GDPR Compliance for Website Owners

What is the GDPR?

The General Data Protection Regulation (GDPR) is a law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also applies to the export of personal data outside the EU and EEA (U.S. companies included).

This law and others like it will change the way businesses and organizations store and process personal information. Similar regulations are already being implemented here in the U.S. One example is the California Consumer Privacy Act (CCPA), which was signed into law in June of 2018.

Even though it’s an EU thing, organizations and website owners everywhere need to pay attention.

The GDPR was created to protect the rights of citizens of the European Union with regard to the collection and use of their personal data. Organizations can be fined up to 4% of annual global turnover for breaching GDPR, up to a maximum of €20 million.

GDPR Applies to More than Just Your Website

Remember, GDPR doesn’t just apply to your website. It applies to any and all information you collect about your customers, especially information that is stored online. This also includes mailing list services (Mail Chimp, Constant Contact, etc.), bookkeeping software, POS systems and more, so we advise you to do your research, make sure your business complies with GDPR, and have a plan in place in case of a data breach.

Who Does the GDPR Affect?

  • Organizations processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. -- This includes data collected from forms, ecommerce systems, membership systems, mailing lists, or any other personal data gathered and/or stored online.
  • All organizations inside or outside of the EU that offer goods or services to EU data subjects residing in the EU (even if they are just visiting the EU).
  • All organizations that monitor the behavior of EU data subjects. -- This includes the cookies, browser information, device information, and other information your website requires for performance and personalized user experience. It also includes Google Analytics Data, and data needed to monitor the effectiveness of advertising.

** An “EU data subject” is any person who is a citizen, resident, or simply a visitor to the EU.

8 individual rights under GDPR

GDPR grants eight specific rights to individuals over their personal data:

1. Right to be informed

You must be transparent about how you use personal data. This is typically handled through your site’s privacy policy (which you’ll likely need to update). In the event of a data breach, you need to have procedures in place to notify your customers within the 72-hour reporting timeline. This may mean appointing someone in your organization to oversee data protection and to help make sure your bases are covered.

2. Right of access

If a client requests their data, you must provide it to them in a commonly used format, such as CSV.

3. Right to rectification

You must allow a client to correct incomplete or inaccurate information.

4. Right to erasure

Clients can request deletion or removal of personal data when there is no compelling reason for its continued processing. Also referred to as “the right to be forgotten.”

5. Right to restrict processing

Individuals have the right to block processing of personal data. In such cases, you can store the data but no longer process it.

6. Right to portability

You must allow individuals to obtain and reuse their personal data for their own purposes. This means you must provide it to them in a common format, such as CSV.

7. Right to object

Individuals can object to having their personal information used. This includes for purposes of direct marketing, research and statistics.

8. Rights related to automatic decision making, including profiling

This rule specifies when you can use profiling and automated decision making. It also defines requirements that must be met, such as the individual providing explicit consent.
These rights are spelled out in further detail in the official GDPR guide.

For more specifics about GDPR and how it applies to your organization, see the Site Owner’s Guide to GDPR.

What We Can Do

We build custom WordPress websites, and in a recent update, some basic functions that meet some of the GDPR requirements were built into the WordPress core software, namely the ability to download and anonymize a user’s information. But there are a few other things that need to be done, and we can help. We do not guarantee or imply that any steps we take will bring you to 100% compliance, but we can help you with some of the essentials.

1. Secure Your Website

In order to earn the trust of your website users, keep their data safe, and boost search engine rankings, your website should be equipped with an SSL Certificate. An SSL (Secure Sockets Layer) certificate is a security feature that authenticates the identity of a website and encrypts information sent to your server using SSL technology.

SSL certificates can be obtained from a variety of sources. They may require an annual renewal fee depending on the type of SSL certificate you need. However, most of our clients just need a standard SSL certificate. Our hosting & maintenance plans include a free SSL certificate with no annual renewal fees. (There is a one-time fee for installation.)

We can also install a free SSL certificate on your site as part of a GDPR Compliance Upgrade Package. (Ask your account manager for details.)

2. Publish a Privacy Policy

We can add a privacy policy (which you must provide) to your website. Below is a list of a few privacy policy generators and online legal services we have found. You can also use an online legal service or ask your attorney what they recommend.

3. Provide Access to Personal Data

Your website stores information entered by users in its database. If a user requests a copy of their information, it can be downloaded from the backend of your website. You can do this yourself if you have backend access to your site or we can do it for you.

An easier option is to make it possible for users to download it themselves from the front end of your site and have you notified when they do. This is something we can set up for you as part of a GDPR Compliance Upgrade Package. (Ask your account manager for details.)

4. Erase Personal Data

If a user requests that their information be removed from your records, it can be deleted or anonymized from the backend of your website. You can do this yourself if you have backend access to your site, or we can do it for you.

An easier option is to make it possible for users to delete or anonymize their own information from the front end of your site and have you notified when they do. This is something we can set up for you as part of a GDPR Compliance Upgrade Package. (Ask your account manager for details.)

5. Obtain Consent to Store Personal Data

On most websites, users are able to submit information in one form or another. Some examples are contact forms, user registrations, ecommerce purchases, email subscriptions, post comments, or any other forms or applications that gather data.

These forms should require the user to agree with your Privacy Policy. Additional checkboxes can also be added for things like Terms & Conditions, agreement to receive email newsletters, or other permissions or consents you may require from your users.
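What "require the user to agree" should look like on the server side, as an added example (this is not code from the original page or from New Urban Media): the submission is rejected unless the privacy-policy box was actually ticked, each extra permission (newsletter, marketing email) is a separate, optional checkbox rather than bundled into one, and the consent is recorded together with the policy version the user saw, so it can be shown later and withdrawn on request. The field names, the policy version string and the helper names are assumptions; HTML checkboxes arrive as `"on"` when ticked and are simply absent when unticked, which is the case the code has to handle.

```javascript
// Added example (not from the original page or from New Urban Media): server-side
// handling of a form submission so that consent is explicit, unbundled and recorded.
// Assumptions: the form body has already been parsed into a plain object of string
// fields, and HTML checkboxes arrive as "on" when ticked and are absent when unticked.

const PRIVACY_POLICY_VERSION = "2018-06-01"; // constructed placeholder; track which version the user saw

// Each optional purpose gets its own checkbox; none of them may be required or pre-ticked.
const OPTIONAL_CONSENTS = ["newsletter", "marketing_email"];

function isChecked(value) {
  return value === "on" || value === "true" || value === "1";
}

// Validate on the server; the browser's "required" attribute can be bypassed.
// Returns { ok, errors, record } where record is the consent evidence stored with the data.
function validateConsentSubmission(fields, now = new Date()) {
  const errors = [];
  const email = typeof fields.email === "string" ? fields.email.trim() : "";
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    errors.push("email: a valid address is required");
  }
  if (!isChecked(fields.privacy_policy_agreed)) {
    errors.push("privacy_policy_agreed: you must agree to the privacy policy");
  }
  if (errors.length > 0) return { ok: false, errors, record: null };

  const consents = { privacyPolicy: true };
  for (const name of OPTIONAL_CONSENTS) consents[name] = isChecked(fields[name]);

  return {
    ok: true,
    errors: [],
    record: {
      email: email.toLowerCase(),
      policyVersion: PRIVACY_POLICY_VERSION,
      consentedAt: now.toISOString(),
      consents,
      withdrawn: {}, // purpose -> ISO timestamp, filled in by withdrawConsent
    },
  };
}

// Before using the data for a purpose, check the record instead of assuming.
function allowsPurpose(record, purpose) {
  if (!record || record.withdrawn[purpose]) return false;
  return record.consents[purpose] === true;
}

// Right to object: withdrawing consent for a purpose must be as easy as giving it.
// Returns a new record; the original is left untouched as an audit trail.
function withdrawConsent(record, purpose, now = new Date()) {
  return {
    ...record,
    consents: { ...record.consents, [purpose]: false },
    withdrawn: { ...record.withdrawn, [purpose]: now.toISOString() },
  };
}
```

The point of `allowsPurpose` is that the mailing-list integration asks the consent record before sending anything, rather than treating "has an email address on file" as permission.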

6. Add Cookie Consent

Almost every website uses cookies to customize and improve user experience in whatever browser or device they are using to navigate your site. Cookies may also be used for other purposes. (See All About Cookies)

Another step towards GDPR compliance is “cookie consent”. This is a notification that the user receives the first time they visit your website. You’ve probably seen this yourself as more website owners are taking steps to become GDPR compliant. A cookie consent prompt can be added to your site as part of a GDPR Compliance Upgrade Package. (Ask your account manager for details.)
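A cookie consent prompt is only half of it: the site also has to hold back the analytics and advertising tags until the visitor has said yes. The following added example (not code from the original page or from New Urban Media) shows the gating logic behind such a prompt. It reads the visitor's stored choice from a cookie, treats a missing, malformed or outdated choice as "no consent" so the site fails closed, and decides which script categories may run. The cookie name, the JSON layout of its value, the category names and the script catalog are all assumptions.

```javascript
// Added example (not from the original page or from New Urban Media): a small
// cookie-consent gate. Everything that is not strictly necessary stays off until
// the visitor opts in. Cookie name, value layout and categories are assumptions.

const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VERSION = 1; // bump when the cookie policy changes; older consents then stop counting

// Script categories; "necessary" needs no consent, the others do.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(value); } catch (e) { out[name] = value; }
  }
  return out;
}

// Return the stored choices, or null when absent, unparsable or from an older
// policy version. null means "ask again and load nothing optional".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return null; }
  if (!parsed || typeof parsed !== "object" || parsed.v !== CONSENT_VERSION) return null;
  const consent = {};
  for (const c of CATEGORIES) consent[c] = c === "necessary" ? true : parsed[c] === true;
  return consent;
}

// Only an explicit true counts; anything else is treated as refused.
function shouldLoad(category, consent) {
  if (category === "necessary") return true;
  return Boolean(consent && consent[category] === true);
}

// Build the Set-Cookie value that records the visitor's choices.
// SameSite=Lax and Secure keep the consent cookie itself from being abused.
function buildConsentCookie(choices) {
  const value = { v: CONSENT_VERSION };
  for (const c of CATEGORIES) if (c !== "necessary") value[c] = choices[c] === true;
  const attrs = ["Path=/", "Max-Age=" + 180 * 24 * 3600, "SameSite=Lax", "Secure"];
  return CONSENT_COOKIE + "=" + encodeURIComponent(JSON.stringify(value)) + "; " + attrs.join("; ");
}

// Given the visitor's cookies and the site's tag catalog, list the tags to activate.
function scriptsToLoad(cookieString, scriptCatalog) {
  const consent = readConsent(cookieString);
  return scriptCatalog.filter((s) => shouldLoad(s.category, consent)).map((s) => s.name);
}
```

In the browser this runs before any tag manager or analytics snippet is injected; on first visit `readConsent` returns null, so only the necessary scripts load and the banner is shown, and `buildConsentCookie` writes the visitor's answer once they click.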

How to Generate a Privacy Policy for Your Website

One of the most essential steps to becoming GDPR compliant is to have a Privacy Policy prominently displayed on your website. There are many privacy policy “generators” out there. Some are semi-free (meaning there’s usually a catch) and some are more comprehensive and may require a fee to obtain. As with most things in life, you get what you pay for, so it’s not a bad idea to use an online legal service like Rocket Lawyer or Legal Zoom, or better yet, ask your attorney for their recommendations.

Privacy Policy Generators:

Legal Services

If you do not have an attorney, you may want to consider a service like LegalZoom. For an annual or semi-annual fee (around $31 to $36/mo in Tennessee) you can consult with attorneys on all sorts of matters. You may pay extra to have a document drawn up, but it is worth the extra cost to make sure your bases are covered. And many documents can be downloaded for free if you are subscribed. See LegalZoom for more information.

For more specifics about GDPR and how it applies to your organization, see the Site Owner’s Guide to GDPR.

GDPR Compliance Upgrade

GDPR compliance is a daunting task, and the requirements seem overwhelming, even for leaders in our industry. As website producers, we try to stay on top of technology and news that affects our industry. And when we become aware of situations that affect our clients, we want to let them know so they can do their own research and make informed decisions about their website or online presence as a whole.

We also want to provide solutions where we can, so we have put together a GDPR Compliance Upgrade package to help you meet some of the basic requirements of GDPR.

PLEASE NOTE: The above content should not be construed as legal or tax advice. Always consult with an attorney or tax professional regarding your specific legal or tax situation.

Additional Resources:

For more information about GDPR, visit eugdpr.org. Here are a few other relatively simple descriptions and resources we’ve found:

Made in Memphis

© 2018 | New Urban Media