On May 25th, 2018, the European Union's (EU) General Data Protection Regulation (GDPR) went into effect. This privacy/data protection law reaches beyond the EU's member countries and will directly impact your website.
Why should I worry?
Thankfully, the GDPR is not a cause for fear. It is a sensible approach to data collection that requires you to tell your website visitors how you are using and protecting their personally identifiable information.
That sensibility is why similar laws are likely to be adopted elsewhere in the world, and why every website should start taking the steps toward compliance now.
I’m too Small to Care
You might think this isn't important because you only have U.S.-based visitors and your business is not large enough to be noticed. Avoid this kind of thinking! The U.S. is connected to the global community through the internet, which means you may be getting visitors from the EU without knowing it. Ignorance is no excuse for breaking the law.
What’s my next step?
Disclaimer: Our expertise is not in the Law. Nothing on this website or article should be considered legal advice.
Ok, so what are the rules?
If you are a large company with users from the European Union, contact a lawyer that clearly understands the GDPR and what you need to do specifically for your company.
If you are a smaller company whose website visitors are mostly in the U.S., and you collect information through a contact form or through cookies, here are a few things you can start doing.
What is PII?
Personally Identifiable Information (PII) is anything that can be connected back to a specific person (the GDPR itself uses the term "personal data"). For example, when a person visits your website, your website may set a cookie that the visitor's browser stores.
That cookie might hold an identifier tied to the visitor, or even their email address. It lives on the visitor's computer, but the browser sends it back to your website on every request, so your website can use it whenever it needs to.
The more blatant use of PII is a contact form. When submitted, the form is emailed to you (where you then store it) and may also be stored in a database (if your form has that ability). Please note that if you are using a web-based service for your contact form, like Wufoo or MailChimp, you are still responsible for how that data is managed once the visitor submits it, even though it is not stored on your website. Check with your service and see what they are doing to be GDPR compliant.
Another way you collect visitor data without really knowing it is through Google Analytics. The tracking script you embed quietly collects information about each visitor and stores it on Google's servers under your account. This can include demographic information as well as the visitor's actions as they move through your website.
Your company is responsible to make sure that the information stored in your Google Analytics account is compliant with the EU’s GDPR.
Here are some examples of PII: name, address, telephone number, IP address, an online identifier (e.g. a user name), health information, income, and ethnic or cultural information.
What’s at risk?
M-O-N-E-Y. If you are found to be non-compliant, you are at risk of being fined, although usually not at first. Supervisory authorities have a range of corrective powers: a warning, then a reprimand, then an order to limit or suspend your data processing, and if you still don't get your act together, fines of up to €20,000,000 or 4% of global annual turnover, whichever is higher.
That last heavy-duty fine is aimed at big businesses that generate serious revenue and refuse to get with the plan: companies with a global reach like IKEA, Facebook, automobile manufacturers, or any company that has that kind of money to be taken.
What’s most important?
Here are a few must-haves for becoming GDPR compliant:
Explicit Consent – if you are going to collect information through a form or a cookie, you must get consent through a clear affirmative action and explain in plain language what you are asking for. On a contact form that means a consent checkbox that is not pre-checked; a pre-ticked box does not count as consent.
WordPress added exactly this to the comment form of its blogging software, along with two personal data tools (Export Personal Data and Erase Personal Data) under the Tools menu.
Rights to Data – your visitors have the right to know who processes their data, what is collected, where it is stored, and why and how it is used. They also have the right to receive a copy of their personal data and the right to be forgotten (erasure) when they ask, so you must provide a way for them to make the request and a process for fulfilling it within one month of receiving it.
Breach Notification – you are obligated to report a personal data breach to the appropriate supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the affected individuals' rights and freedoms. If the breach is high risk, you must also notify the affected individuals without undue delay. Please contact a lawyer if you have any kind of breach and are unsure how to deal with it.
Data Protection Officers – this only matters if you are a public authority or body, or if your core activities involve large-scale monitoring of individuals or large-scale processing of sensitive personal data. In that case you must appoint a data protection officer. This isn't required for every company, but if you are not sure, contact a lawyer.
If you think your company needs to do more and is at risk for fines, contact a lawyer.
Is WordPress GDPR compliant?
Partly. With the release of WordPress 4.9.6, WordPress core ships the tools you need: a privacy policy page generator, a consent checkbox on the comment form, and Export Personal Data and Erase Personal Data under Tools. Compliance, however, is a property of how your whole site collects and processes data, including your theme, your plugins, and third-party services like form providers and analytics, not of the core software alone. Any plugin or custom code that stores visitor data in its own tables has to hook into those tools for them to cover that data.
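As an added example (not WordPress core code and not from this article), here is how a hypothetical contact-form plugin that stores submissions in its own database table would satisfy the "Explicit Consent" and "Rights to Data" items above by refusing to store a submission whose consent box was not ticked, and by registering itself with the Export Personal Data and Erase Personal Data tools through WordPress's wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. The table name wp_contact_submissions, its columns, and the gdpr_demo_ function names are assumptions for illustration.

```php
<?php
/**
 * Added example, not from WordPress core or the article.
 * Assumed table: {$wpdb->prefix}contact_submissions
 *   (id, email, name, message, consent_given_at)
 */

// Store a contact-form submission only when the visitor gave affirmative consent.
function gdpr_demo_handle_submission( array $post ) {
    global $wpdb;

    // A missing (or pre-ticked and then cleared) box is not consent: do not store anything.
    if ( empty( $post['consent'] ) || '1' !== (string) $post['consent'] ) {
        return new WP_Error( 'no_consent', 'Consent checkbox was not ticked.' );
    }

    $email = sanitize_email( $post['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Invalid email address.' );
    }

    $inserted = $wpdb->insert(
        $wpdb->prefix . 'contact_submissions', // assumed table name
        array(
            'email'            => $email,
            'name'             => sanitize_text_field( $post['name'] ?? '' ),
            'message'          => sanitize_textarea_field( $post['message'] ?? '' ),
            'consent_given_at' => current_time( 'mysql', true ), // record when consent was given (UTC)
        ),
        array( '%s', '%s', '%s', '%s' )
    );

    return ( false === $inserted ) ? new WP_Error( 'db_error', $wpdb->last_error ) : (int) $wpdb->insert_id;
}

// Exporter callback: core calls this with the e-mail address entered under Tools > Export Personal Data.
function gdpr_demo_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, consent_given_at FROM {$wpdb->prefix}contact_submissions
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'gdpr_demo_contact',
            'group_label' => 'Contact form submissions',
            'item_id'     => 'gdpr_demo_contact-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',          'value' => $row->name ),
                array( 'name' => 'Message',       'value' => $row->message ),
                array( 'name' => 'Consent given', 'value' => $row->consent_given_at ),
            ),
        );
    }

    // done => false makes core call again with $page + 1 until everything is exported.
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// Eraser callback: core calls this from Tools > Erase Personal Data.
function gdpr_demo_eraser( $email_address, $page = 1 ) {
    global $wpdb;

    $deleted = $wpdb->delete(
        $wpdb->prefix . 'contact_submissions',
        array( 'email' => $email_address ),
        array( '%s' )
    );

    return array(
        'items_removed'  => (int) $deleted > 0,
        'items_retained' => false,      // set true and explain in 'messages' if you must keep something
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['gdpr-demo-contact'] = array(
        'exporter_friendly_name' => 'Contact form submissions',
        'callback'               => 'gdpr_demo_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['gdpr-demo-contact'] = array(
        'eraser_friendly_name' => 'Contact form submissions',
        'callback'             => 'gdpr_demo_eraser',
    );
    return $erasers;
} );
```

Drop this into a plugin file and the admin's export and erasure requests will include the plugin's own table alongside the comment and user data core already handles. Note that an email copy of the submission is still sitting in your mailbox (see the contact-form discussion above), so the erasure process has to cover that too; the eraser's messages array is the place to tell the administrator what was retained and why.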