GDPR
This acronym has been floating around for a little while now, and it brings with it a lot of confusion and worry.
The fact that you can have up to 20Million Euros in fines is enough to make you faint!
I have taken some time to do some research and I have to say that every piece of information I find has been overwhelming and confusing, not to mention dry. The original is very very long.
Want to cut to the chase? Click here for the information in a Nut Shell
I am not a lawyer and this is not legal advice, but this is how I understand it and translate the information. If you want to take a stab at reading the actual bill that was voted in during 2016, then you will be reading through legalese that is 11 chapters and 99 articles long. Feel free to check it out here if you want all of the information. https://gdpr-info.eu/
For me, I don’t have the time, nor the attention span, to go through all of that – which would end up just making my eyes water and my head spin.
Here are the facts that everyone agrees to:
- If you collect or keep any personal data (even just a name) of someone in the UE, your business falls under the GDPR and you must comply to all 9 chapters of their regulations.
- There are strict guidelines to consent given to put anyone from the EU on your email list, in your database and your membership, or learning areas. They must give explicit consent to have their information taken and kept. Data can only be used for the reason given at the time of collection and is securely deleted after it’s no longer needed. If they signed up for a download – their information can only be used to send the download. From what I have seen you can not even follow up with them to check in on how they are doing with that freebie unless they have provided the appropriate consent. The only way around this is to include a box specificly giving express permission for you to email them about other information or offers. A little by-line and/or information in the privacy policy does not suffice anymore.
- If you keep information on them for memberships, learning platforms, shopping carts, analytics, etc., then you need to be sure that you have that information all spelled out in your privacy policies and agreements.
- SSL Certificates are no longer a ‘good idea’, they are a must. If you are having anything to do with information from others – you must have this in place to protect the transmission of the information - even if it's just a contact form.
- A checkbox must be present on contact forms, comment boxes in your blog, or any other forms (surveys, quizzes, etc.) stating specifically that they give you permission to take and store that information. Even if the contact us form does not keep the information – your email program does.
- Right to be forgotten. This means that anyone from the EU can ask that they be completely forgotten from your system as if they never existed in it. So if you are asked to do this – you need to make sure that every instance of any personal information has been completely removed from your databases. Your email lists, your memberships, your courses etc. There seems to be some confusion among professionals on how far that goes. After all – some information is required for accounting and tax purposes and business reports. So how this will all pan out is anyone’s guess.
- Make sure all personal information is properly protected. This is a no-brainer for any business regardless if you are working with people in the EU. All your data should be protected. Your site should be protected as well. If your site is not updated regularly, backed up and protected from hacking, then you should seriously consider this.
- If data is lost or stolen or accessed without permission – the authorities MUST be notified within 72 hours along with your clients or contacts in your lists whose information was accessed.
- Right to access. This means that if they come to you requesting the information that you have on them – you have to give them EVERYTHING you have collected. If you have information on your website, or in your email list, or your accounting platform – you need to be able to give them everything you have in an easily readable format.
Additional information that I have read:
- Some people feel that compliance is not a huge deal – and that it can be accomplished very easily. But there are also others on the other side questioning some of the compliance issues and some companies who are just dropping marketing and selling to people in the EU whose business is not stationed there.
- There seems to be some confusion regarding the data management when people ask to have them completely removed and the fines involved.
- You need to be able to adequately explain why you have the information you do. If you require all the information you have because they are taking a course with you – you need to be able to explain why you need each part.
Please Audit My Site for GDPR ComplianceDo you need to worry about it?
Here are a few reasons you may want to look in to this further and work to change your website and data practices:
- Do you have a WordPress community site that collects personal information for each user profile?
- Do you have a shop that has customers sign up for accounts to purchase anything from your site?
- Do you have a site where you ask people to sign up for your newsletter? Or do you have a free offering that people sign up for in exchange for their email to market to?
- Do you have analytic software on your website?
- Do you have comments turned on for your blog posts or your pages on your website?
- Do you have an existing email list (or more) that may have contacts that you market to?
If you have people from the EU visiting and interacting with you on your site - or with you, you will want to do something about complying.
How they will police it – I have no idea. That is a lot of companies in a lot of countries that could not be complying, but personally, I wouldn't want to take the chance.
These are recommendations for getting compliant:
- Review your processes and workflow regarding any data you collect.
- Update all of your legal documents to cover every single aspect of data collection and what it’s used for. If you don't have any privacy policies in place - now is the time to do it.
