GDPR (the General Data Protection Regulation) goes into effect on May 25th, 2018. If you haven’t been preparing already, you might be wondering whether you should be paying attention.
The most important thing to know is that the GDPR, although it was adopted by the European Union, applies to some companies and organizations outside of the EU. Specifically, it applies to you if you sell things to people in the EU or “monitor the behavior of” people in the EU.
Monitoring the behavior of people in the European Union may not sound like something your organization does, but think again. That includes “processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
If you collect email addresses, names, IP addresses, bank or credit card data, photos, or anything else that could be used to identify an individual, you’re processing and holding personal data.
You can be fined 4% of your annual revenue, up to twenty million euros, for breaking the rules.
Are you HIPAA compliant?
If you’re HIPAA compliant, then you’re meeting GDPR standards.
If that hasn’t been on your mind, you should review the way you currently use and store personal information.
Europeans can ask you to delete their information. They can also ask you to send them all the information you have on them. You must provide this information and you may not charge anyone for the information.
You should store as little information about individuals as possible, and you need to get consent to collect information in a very clear way. Long, hard-to-read privacy policies are not acceptable.
For the typical WordPress website, “I have your name and email address, which you just used to send me this request,” is about all you’d have to say in response to an information request. However, if you keep a database of supporters or you have an e-commerce website, you might have a lot more information on your visitors. If you do remarketing using information gathered at your website from people in the EU, you certainly fall under the GDPR rules.
Another change is that a data breach must be reported to all affected individuals in the EU within 72 hours.
Can you avoid this issue?
If you don’t have much (or any) traffic to your website from the EU and you don’t collect much personal information, you don’t have to spend a lot of time on this. Those four visitors from Belgium in the past year probably didn’t even share their names and email addresses with you.
You could, if you have a local business in the U.S., block traffic from the EU, scrub Europeans off your database, and ignore GDPR completely.
However, the rules could well become part of U.S. privacy regulations in the future, and they’re not arduous. Maybe it’s time to go ahead and clean up any privacy issues your website may have.
Some things you should do:
- Make sure that any personal information you collect is voluntary and consensual. That means you can’t require people to share personal information in order to use your website. You can’t say, “Your use of this website means you agree that we can collect information with cookies.” This is especially true since we all know that most people don’t read privacy policies. Consent must be opt-in: people must give specific consent, rather than having to tell you they don’t want their information collected.
- Don’t share personal information freely. If you keep a database of personal information about your clients in your website, give access to that database only to people who need it. With WordPress, this kind of control is usually built in. WooCommerce, for example, allows you to be very specific about what kind of information each type of user can see. If you’ve been casual about that before, this could be a good time to change that.
- If you share personal information, you need to be specific about who you share it with and why. The common statement “We sometimes share information with trusted partners” won’t do.