Author: Deborah Dapson
On May 25th, 2018, enforcement of a new EU regulation called the General Data Protection Regulation (GDPR) began. In case you haven’t heard about it, this new regulation is meant to enhance an earlier data protection regulation established in 1995, expanding the previous requirements to further protect users, specifically citizens of the European Union. The GDPR aims to prevent data breaches and protect the security of private data. The 1995 regulation (the Data Protection Directive) assures privacy through a set of common sense rules (giving notice, using data only for the stated purpose, obtaining user consent, encrypting and securing data, disclosing who is collecting user data, giving users access to their data, and holding data collectors accountable); the GDPR added
Unlike the EU, the USA Does Not Have a Formal Centralized Data Protection Regulation or Act; So, If That’s the Case, Do We Need to Be Concerned?
The short answer is yes.
The expanded regulation extends its scope to anyone who collects data on EU citizens, regardless of the collector’s home country. This means that if you have a call to action or offer on your website that requires a user to enter data about themselves, even if it is just an email address, you are subject to the regulation, because anyone in the world, EU citizens included, can enter their data to get your offer. Additionally, there doesn’t have to be a financial transaction involved.
So, What Do We Need to Know If We Have a Globally Reaching Website?
If you are going to be gathering data for business or non-profit transactions, you will need to follow the regulations I listed above, as well as the other changes the GDPR brought about. These include tighter controls on how consent is given: small print and/or legalese is not allowed. Data breaches must be reported within 72 hours. Users get even more access: they must be told whether their data is being used, where and why, and must be given an electronic copy of the data being used. The user has the right to ask for their information to be erased (“the right to be forgotten”). Users also have the right to move their data from one data collector to another; in other words, once your data has been used to set up an account, you can get an electronic copy (say, a spreadsheet or CSV file) and send it to another company. Those who want to collect data must design their software so that it collects only the data needed to do what is needed, and so that only those who need the data have the right to view it. Finally, there must be an officer in the company collecting data who can report to the regulation office.
All Right, I May Process Data from EU Citizens, What Do I Need to Do?
The simple answer is that you’ll need to make sure that you follow the rules above, but I’ve only given you a thumbnail. The path to compliance is relatively complex: you must assess all your data and be able to say where it is stored; you must ensure that it’s encrypted; your request for consent must be clear and specific; your site must carry an SSL certificate; your policies must be written on your site and be clear and specific; and you must report any data breach within 72 hours. Be ready to retrieve a user’s data and hand it over at any time, and create ‘fair processing notices’ describing exactly what data you’re collecting and where and how you’re using it.
As a website designer, this is something that I must pay close attention to, particularly with sales and coaching sites, where data collection is a requirement for business to occur. Nearly every other day, it seems, we hear of yet another big data breach, causing us to run to our devices and begin changing passwords while fretting over possible identity theft.
If you’re concerned (and you should be) that you may not be compliant, please contact me. I can help you, especially if you are using WordPress as your platform.
Deborah Dapson has been working in marketing and communications for over 15 years, and in website and graphic design for the last 7 years. Her passion is helping small businesses and non-profits.