The General Data Protection Regulation (GDPR) is an EU regulation that is about to go into effect on May 25th. I’ve gotten a lot of questions from my Website Maintenance members about it recently, so I thought I would send out a general FAQ for GDPR (holy acronyms). FWD to any fellow Website owners.
Disclaimer: I’m a Web Designer, not a lawyer. I’m basing most of this advice off of guides I’ve read online. You could find this same advice with a Google search. It shouldn’t be taken as legal advice or a comprehensive guide to the GDPR.
Does GDPR affect me if I don’t live in Europe?
If you do business or collect data from anyone in the UK or EU, this affects you.
When does it go into effect?
May 25th, 2018.
Will “Brexit” affect the way Britain implements the GDPR?
When Britain splits from the EU, it will carry all existing EU legislation, including the GDPR, over into British law. So, no, Brexit will not have an effect on this.
Am I collecting data?
If you sell things online, allow people to contact you online, or have an Email list…the answer is probably yes.
- personal data: “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address.
- processing of personal data: “any operation or set of operations which is performed on personal data”. Even storing an IP address is technically considered storing personal data.
You should list all of the ways that you collect data, both “first party” (your own Website/server) and “third party” (an Email list, Mailchimp form, etc.).
Then ask:
- What are you using the data for?
- Where is that data being stored?
- Do you still need the data?
Do I need to change the way I collect Emails?
Any newsletter opt-in on your Website has to have provable explicit consent under the new rules. That means that somebody must tick a box that says they agree, and what they agree to. Said box must not be pre-ticked to automatically “accept” subscription.
Can I add people who contact me through my Website to my Email list?
Only if you have specific permission for adding them to your Email list. Simply contacting you alone is not enough.
What if I use Mailchimp/Aweber/Etc.?
Most of these big providers will be GDPR compliant by May 25th if they already aren’t. You should check the Privacy Policy of any third party you use to collect data.
I use ActiveCampaign (Read my review…ActiveCampaign: An Inexpensive Alternative to Infusionsoft and HubSpot) and they are GDPR compliant.
How do I need to change the way I collect/keep my data?
Mainly, this is about transparency. People should know what they are opting in to, and it should be just as easy to opt out as it was to opt in, if not easier.
What about Website analytics (Google analytics, etc.)?
Those are fine. Google is GDPR compliant, and is good about anonymizing information.
Anything else I need on my Website?
If you don’t already have an SSL certificate installed and configured, you should.
Do I need to update my privacy policy?
After listing the ways you collect and store data and checking to make sure any third party apps are GDPR compliant (eliminating any that aren’t), you should update your privacy policy to include, specifically, how, when, what, and why you collect data; and how, when, what, and why you use it.
GDPR also makes it so that you must give people an easy way of contacting you to erase all of their data. That means all of it. No back-ups, “no nothing”.
So put your contact info in your privacy policy and mention that, as per GDPR, you will erase all data associated with a person if they request it.
What happens if I break these rules?
It’s not pretty. The average person could not easily afford the penalty. It’s better to just do your best to be compliant.
Send this to any fellow Website owners. There hasn’t been a ton of buzz about this in the US, but it’s starting as we cross the 2-month mark.
Let me know if you have any specific questions about your own site as it relates to GDPR.