- Make sure your data is portable if it’s needed.
- Install an SSL Certificate for your website.
- Check your website, themes, plugins, services and API’s and see what data they collect and store. (contact form plugins, comment plugins, marketing plugins like Mail Chimp and AWeber, Analytics, Tracking, Remarketing, eCommerce solutions, payment processors, community plugins (BuddyPress, LearnDash etc.), and third party API’s. They are stating that even Google Fonts may need to be considered and documented.)
- It is recommended to even appoint one person who is responsible for your data compliance and data protection.
- Put in place a process for notifying the correct authorities should your data ever be breached or compromised. You have a 72 hour window to give notice to the authorities and to the people whose data was compromised.
- Don't fall for the 'One-Size-Fits-All' WordPress plugins that state they will make you 100% compliant. They most likely don't know what they are talking about. Each website is different and has different requirements. No one plugin will be able to cover all areas for all websites.
- Add in disclaimers regarding cookies and what they are used for on your website and what information is stored or used.
- Contact everyone in your lists and have them express consent to have marketing sent to them.
- Hire a lawyer – A lawyer can provide you with legal advice specifically tailored to your situation – providing they know everything regarding this new regulation.
I don't want to worry about this, please check it out for me.What am I doing about the GDPR?
In all reality – a tighter reign on data is a very good thing. I find for me specifically that I will choose to implement most, if not all, of these items. However, for the small amount of business I currently do in the EU, I will not actively market or sell to people in the European Union.
With the confusion regarding the right to be forgotten, I don’t want to get caught up in loopholes while the EU figures out the fine tuning, or the lawyers finish understanding the entire document of regulations.
So I will be implementing items on this website to discourage signups and block my cart from purchases from Europe, for the time being. May sound a little extreme, but it is just not financially feasible for me since 99% of my clientele is in North America. I am not the only company that is doing this.
I have heard that Connect.Microsoft.com actually shut down because they were not GDPR compliant. If Microsoft can’t or won’t figure this out – how are solopreneurs and entrepreneurs supposed to get all their ducks in a row and be safe from a penalty? Later Microsoft changed the reason to it was retired in favor of new tools.
I will update our privacy policies, and remove old contacts from my databases that I no longer need, and I will update the way I add people to my lists.
All of this havoc can be a good thing as we, as a community online, we all move to a more secure environment of data protection. This may be extreme and feel a bit binding, but overall with the breaches I have seen over the last couple of years – it was definitely due.
We don’t know when North America will follow suit, so complying to some degree and adapting some of the things listed here could be a very good thing to do.
In A Nut Shell
- New regulations for dealing with the EU.
- If you collect ANY data from people in the EU you must be compliant to protect yourself and your business from up to a 20 Million Euro fine and possible jail time.
- Data means any personal data collected in an email list, membership site, online community, training portal etc.
- You can only use the data for exactly what you had them sign up for. If they sign up for a free download, you can only use that information for the free download. If you want to use it for your newsletter you must add a consent check box they need to check to show active confirmation that they are giving consent to have their information use exactly how you state.
- If you use a contact form, you must also have a check box allowing the submitter to agree to have their information sent and possibly stored in your business.
- Decided if you want to do business with people in the European Union or not.
- If you choose not to – put in place measures to keep people from the EU from signing up for any of your materials or purchasing your products.
- If you choose to continue to market and/or do business with people in the EU then get compliant to protect yourself. This plugin will assist you WP GDPR Compliance
- Install an SSL Certificate on your site
- Scan your site to see what elements on your site are collecting data and what type. You can use this program WP Security Audit Log or ask us to scan and give you a report of what programs are accessing.
- Update all of your privacy policies and terms of use to include everything you site uses and how it is used and why
- Make sure your data is portable. If someone asks to have all the data you have on them, you need to be able to supply it.
- Have procedures in place to delete people from your entire business should they ask to ‘be forgotten’
- Appoint someone to be your Data Protection Office (DPO) if you deal with a lot of data.
- Delete all old data
- Set up information on cookies that are used on your site and why.
- Add checkboxes providing explicit consent for any forms on your site (survey, contact form, comment form, etc.)
- Consult an attorney
Are you already GDPR compliant? The team over at Mailjet created a handy GDPR quiz. I also recommend checking out The GDPR Checklist.
Would you like some help with getting compliant? Click the button below. I can lend a hand. I am offering a site audit to check all known areas that are needed for compliance and provide a report, checklist, and recommended changes.