What is GDPR and Why Do I Need It?
The European Union's General Data Protection Regulation (GDPR) was adopted in 2016 and became enforceable on May 25, 2018. It requires websites to clearly state what personal information they gather from their visitors, what is done with it, and how it is protected. Companies had two years to comply, and the fines for non-compliance are very stiff (up to €20 million or 4% of worldwide annual turnover, whichever is higher). (Wikipedia article here)
So what does this have to do with websites outside the EU? Like, probably, yours?
Because website access is not limited to the country a site is hosted in, the regulation reaches beyond the EU: it applies to you if you offer goods or services to people in the EU, or monitor their behaviour (analytics counts), and you are liable for the personal data of any EU visitor who accesses your website.
I’ve wanted to write about this for a while and have put it off, but it’s rolling forward now with more intensity, so here’s a brief synopsis:
Full disclosure: I’m not an attorney, but my assumption is that, for small-to-medium businesses, this is not rocket science and it may not be necessary to consult a law firm to perform this.
Here’s the lowdown:
- You must state every tool or feature you use to collect visitor information:
~ Media sharing
~ Contact Forms
~ Mailing List enrollment
~ Survey results
~ User Account Registration
~ Third-party sharing (this includes social share buttons and embedded widgets, which send visitor data to those networks when the page loads or when a visitor clicks through to your social channels)
- (*Google Analytics does not show you individual visitors’ IP addresses in its reports, and its location reports stop at City, State, and Country. But it does receive each visitor’s IP address, which is how it derives that location, and it sets cookies in the visitor’s browser, so you still need to list it as an information source.)
- You must state HOW you use this data – each tool and each use.
- You must state how this data is protected: kept on a local computer only, stored on an encrypted server, held in an encrypted database, who has access to it, etc.
- You must convey that visitors are in control of this information and explain how they can request a copy of it and how they can request that it be deleted and erased (conveying the difference between temporary deletion and permanent erasure).
- You must explain how you will provide assurance this information was deleted/erased.
- You must convey how you would handle a data breach, including that you would notify the supervisory authority within 72 hours of becoming aware of it and, where the risk to individuals is high, notify the affected people themselves (thank God none of you are storing credit card numbers – either on the website (a huge violation of PCI DSS) or in a shoebox in your closet. Card data is for the credit card processing gateway – or your eCommerce provider – to handle and store.)
So in most instances this is not difficult to assemble. You’ll need to look into the practices of your mailing list provider and your external eCommerce provider (they should each have a policy in place already), and take stock of what records you are keeping yourself and where they are stored. And you’ll need to write down the procedures you would follow in the case of an erasure request or a data breach, so that you are not working them out for the first time when the clock is running.
I’m also available to speak to your association or group, where we can hammer this out in class and get it either on your website or ready to be reviewed.
It’s important to me that you be protected, so the costs for each of these is minimal.
Send me an email: tari at grace-studio.net