This post does not constitute legal advice.
The European Union General Data Protection Regulation (GDPR) comes into force on May 25, 2018.
This European regulation insists upon people’s right to data privacy. It encourages companies to not collect unnecessary data, and it requires risk analysis, and says users must be allowed to have data deleted upon their request.
As a company, you must take reasonable measures to protect your clients’ personal data from being lost, divulged, or destroyed.
But my company is not in Europe. What does GDPR mean for me? Does it affect me?
In fact, the GDPR applies to any company or organization, no matter where it is located, that collects personal data from anyone who lives in the European Union. So if any of the following apply:
- Anyone from the EU visits your site, and you have data tracking on through Google Analytics or another program, noting visitors’ IP addresses,
- Anyone in the EU makes a purchase from your website, and you collect their information for the purchase,
- Anyone from the EU signs up for your mailing list,
- Anyone from the EU makes a donation to your cause,
- Anyone from the EU fills out a form on your website containing name, email address, snail mail address, or any other personal information,
Then you need to comply with the regulation.
What happens if I don’t comply?
Failure to comply, particularly if you suffer a data breach, could result in large fines. It’s unclear at this point to what extent the US would cooperate if European authorities tried to fine a US company. Nonetheless, it’s unlikely you want to prevent all Europeans from visiting your US-based website. So in our opinion, the best thing to do is be aware and become compliant. Nothing in the measures is too shocking or stringent. It is common-sense privacy in data handling.
What does GDPR compliance involve?
“Privacy by design” is the buzzword for the GDPR. It’s also basic common sense. None of us would like our information passed around to various third parties, and we should all have the same respect for our contacts. That means keeping private information private and protected by not sharing it with other companies or people, and by keeping our web systems and databases up to date and secure.
How can I become GDPR compliant?
If you are collecting any information whatsoever, you should:
- Know what information you collect and where it is stored.
Your privacy policy should spell out what information you collect, for what purpose, how long the data is retained, and whether it is shared with third parties (hint: it should not be). It should inform your website users that they may request removal from any database/list your company retains. It should lay out the measures you will take if there is a breach (notifying users and authorities within a certain amount of time – the EU law says you should notify “data authorities” within 72 hours). You can check out more details here on what to include.
- If you are collecting site statistics, anonymize visitors’ IP addresses.
You might be using Google Analytics or another data collector to analyze your website traffic. The problem here is that some of these programs collect the IP address, and the Court of Justice of the European Union has ruled that an IP address can be considered personal identifying information. For that reason, you would need consent to collect it. However, anonymizing the IP address (usually by removing the last number pair) is an acceptable solution here, and it can be easily set up through the Google Analytics settings or a WordPress plugin that manages those settings.
- Have a plan in place internally for periodically reviewing the data and removing any old data.
- Consider the possible risks for each type of data you collect and each area where it is stored.
How can you mitigate those risks?
- Do you share the information with any third party?
If so, you need to make your users aware of this, and you need to have those third parties also commit to protecting the information.
- Have a plan in place for notifying users rapidly if you become aware of a breach of their personal information.
- For email lists, users should ALWAYS opt-in.
Opting in should NOT be the default – a pre-checked opt-in box is now, more than ever, a no-no.
- Keep all software up to date to close any potential security holes.
- Larger companies may want to have a data protection audit performed by an outside company.
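Returning to the IP-anonymization step above: the Google Analytics setting does the truncation for you, but the same idea applies to any logs or statistics you keep yourself. The following is an added example, not code from the original post or from any analytics vendor. It truncates an address the way the Google Analytics option is documented to (the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed, which is an assumption about that product, not something the post states), and it applies the truncation to a few constructed web-server log lines before they would be stored. The prefix lengths, function names and sample lines are all my own choices.

```python
import ipaddress
import re

# Bits of the address to keep: a /24 for IPv4 (last octet zeroed) and a /48
# for IPv6 (last 80 bits zeroed). Assumed to match the Google Analytics
# "anonymize IP" option; lower these for a stricter policy.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymize_ip(addr: str) -> str:
    """Return the address with its host part zeroed.

    Raises ValueError if the input is not a valid IPv4 or IPv6 address, so
    callers can decide what to do with malformed fields.
    """
    ip = ipaddress.ip_address(addr.strip())
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    # strict=False lets us pass a host address and get its enclosing network.
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


# The client address is the first whitespace-delimited field of a
# common/combined-format access log line.
_LEADING_FIELD = re.compile(r"^(\S+)")


def anonymize_log_line(line: str) -> str:
    """Replace the leading client address of one access-log line.

    Lines whose first field is not a valid IP address (for example a '-'
    placeholder) are returned unchanged rather than dropped.
    """
    match = _LEADING_FIELD.match(line)
    if not match:
        return line
    try:
        truncated = anonymize_ip(match.group(1))
    except ValueError:
        return line
    return truncated + line[match.end():]


def anonymize_log(lines):
    """Anonymize every line of an access log before it is written to disk."""
    return [anonymize_log_line(line) for line in lines]


# Constructed sample log lines (documentation-range addresses, not real data).
SAMPLE_LOG = [
    '203.0.113.42 - - [25/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [25/May/2018:10:00:01 +0000] '
    '"GET /contact HTTP/1.1" 200 1024',
    '- - - [25/May/2018:10:00:02 +0000] "GET /health HTTP/1.1" 200 2',
]


if __name__ == "__main__":
    for anonymized in anonymize_log(SAMPLE_LOG):
        print(anonymized)
```

Truncating at ingestion, before the line is ever written, is the point: the full address then never sits in a file or database that a retention review would later have to find and purge.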
Where can I find more information?
- For basic questions, check out the EU GDPR website.
- Varonis has shared a helpful “cheat sheet.”
- If you use any type of email marketing, you might find this article of interest.
- Mailjet’s Legal and Data Protection Officer has shared their steps towards compliance.
- There are also companies that specialize in GDPR audits and compliance.