GDPR – what you need to know about this new data protection law

Posted on Jul 9, 2018


The new General Data Protection Regulation (GDPR) came into effect on May 25 and many website owners were scrambling to get their website GDPR-compliant before the deadline. But it’s not too late if you haven’t started.

What is GDPR?

GDPR is a data protection law designed to harmonize data privacy laws across Europe in order to protect EU citizens. The aim of the GDPR is to give EU citizens control over their personal data and to change the way organizations across the globe handle data privacy.

In short, it ensures that users must confirm that their data can be collected, and there must be a clear privacy policy showing what data is going to be collected and stored, how it’s going to be used and how the user can withdraw his/her consent.

What does it have to do with you (or anyone outside the EU borders)?

Well, you may think the GDPR only impacts websites within the EU borders, but you need to think again, because the GDPR is not bound just by region; it also applies to anyone doing business with or holding data for EU citizens. So, if you are selling products to, collecting email addresses from, or even exchanging any sort of information at the cookie level with a person in the European market, you will need to comply with the GDPR. In other words, don’t assume it’s not going to apply to you – no one is exempt.

Ways to make your website GDPR-compliant

There are many changes you can make to your website:

1. Forms: Active Opt-in
If you have a newsletter signup form on your website, make sure the default setting is “NO” or blank. In fact, every request for user data, including cookies, must be active opt-in.

2. Unbundled Opt-in
If you are asking for any type of consent on your website, each item must be set out separately. For example, previously you might have one checkbox for accepting terms and conditions and acceptance of consent for usage of data collected. Now, you will need to provide a separate checkbox for each and every different consent.

3. Easy to Opt-out
You must inform users of their right to withdraw their consent and provide easy ways to do so.

4. Named Parties
If you are sharing the collected information with third-party organizations, you must list each party for which consent is being granted. For example, if you will be sharing the user’s data with your financial institution, subsidiaries, legal representatives, etc. you need to name all parties involved.

5. Update your Privacy Policy and Terms and Conditions
You will also need to update your website’s terms and conditions and privacy policy. You need to reference GDPR terminology and you need to make it transparent what you will do with the information once you’ve received it and how long you will retain this information on your website as well as by your office systems. You also need to list all the applications that you are using to track user interaction.

6. Online Payments
If you are an ecommerce business, you will most likely be using a payment gateway. If you are collecting personal data before passing the details on to the payment gateway, you will need to modify your processes to remove all personal information after a reasonable period of time (say, 60 days). The GDPR law is not explicit about the number of days, so it’s up to your own judgement as to what is deemed reasonable and necessary.

7. Third Party Tracking Software and Applications
If you are using third-party tracking software or applications (such as web analytics), you need to make sure these tools are GDPR-compliant. After all, it is your responsibility to ensure that everything on your website is GDPR-compliant.

What about Google Analytics? Google Analytics has always been an anonymous tracking system and no personal data is collected, so Google Analytics is safe.

How seriously should I take GDPR?

The deadline to comply with the new GDPR regulations was May 2018. The penalty for non-compliance can be up to €20 million or up to 4% of the total global annual earnings, whichever is higher. And yes, there are going to be Supervisory Authorities carrying out audits on websites and issuing warnings for non-compliance. But it’s not too late if you haven’t started, and this is something that’s certainly better late than never.

Luckily, if you run WordPress on your website, there are plugins you can use to perform a security audit on your website.

For more information on the GDPR, you can visit the official website, www.eugdpr.org.
