I’m sure by now you’ve seen “GDPR” in the headlines. The GDPR, or General Data Protection Regulation, is a set of new laws intended to strengthen and unify data protection for all individuals within the European Union (EU). It came into effect on May 25th 2018. It is new legislation relating to personal data and how it’s stored.
If your business is not based in the EU, you’re probably thinking you don’t need to worry about it, right?
It’s European legislation but it will affect website owners outside of Europe. If your website is visited by people in Europe (or your code is used by websites that do), the GDPR covers you.
The penalties for non-compliance are pretty harsh – up to 4% of global annual turnover or €20 Million (whichever is greater). If you run a small business that collects data for sales and/or a mailing list, that’s a LOT of dolla!
Ok… So Now I’m Freaking Out!!!
Don’t panic!! No one is going to come knocking down your door if you weren’t compliant by May 25th. The only way you can get in trouble for not being GDPR compliant right now is if someone complains to the EU’s Information Commissioner’s Office (ICO) about you. You’ve got time to get up to speed.
Let’s clarify a couple of things:
- The law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.
- A financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organisation just collects “personal data” - EU-speak for what we in the U.S. call personally identifiable information (PII) - as part of a marketing survey, then the data would have to be protected GDPR-style.
So the moment a user accesses your site from an area where the GDPR is in effect, you’re subject to the GDPR. Server location is irrelevant - user location is what’s important. So, if a user from somewhere in the EU accesses your website from their home turf, you are required by law to comply with the GDPR. If that same visitor leaves the EU, flies to the Cayman Islands and visits your site from there, the EU has no authority. It’s all down to where they access your site from.
There is really no circumstance in which you can afford to assume you’re exempt. Even if your business has no intention of selling to citizens of the EU, the instant they land on your website, you have to be able to comply. There’s no excuse for not acting upon it (despite how boring data protection legislation is!).
How the GDPR Affects Website Owners
There are six main ways in which this will affect you as a website owner:
- How you collect data via forms (contact forms, newsletter signups etc.)
- How you collect analytics data
- What you do with that data
- Where the data is stored
- How you communicate with your customers and contacts
- The code you use – plugins and themes.
The GDPR for WordPress site includes a summary of site owners’ obligations with regard to collecting data relating to EU citizens. Here are the main points:
- Tell the user who you are, why you collect the data, for how long, and who receives it.
- Get clear consent [when required] before collecting any data.
- Let users access their data, and take it with them.
- Let users delete their data.
- Let users know if data breaches occur.
Each point is subject to all sorts of caveats and exceptions as to how much you need to do, but this is a good starting point.
The GDPR Portal provides a heap more detail on all of this. Here are the main points relevant to website owners:
- Increased territorial scope: This means that the legislation affects not only businesses and organisations operating in Europe, but also those ‘processing the personal data’ of people living in the EU, which covers most websites around the world.
- Consent: We all know how important consent is! If you’re collecting data, the person whose data you’re collecting must consent to you doing so. This doesn’t just apply to data gathered from forms but also to data collected in the background, such as IP addresses, but only to the extent that it can be associated with an individual.
- Right to access: Individuals will have the right to access their data and to information on how it’s being processed and used.
- Right to be forgotten: An individual will have the right to have their data erased, and for it to no longer be disseminated.
- Privacy by design: This means that instead of bolting on data privacy, it will have to be incorporated into the design of a system from the outset.
So… What Do I Do?
Check back here in a few days to read our post on How To Make Your WordPress Website GDPR Compliant.
Get compliant and good luck!
Disclaimer: I’m not a lawyer and CODE Websites is not a law firm. This post does not constitute legal advice and does not replace any advice you obtain from a lawyer or other legal expert. If you’re not sure, check with an expert on data law.