Is Your Site Ready for GDPR?
I’m sure your inbox has had a few emails in it mentioning GDPR. What is GDPR, exactly? It is a European law that protects European citizen’s personal data and the way it is used on the Internet. You’re in the United States and your website focuses on US-based people, so this doesn’t apply, right? Maybe, but you still need to take certain measures to let the Internet know you’ve acknowledged and taken some steps for GDPR. My hunch is that it’s just a matter of time before other areas implement similar security measures so let’s get prepared now.
What Does GDPR Mean?
There are several components to the GDPR and we encourage everyone to read all the details. For this post, we are going to focus on items most relevant to our clients and their websites. According to GDPR, all European citizens will have the rights to the following:
- Breach notification: if there is a data breach, data subjects must be notified within 72 hours of when the breach was identified.
- Right to access: if your website has any contact form or means of tracking user data (cookies for Analytics), the data subject has the right to know what you are doing with that information. Also, they have the right to request all the personal information that you have on them. If a request is made, you MUST provide a record of all personal information to the data subject or else you could be facing a financial penalty.
- Right to be forgotten: the data subject can request to be forgotten. This means you must erase their data completely from your records as well as any third party records you may have provided their information to.
Steps to Take to Be GDPR-Compliant
There are some steps you should take to ensure your website is on the up and up.
- Forms: if you have an email signup form, contact form, or any other form that signs a user up to receive email, you need to add a checkbox for users to check so they are giving you their consent to be emailed. If you already have a checkbox, make sure that the default setting is blank or set to “no.”
- Forms Part 2: if you already have a checkbox where viewers are accepting your terms and conditions, don’t think this covers you for GDPR. You need to separate the two out – create a separate checkbox for the consent to be contacted.
- Name the Third Parties: in many Terms & Conditions pages, businesses simply say that data may be shared with third parties. This is no longer acceptable. The third parties need to be named individually. These third parties should appear as options on your forms and the user should be able to check/uncheck the people or businesses they wish to share their information with/be contacted by.
- Updated Terms & Conditions: the T&C page on your website needs to address GDPR specifically. You must specify what you do with user data when you receive it. You must also address how and why you collect the data that you do.
- Current Email Subscribers: email all current subscribers and ask them to reconfirm that they wish to continue receiving emails from your business. If you use MailChimp or Constant Contact, it will be easy to have your users resubscribe/unsubscribe.
- eCommerce Sites: these days, most eCommerce websites pass payment information to their merchant account and do not store any personal data. If your website stores personal information after the data has gone to the merchant account, this will need to change. This requires an overhaul of your entire payment processing system. If you are using an eCommerce platform such as Magento or Shopify, look at their sites to find out how they are addressing GDPR.
Conclusion on GDPR
GDPR goes into effect at the end of May so you still have some time to become GDPR-compliant. While I don’t agree that a European law should be allowed to be forced upon other areas of the world, I DO think that providing transparency and the request to have your data erased is a good thing. I believe it will be a matter of time before more regions implement similar measures and eventually, it becomes the standard.
If you have questions, concerns, or need help getting your website to be GDPR-compliant, contact Digital Bombers today!