What is GDPR and Why Should I Care?

Does your website collect visitors’ names, email addresses, or any other personal information? If so, the GDPR, which comes into effect in May 2018, likely affects you.

GDPR stands for General Data Protection Regulation. It was created to protect and empower all EU citizens’ data privacy, and to change the way organizations across Europe approach data privacy. The EU Parliament approved it on April 14th, 2016, and has an enforcement date set for May 25th, 2018—at which time those organizations in non-compliance may face heavy fines. It replaces the 1995 European Directive (95/46/EC) on ePrivacy which included the famous “cookie law” that prompted all those cookie warnings that began appearing on websites a while back.

What if I don’t host my website in Europe?

GDPR isn’t just something for European companies and orgs to be concerned about. It was designed to protect the rights of EU citizens, regardless of where they are in the world or where the websites they visit are hosted. In other words, if your site has any international traffic and is visited by any European citizens (and how would you know?) this regulation affects you, and your organization could be at risk of heavy fines for any violations.

What kind of heavy fines?

According to the official GDPR website, organizations can be fined up to 4% of annual global revenue for breaching GDPR, or €20 Million (nearly $25 million USD). That’s the maximum penalty. There is a tiered penalty system however, so you could only be on the hook for 2% if, for example, you don’t have your records in order or you failed to notify the supervising authority and data subject to a security breach of your database (within 72 hours).

What constitutes "personal data?"

Personal data includes any information related to a person that can be used to directly or indirectly identify them. That means it could be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address. Here’s the official definition:

'personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 4, GDPR

What do I need to do to prepare for GDPR?

There are a few things you’ll need to look at in order to ensure your organization is ready when it comes into effect, and you won’t be liable under GDPR.

Display a privacy policy

Your site must include a privacy policy, and it should be clear, easy to find, and detail exactly what data is being collected and stored by visitors on your website. It should also describe exactly where and how this data is being stored, and what it’s being used for.

Explain signup forms

Any webforms, including contact forms, email newsletter signup forms, white-paper request forms, membership applications, etc., should have a statement clearly explaining what the data being requested will be used for. For example, if you’re collecting email addresses as part of a membership signup process, and you intend to email those people later with “special offers from our partners”, you need to spell that out on the signup form.

If your signup forms include an option to receive communications of any sort, such as marketing messages, you need to be crystal clear as to what the recipient will receive by opting in. Additionally, users must have to explicitly select the option to opt in; boxes cannot be ticked by default, and users must not be asked to select to opt-out.

No “bundled consent”

Similarly, "bundled consent" is not allowed. For example, you can’t ask for a user's email address in exchange for access to a piece of content on the site and state that, by accessing the content, the user agrees to receive marketing messages. As in the case of a signup form, you need to provide a checkbox so the user can choose if they want to receive communications or not, and the user can only be sent communications if they opt-in.

Provide an option to delete info

You also need to make it just as easy for someone to delete their account (and all their data you’ve been storing) as it was for them to sign up. This is sometimes referred to as “the right to be forgotten”. Similarly, you need to allow users to see all the personal data you have collected, and provide them with a way to export it.

Depending on the size of your organization you may also need to appoint a privacy officer, or a person who is responsible for addressing requests.

What else?

Google Analytics is a 3rd-party service that runs on almost every website on the internet, and it’s not only tracking people on those individual websites, it’s tracking them as they move across the web. With the old “cookie law,” websites in Europe just had to inform users if they were using cookies to track their activity. Under GDPR, websites will need to get consent. That might mean requiring consent before from visitors before loading the Google Analytics script. This would equally apply to any social network buttons like those from Twitter, Facebook, and LinkedIn. In an effort to do their part as a data processor, Google Analytics is working to update their system to be compliant with GDPR but there are some settings that site owners will need to adjust to ensure they are also doing their part. In particular, turning on IP Anonymization is required. Google Analytics uses IP addresses for geolocation reporting, so this will likely impact the accuracy of your reports.

What happens next?

There is still some uncertainty around just how far-reaching this legislation actually is, and how it will be enforced. As the saying goes, time will tell. But the legislation is real and companies like Facebook are making big changes at great expense in order to protect themselves from the financial penalties, not to mention the bad press, that may come if they fail to protect the privacy and data of European citizens. Perhaps the bigger question is, why aren’t they doing the same for everyone else on the planet?

Resources and articles used to research this post

http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

https://www.eugdpr.org

https://events.drupal.org/nashville2018/sessions/think-your-website-gdpr-compliant-think-again

https://www.adaptive.co.uk/blog/gdpr-compliance-drupal-websites

https://www.thewebguild.org/news/gdpr-essentials-for-web-developers-and-site-owners

http://europa.eu/rapid/press-release_IP-15-6321_en.htm

https://adactio.com/journal/13364

http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics