it gives the user the right to know – in clear and understandable terms – that you are or may be collecting data from them, how you use it, how they can request deletion and receive confirmation that their information has been removed from your database or list, and how they will be informed if there is a data breach in which their information is inadvertently shared. All of this is contained in a Privacy Policy document they can view at any time (I put mine in the footer).

Full disclosure: I’m not an attorney, but my assumption is that, for small-to-medium businesses, this is not rocket science and it may not be necessary to consult a law firm to do this.

Here’s the lowdown:

  • You must state what you use to collect user information:

    ~ Media sharing
    ~ Contact Forms
    ~ Mailing List enrollment
    ~ Survey results
    ~ User Account Registration
    ~ Third Party sharing (this includes a visit to your social channels)
    ~ Analytics*
    ~ Cookies*

    (*Google Analytics collects anonymous data and does not reveal IP addresses or any location information beyond City, State, and Country. You still need to list it as an information source.)
    (*It is doubtful you use cookies to identify much of anything, but cookies are used, for instance, to store ‘Remember Me’ field information.)


  • You must state HOW you use this data – each tool and each use.
  • You must state how this data is protected: local computer only, encrypted server, encrypted database, etc.
  • You must convey that users are in control of this information and how they can request that it be deleted and erased (distinguishing temporary deletion from permanent erasure).
  • You must explain how you will provide assurance that this information was deleted or erased.
  • You must convey how you would handle a data breach. (Thank God none of you are storing credit card numbers – either on the website, a huge violation of PCI, or in a shoebox in your closet. Handling and storing card data is up to the credit card processing gateway – or your eCommerce provider.)

In most instances this is not difficult to assemble. You’ll need to look into the practices of your mailing list provider and your external eCommerce provider (they should have a policy in place already), and into what type of records you are keeping yourself and where they are stored. You’ll also need to write down the procedures you would follow in the case of an Erasure Request or a data breach.

The answers to these questions will be written into your Privacy Policy page. As I mentioned, it may not be complete, especially if you are a larger company with distributed locations, but it will be a start and will show good faith. Get this in place on your websites, and consult your attorney if you feel it might be too basic to cover everything you do with visitors and customers.


The Promo

I am available to work with you to put this in place on your website. For WordPress websites, this starts with a GDPR plugin that has settings and a Privacy Policy page that can be edited.

I’m also available to speak to your association or group, where we can hammer this out in class and get it either on your website or ready to be reviewed.

It’s important to me that you be protected, so the cost for each of these is minimal.

Send me an email: tari at grace-studio.net