Has your inbox been inundated with subject lines that read “We’re Updating our Privacy Policy/Terms & Conditions” lately? Dollars to donuts it is because a new regulation taking effect on May 25, 2018 has everyone getting their ducks in a row. That law is the GDPR and it’s a big deal, so I figured I would share some insight. Of course, this post comes with a disclaimer that I am *NOT* a lawyer, so if you have particular questions relating to your business, I would highly recommend enlisting the help of a legal professional. This post is merely meant to provide some backstory and make you aware of the new regulation, but is not intended to be legal advice.
Phew. Ok, now that we got that out of the way…
So, what IS the GDPR?
It is the General Data Protection Regulation whose purpose is to protect personal data collected by businesses and organizations. Because personal data protection laws vary by country, the European Union decided to get all their member countries on the same page and thus, the GDPR was born. It should be noted that the law will also have merit with non-member countries, such as members of the European Economic Area (EEA)…the UK, for example.
The GDPR is intended to provide the foundation for the methods by which organizations around the world must protect personally-identifiable information of those living in the EU. The law also imposes limitations on what data can be used and how it is processed by a company.
But if this is a European law, why should I care?
Here’s the thing about the web: it doesn’t have borders. Citizens of the EU may very well visit your website, sign up for your newsletters or even purchase your products through your online store. And then you’re on the hook for making sure their personal data is secure. Don’t want to bother with compliance? You could face fines of up to 24 million dollars. Yowsers.
OK, you’ve got my attention. What do I need to know?
Protection is the name of the game. Protect the individual’s personal data. What counts as personal data, you ask? Good question. Personal data is any information relating to an identified or identifiable individual: any info that could be used, either on its own or in conjunction with other data, to identify someone. In this day and age, that goes beyond the obvious social security numbers, names, addresses, email addresses, etc. and extends to data like IP addresses, behavioral data, location data, biometric data, financial information, and then some. For this reason, Google (as an example) sent out an email to clients using Google Analytics, informing them that they have new GDPR guidelines in place to keep in compliance with the new law.
Individuals will also have a broader scope of rights under the new regulation:
- The right to be forgotten: individuals can request that a company erase their personal data.
- The right to object: an individual can prohibit certain data uses.
- The right to rectification: individuals can request that incomplete data be completed or that incorrect data be corrected.
- The right of access: individuals have the right to know what personal data is being used and how it is processed.
- The right of portability: individuals may request that their personal data held by one organization be transported to another.
The GDPR also stipulates clear consent. Think of this as an opt-in, instead of opt-out, approach. As an example, you aren’t supposed to add someone to your mailing list just because they made a purchase within your store, unless you specifically state that they will be added to the aforementioned list by making a purchase. Good practice would be to have them check a box, giving consent to be on the mailing list, prior to clicking that purchase button. All opt-in notices have to be clear and in language most everyone can understand, i.e., no “legalese” please.
Additionally, organizations and companies must disclose data breaches within 72 hours of becoming aware of the breach. It starts to get a bit murky here, with some jargon about data controllers and processors. Essentially, a controller is the entity (in many cases you, as the business or organization) that dictates how and why personal data is processed. A data processor is a company that collects the data. In some cases, they may be one and the same, but in some instances, they are separate. For example, say you use an email marketing platform and collect email addresses in a database on their servers. You both must be GDPR compliant. Data controllers will be liable for the actions of their selected data processors. This is why Google sent out that email to its users. They are the processor and you are the controller.
Wow. I need a glass of wine.
I know, it’s a lot to process. But the good news is that many of these companies (or data processors, if you will) with whom you work have GDPR compliance either already in place or in the works. You may not even need to do anything different, but like the after-school specials of my youth taught me, “the more you know…”
Can you help me make sure I’m compliant?
While I would definitely recommend consulting with a legal professional if you have concerns about compliance, I do have some tips and recommendations that you can use to get started.
One of the leading reasons that websites get hacked or experience some sort of security breach is outdated code. Make sure you:
- Update your plugins
- Update your themes
- Delete any unused plugins or themes
- Update WordPress or your CMS to its current version
Not sure if you need to update or how to do it? Shoot me an email and let’s take a look.
I’m happy to help get your site up to date, optimized, backed up and secure.
Phew.
I hope I didn’t overwhelm, but I think it’s all important info with which to be familiar. Again, for the record, none of this is meant to serve as legal advice. I’m merely shedding some light on a topic that may or may not pertain to you. If you need more info, please seek out someone who has at least attempted to pass the Bar Exam (though preferably passed it), neither of which applies to me. I’ll happily keep my nose buried in code instead of legal precedent.