The General Data Protection Regulation (GDPR) will come into effect across Europe on 25th May 2018.
What Does It Do?
GDPR gives European Union citizens better control over the collection, use, and storage of their personal data online. It also requires companies and site owners to be transparent about how they collect, use and share personal data. Non-compliance with GDPR can result in fines of 4% of annual revenue or 20 million euros, whichever is greater, though before that happens there is a multi-tiered warning system in place.
Who Should Be Concerned?
Customers and visitors care about their privacy. Taking steps to give them additional security, access and rights over their data is good business practice that should be appreciated by your user base, so it makes sense to follow GDPR even if you don’t have to. If you are based in Europe, advertise or market to Europeans, perform analytics on or collect data about Europeans, have interests or property in Europe, or take any other action that specifically targets European citizens, then you should prepare to roll out full GDPR compliance, as it will 100% apply to your business. If your website is written in US English and your target demographic is Americans or just a generic “anyone”, without any specific targeting of Europeans, you have much less to worry about and can for the most part skip the headache of implementing GDPR in your systems.
Are American Small Businesses/Bloggers Affected?
If your website is written in the language of, and targets, non-EU countries (or just America for that matter), you don’t have to implement GDPR, but you can still adopt GDPR policies as a benefit to your customers and visitors. The benefits of GDPR as a voluntarily adopted policy are increased trust in your site, clear statements that let the public understand what you do with their data, and tools that let them control that data. If your eCommerce site sells, ships or advertises to EU countries, you should implement GDPR. If your blog (or part of it) is written in an EU country’s language, you should implement GDPR.
How does WordPress fit in with GDPR?
There are three main ways in which GDPR can affect WordPress site owners:
Themes and Plug-ins:
As a WordPress site owner, you alone are responsible for all data collection and storage performed by any theme, plugin or third-party software on your site. It is therefore crucial to audit all third-party plugins and themes before the new regulation takes effect. Perform a full audit of your plugins, theme, widgets and any scripts running on your site. The key culprits to inspect are newsletter opt-ins, advertiser tracking pixels, scripts and plugins, and any other forms that ask users to submit personal data.
If your WordPress site uses WooCommerce or a similar eCommerce platform, collecting any personal data through opt-out options or pre-ticked consent boxes will now be considered a violation of GDPR. This means that active, affirmative involvement of the users on your WordPress site, including for all marketing materials such as newsletters, is now required to meet the new regulations. According to the new regulation, examples of lawful consent requests are clicking an opt-in button or link online, selecting from an equivalent yes or no option, and responding clearly to an email requesting consent.
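A small static audit of the kind described above, written here as an added example rather than code from the original post or from any WordPress plugin: it parses a rendered page and reports third-party script/pixel hosts, form fields that collect personal data, and checkboxes that are ticked by default. The page content, host names and field names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page: a first-party script, a third-party tracking
# script and pixel, personal-data fields, and a newsletter opt-in ticked by default.
SAMPLE_HTML = """<html><head>
<script src="https://shop.example.test/wp-includes/js/jquery.js"></script>
<script src="https://tracker.example-ads.test/pixel.js"></script>
</head><body><img src="https://pixel.example-analytics.test/collect?id=1" width="1" height="1">
<form action="/checkout">
  <input type="email" name="billing_email">
  <input type="tel" name="billing_phone">
  <input type="checkbox" name="newsletter_optin" checked> Subscribe me
  <input type="checkbox" name="terms"> I agree to the terms
</form></body></html>"""

# Field-name fragments that usually mean personal data is being collected.
PERSONAL_FIELDS = ("email", "phone", "tel", "address", "name", "ssn")

# Collects third-party resource hosts, personal-data inputs and pre-ticked checkboxes.
class ConsentAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.third_party_hosts = set()
        self.personal_inputs = []
        self.prechecked = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as "checked" map to None
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.site_host:
                self.third_party_hosts.add(host)
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if itype in ("email", "tel") or any(k in name for k in PERSONAL_FIELDS):
                self.personal_inputs.append(name)
            if itype == "checkbox" and "checked" in a:  # consent cannot be pre-ticked
                self.prechecked.append(name)

def audit_page(html, site_host):
    # Returns the findings for one rendered page, keyed by finding type.
    p = ConsentAuditor(site_host)
    p.feed(html)
    return {"third_party_hosts": sorted(p.third_party_hosts),
            "personal_inputs": p.personal_inputs,
            "prechecked_consent_boxes": p.prechecked}
```

Run `audit_page(SAMPLE_HTML, "shop.example.test")` to get the findings; each third-party host and pre-ticked box it lists is something that needs a consent mechanism or removal before the regulation applies.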
Helpful Plugins For WordPress:
- WP GDPR: This plugin creates a page where users can request access to their personal data, stored on your website.
- WP GDPR Compliance: This plugin assists website and webshop owners by providing tips for complying when using popular plugins such as Gravity Forms, Contact Form 7, WooCommerce, and WordPress native comments.
What Kind of Information Does GDPR Apply To?
The GDPR applies to any personal data (in any format) that can be used on its own or in conjunction with any other data to identify a living person. The new regulation extends the definition of personal data to include information such as an IP address. Examples of personal data include:
- Physical address
- Email address
- Mobile number
- Social security number
- Location data
- IP address
- Online Behavior (Cookies)
- Profiling and Analytics Data
Additionally, the GDPR also applies to sensitive personal data that needs to be more carefully handled and could potentially link back to the identity of a person, such as, but not limited to:
- Health status
- Sexual orientation
- Religious beliefs
- Political views
- Financial data
- Behavioral data
- Biometric Data
- Genetic Data
The new law will apply to both personal and sensitive personal data.
What Rights Does GDPR Give?
The right to know:
When collecting or processing your data, companies now have to tell you clearly and plainly what it will be used for, the legal basis for any processing, with whom it will be shared, how long it will be stored for, whether the data will leave the EU, how you can withdraw your consent, and the contact details of the relevant Data Protection Officer.
The right to control consent:
Consent must be given explicitly by the user for a company to store, use or pass on your data (in most circumstances; there are exceptions*). The request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, with the purpose of the data processing attached to that consent, and it must be clearly distinguishable from other matters. It must be as easy to withdraw consent as it is to give it.
The right to correct data and move it around:
If you think a company holds incorrect data about you and you want to correct it, they must carry out your request without undue delay. If a company provides a service that relies on your data, for example, and you want to use a different company for that service, you can request that your data be moved from one company to the other. This is linked to requesting all your data from a company.
The right to be erased or forgotten:
You can withdraw your consent for data processing at any time and the company must stop the processing, unless they’re relying on another legal basis for the processing (the public interest, for example). You can also request data be erased. Again, it must be erased unless another EU right clashes with the request. Controversial statements made by people in the public eye, for example, may not automatically be deleted if the public interest is best served by keeping them online.
Right to restrict processing:
Under this right, an individual can restrict or suppress the processing of his or her personal data. In that situation you may still store the user’s personal data, but you may not use it. This right applies only in certain circumstances.
Right to be informed about data breaches:
In the event of a data breach, the organization must notify both the supervisory authority and the people concerned within 72 hours of becoming aware of the breach. Failing to notify a breach may attract a significant fine of up to 2% of your annual revenue or 20 million Euros.
Check out the full text of the GDPR law here: https://gdpr-info.eu
Need Professional Help?
Has GDPR crushed your confidence? Don’t want to deal with it? We can help! GDPR is a massive set of regulations that can confuse the best legal specialists; that’s why we’re offering a GDPR Compliance Audit and GDPR Implementation.
Basic GDPR Compliance Audit: $250
GDPR Full Compliance Implementation: $500
If your site meets the requirements for needing full GDPR compliance, we’ll perform the Basic Audit and set up cookie consent popups and data control pages/forms for your users as well. This package comes with 12 months of updates and support, so any changes to the regulation during that time will be covered and implemented by us.
Data Protection Officer: $200/month
If your site has to deal with the monitoring or processing of large amounts of personal data, consider contracting us as your Data Protection Officer – we’ll be responsible for all data protection related activities and ensure the continued compliance of your site with the GDPR regulations, as well as serve as the contact point for GDPR inquiries. Learn more about Data Protection Officer’s responsibilities here: EU Data Protection Officer.