GDPR: What It Means and How to Stay Compliant
On May 25, 2018, the European Union (EU) brought its new General Data Protection Regulation (GDPR) into force. GDPR “contains provisions and requirements pertaining to the processing of personally identifiable information of individuals inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area.” Its purpose is to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.
“That’s all well and good, but what does that have to do with me?” says website owner Maxwell Haberdasher. “I’m a United States citizen, my website has a ‘Made in America’ sticker on the bumper, and I don’t market to EU users. Surely these new regulations won’t affect me.” I’m afraid to say, Mr. Haberdasher, that you are surely WRONG!
If your website collects any sort of personal data on its visitors, even unintentionally, there is still a chance that a resident of an EU country could visit your site and have their data saved.
Examples of personal data include:
- The user’s name
- The user’s physical or email address
- The user’s phone number
- The user’s IP address
- And more!!!
Basically, if you can use a piece of data to identify an EU resident, or combine it with other data to identify them—that’s personal data.
EU citizens now have the right to access, erase, and correct errors in their personal data, object to processing of their data, and ask an organization to export their data (even directly to a competitor). With the GDPR, you are legally obligated to comply with their requests.
While you may not think that you collect any user data, it can be collected in more ways than you realize. Some of the more obvious ways include online forms, newsletter signups, and online purchases, but this data can also be collected through cookies, retargeting ads, and analytics. While some of this data is stored in your website database, third-party services (like Constant Contact, Google Analytics, and MailChimp) will be collecting this information as well. As a website owner, you will need to know where this data is held, how to gain access to it, and how to delete it when necessary.
While it takes some work to ensure your website is GDPR compliant, it’s not difficult to achieve. We here at Sutherland Weston would like to recommend the following updates to help ensure compliance:
- Develop an updated privacy policy that discloses how and why you collect personal data, how long it is retained, and who it is shared with. You should also make sure your consent provision is clear and unambiguous, and add language about the right to be forgotten and the right to withdraw consent. The more transactions your website handles, the more detailed your privacy policy will need to be to meet your business requirements. If the site uses cookies to track activity and to provide and enhance the user experience, the privacy policy should say so.
- Create a documented inventory of the data that you track and keep on site visitors.
- Create a documented procedure for furnishing a copy of the data upon request and for erasing the data upon request.
- Update your online forms and newsletter signups to include a checkbox (unchecked by default) that lets users opt in to storing their information and/or using their data for marketing purposes.
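As an added illustration of the last three recommendations (it is not code from the original post or from Sutherland Weston), the following JavaScript sketches how a signup handler can refuse to store personal data without an explicit opt-in, keep a per-visitor inventory with a consent record, and serve access and erasure requests. The in-memory `Map`, the `PRIVACY_POLICY_VERSION` constant, the field names on the form object, and the `email-service-provider` processor name are all assumptions made for this example; a real site would back this with its database and the APIs of whatever third-party services hold copies of the data.

```javascript
// Constructed sample value: the version of the privacy policy the user agreed to.
const PRIVACY_POLICY_VERSION = '2018-05-25';

// Assumed in-memory inventory of what the site holds about each visitor, keyed
// by lower-cased email. Stands in for the website database in this example.
const subjects = new Map();

// Accept a signup only with an affirmative opt-in. A missing field or a value
// other than `true` (e.g. a pre-ticked box the user never touched) is rejected,
// so the consent we record is clear and unambiguous.
function handleSignup(form) {
  if (form.marketingOptIn !== true) {
    return { ok: false, reason: 'explicit opt-in required' };
  }
  const record = {
    name: form.name,
    email: form.email,
    consent: {
      purpose: 'marketing-newsletter',
      policyVersion: PRIVACY_POLICY_VERSION,
      grantedAt: form.submittedAt, // ISO timestamp from the request, for the audit trail
      withdrawnAt: null,
    },
    // Every third party that receives a copy, so access and erasure requests
    // can be propagated. Assumed processor name for this example.
    sharedWith: ['email-service-provider'],
  };
  subjects.set(form.email.toLowerCase(), record);
  return { ok: true };
}

// Access request: return a copy of everything held on the subject, or null.
// Returning a deep copy keeps callers from mutating the inventory by accident.
function exportSubjectData(email) {
  const rec = subjects.get(email.toLowerCase());
  return rec ? JSON.parse(JSON.stringify(rec)) : null;
}

// Withdrawal of consent: keep the record (it may still be needed for a pending
// order, for instance) but mark it so no further marketing use is allowed.
function withdrawConsent(email, at) {
  const rec = subjects.get(email.toLowerCase());
  if (!rec) return false;
  rec.consent.withdrawnAt = at;
  return true;
}

// Erasure request: delete the local record and report which processors must
// also be told to delete their copies.
function eraseSubjectData(email) {
  const key = email.toLowerCase();
  const rec = subjects.get(key);
  if (!rec) return { erased: false, notifyProcessors: [] };
  subjects.delete(key);
  return { erased: true, notifyProcessors: rec.sharedWith };
}
```

The important design point is that `handleSignup` treats anything other than a literal `true` as no consent, and that erasure returns the list of processors to notify rather than silently claiming the data is gone: the data held by a newsletter or analytics provider is still your responsibility to track down.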
If you have any further questions about how the GDPR affects you and your website, or if you would like some assistance in making sure your website is GDPR compliant, please reach out to us and we will be happy to help.