What is GDPR and why it’s important?
GDPR is an acronym for General Data Protection Regulation, a new regulation in the EU that dictates how companies should collect, process, and store personal data. Even though the law regulates the EU market only, it directly affects your company if you process any data of EU citizens. Why is there so much fuss about GDPR? Because non-compliance with GDPR will lead to serious fines of up to 20 million EUR. No business would want that to happen. GDPR comes into force on the 25th of May. You still have some time to get ready, but you’d better hurry up.
Ultimately, GDPR is a positive change for EU citizens, who will have more control over their personal data. For businesses, GDPR brings challenges, but it also enforces unified procedures, which might be beneficial for the business. Companies that strive to comply with GDPR tend to be viewed more positively by their customers.
There are two main aspects of GDPR – personal data and processing of personal data. Here is what these terms mean under GDPR:
- Personal data is “any information relating to an identified or identifiable natural person”, as defined in the publication of the regulation in the Official Journal of the European Union.
- Processing of personal data is “any operation or set of operations which is performed on personal data”.
How is the law going to be enforced?
GDPR is a strict law, but one may wonder how exactly the EU is going to check compliance. The EU plans to set up a Supervisory Authority (SA) in each member state. SAs will carry out the functions of supervisory and controlling authorities, including:
- performing audits of businesses and websites
- issuing warnings for non-compliance
- issuing corrective measures and defining deadlines
SAs will most likely form a network and work together in identifying and correcting non-compliant behavior.
The implications of the law have been observed all over the world, with companies updating their privacy policies and sending out email blasts to reassure customers of their compliance. Almost 76% of US companies report that they will spend more than $1 million on GDPR. This shows that US companies have a very large pool of EU customers and that they are concerned about the implications of the law.
How to make your website GDPR compliant?
GDPR is a complex law with complex terminology and a plethora of new information. It’s best to study the law and common practices, and to receive legal advice, before you decide on concrete measures. However, these are the most common measures that companies take to become GDPR compliant:
- The right to access defines the users’ right to access information about their data, including what kind of data is being collected, where the data points are located, and the legal basis for collecting, processing, and storing the data. Users can also request a copy of their data at any time.
- The right to be forgotten gives users the right to have their data erased. Once a user withdraws consent, all data relating to that user must be erased and further collection and processing must stop.
- Data portability defines users’ right to download their data and transfer it to a different controller.
You’re also advised to store only the data that’s absolutely necessary. By limiting data collection and the number of data points, GDPR encourages companies to adopt safer policies.
By publishing a new policy, you can cover most points mentioned in GDPR. But you also have to make sure that there are procedures in place for data retrieval, data portability, and consent withdrawal.
We have seen many companies automating data removal and portability, as well as others who simply ask users to email them for their request to be fulfilled.
2. Breach notifications
Of course, it’s best to avoid data breaches altogether. But if for some reason that’s not possible, you’ll need to notify everyone affected by the breach within a short period of time.
3. Implications of GDPR for WordPress plugins
Surprisingly for many site owners, you are responsible for all the personal data you collect, including data collected through plugins. Make sure every plugin you use is compliant with GDPR. So far, only a limited number of plugin developers have announced their plans in relation to GDPR. If your plugin providers aren’t compliant with GDPR, it’s your responsibility to document the data flow and inform users about the processing of their data.
4. Explicit consent
Another important implication of GDPR is the change the law brings to how consent is collected. For example, a preselected checkbox isn’t enough anymore. You have to give users the opportunity to give explicit consent, which they can do by checking the box manually or clicking the “accept” button.
Opt-ins should also be unbundled, meaning you need to clearly set out the acceptance of terms and conditions and then separately set out consent for other uses of data. Granular opt-in is preferable, and users must be able to give consent for different types of processing separately.
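Server-side handling of an unbundled, explicit consent form, as an added example (not code from the article or from WordPress). The field names `email`, `terms`, `consent_marketing` and `consent_analytics`, the policy version string and the record layout are assumptions; the point is that an absent or preselected box never counts as consent and that each purpose is recorded and withdrawn on its own.

```python
"""Explicit, granular consent for a signup form (added example; field
names, policy version and record layout are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each optional purpose is set out separately (unbundled). Only the terms
# box is mandatory; a missing optional box must never be read as "yes".
OPTIONAL_PURPOSES = ("consent_marketing", "consent_analytics")
POLICY_VERSION = "2018-05-example"  # constructed: ties a record to the text the user saw


@dataclass
class ConsentRecord:
    email: str
    policy_version: str
    purposes: dict = field(default_factory=dict)  # purpose -> True/False
    recorded_at: str = ""


def is_checked(value) -> bool:
    """Browsers omit unchecked checkboxes entirely, so absent means not consented."""
    return value in ("on", "true", "1", True)


def record_consent(form: dict) -> ConsentRecord:
    """Validate a submitted form and return an explicit consent record.

    Raises ValueError if the mandatory terms box was not actively ticked;
    every optional purpose defaults to False, never to a preselected True.
    """
    if not is_checked(form.get("terms")):
        raise ValueError("terms and conditions must be accepted explicitly")
    purposes = {p: is_checked(form.get(p)) for p in OPTIONAL_PURPOSES}
    return ConsentRecord(
        email=form["email"],
        policy_version=POLICY_VERSION,
        purposes=purposes,
        recorded_at=datetime.now(timezone.utc).isoformat(),
    )


def may_process(record: ConsentRecord, purpose: str) -> bool:
    """Processing for a purpose is allowed only while consent for it is on record."""
    return record.purposes.get(purpose, False)


def withdraw_consent(record: ConsentRecord, purpose: str) -> None:
    """Withdraw consent for one purpose; processing for that purpose must stop."""
    record.purposes[purpose] = False
```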
5. Clean up your mailing lists
If you’ve ever purchased email lists from third parties, you need to stop now. Continuing to use email lists received from third parties is a direct violation of GDPR.
The industry standard is double opt-in: after users provide their email, they finalize their subscription by clicking a confirmation link in the follow-up email. Even though double opt-in isn’t a GDPR requirement, it’s an industry practice that will help you prove that proper consent was obtained.
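The double opt-in flow above, as an added example (not code from the article or from any mailing-list product). The in-memory stores, the 24-hour link lifetime and the function names are assumptions; it shows the properties that make the confirmation a usable proof of consent: an unguessable token, stored only as a hash, accepted once, and only before it expires, with no mailings to an address that is still pending.

```python
"""Double opt-in with single-use, expiring confirmation tokens (added
example; stores, lifetime and function names are assumptions)."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)  # assumption: confirmation links expire after a day

# Constructed in-memory stores standing in for database tables.
PENDING = {}    # sha256(token) -> {"email": ..., "expires": datetime}
CONFIRMED = {}  # email -> {"confirmed_at": ISO timestamp}


def utc_now() -> datetime:
    return datetime.now(timezone.utc)


def token_digest(token: str) -> str:
    """Store only a hash of the token so a leaked table cannot confirm subscriptions."""
    return hashlib.sha256(token.encode()).hexdigest()


def request_subscription(email: str, now: datetime = None) -> str:
    """Step 1: record the address as pending and return the token to put in the email."""
    now = now or utc_now()
    token = secrets.token_urlsafe(32)  # random; never derived from the address
    PENDING[token_digest(token)] = {"email": email, "expires": now + TOKEN_TTL}
    return token


def confirm_subscription(token: str, now: datetime = None) -> bool:
    """Step 2: the user clicks the link.

    Returns True only for a known, unexpired token. The token is consumed on
    first use either way, so a link cannot be replayed.
    """
    now = now or utc_now()
    entry = PENDING.pop(token_digest(token), None)
    if entry is None or now > entry["expires"]:
        return False
    CONFIRMED[entry["email"]] = {"confirmed_at": now.isoformat()}
    return True


def is_subscribed(email: str) -> bool:
    """Only confirmed addresses may receive mailings; pending ones get only the confirmation."""
    return email in CONFIRMED
```

The `confirmed_at` timestamp together with the hashed-token record is what you would keep as evidence that consent was obtained.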