What is the GDPR—and, how does it affect my website?

tbh creative team collaboration
Notice an influx of privacy policy notifications lately? Getting lots of emails referencing something called GDPR? There’s a good reason companies big and small have been trying to get your attention.

The European Union’s General Data Protection Regulation goes into effect May 25, 2018, and it significantly enhances the level of personal data protection extends to European Union (EU) citizens.

The GDPR replaces the 1995 EU Data Protection Directive (DPD), and—although the GDPR is an EU law—if your company collects or processes the personal information from EU residents, you’ll need to have a plan in place to comply with the new regulation.

This guide outlines how the GDPR may impact your company and your website, and you will learn how to start making sure your website is in compliance.

GDPR Frequently Asked Questions


Who does the GDPR affect?
The GDPR affects any company that collects and/or processes the personal data of EU citizens. For example, you may not actively sell to Europe, but if there is a chance that a citizen of the EU could submit a form on your website, you must handle that data within the regulations of the GDPR.

What does the GDPR consider personal data?
According to the European Commision Data Protection, personal data includes:
  • Name
  • Address
  • Localization
  • Online identifiers (IP address, cookie data)
  • Health information
  • Income
  • Cultural profile
  • and, more.
If I don’t work with European customers, do I have to do anything for GDPR?
If there’s a chance that you may collect or handle an EU citizen’s information, the GDPR affects you. Depending on your business situation, we recommend talking to a legal professional.

What happens if I don’t comply with GDPR?
Non-compliance can bring penalties and fines of €20 million or 4% of your company’s global annual turnover, whichever is higher.

How is my website affected by GDPR?
The GDPR focuses on informing individuals about how their data is being used and stored, or, data transparency. Whether you collect customers’ personal information through online forms, an e-commerce store, or otherwise, you will need to make sure that your policies and documentation support this transparency.

What steps should I take to make my website compliant?

Step 1: Understand how you are collecting and using data

If your company collects data from any residents of the EU, figure out where you’re storing any personal data (and with which applications or tools).

Do you use a WordPress website? Is your online store hosted by WooCommerce? If you use a third-party data processor, take steps to understand how they use and store your customer data.

Do you manage and store your website form submission data internally? How (and for how long) do you store this data? Make sure you have a policy in place that clearly explains how you use and store that customer data.

Step 2: Establish—or, reevaluate and document—data collection and usage processes

Do you have security measures in place to protect personal data from your customers? Determine if you are storing all your form submission data internally and set policy is regarding purging it at regular intervals?

Make changes to your Google Analytics set-up

If you use Google Analytics, the GDPR considers Google to be your data processor.

The good news? Google has taken the implementation of GDPR as an opportunity to change their policies for all users, regardless of whether or not they conduct business with citizens of the EU. This includes updating their agreements and terms of service, reiterating their commitment to promptly informing customers of data breach incidents where applicable, and allowing users to determine how long their data is stored, and when it is deleted.

Learn more about choosing how long your user-level and event-level data is stored. You can use this feature in tandem with your privacy policy and data collection and storage updates.

Do you use HubSpot, MailChimp, Salesforce, etc.?

These services are third-party data processors, too. While most large organizations are already making changes to their systems to become compliant, it’s worth taking the time to understand what they’re doing if you use their services.

Even if a third party is processing your customer data, you should be ready to answer questions from customers about how their data is being used and stored. If your customers request that their information is erased or handled differently, you’ll need to have a plan in place to make sure that happens.

Step 3 — Update your privacy policy

Ensure your data privacy policy is up-to-date with the new regulations (and that your team follows it). At TBH Creative, we took this opportunity to reevaluate our own privacy policy. We ensured that it includes:
  • A clear description of the type of personal data we collect
  • Explanation of our customers' rights to their data, including the ability to have us purge their information upon request
  • Our contact information
  • Information about how we will handle a security breach

Step 4 — Document a data breach response process

Document a 72-hour plan in the event of a data breach to alert your contacts. How will you notify your customers? What third parties will you need to work with?

RECOMMENDATION: You should always consult your company's legal counsel to answer any specific questions, and to determine what your organization needs to do to be GDPR compliant.

    Consumers want transparency, and the GDPR requires it

    There is no one-size-fits-all approach to ensuring GDPR compliance, which is why it is vital for any business that has contacts or customers in the EU to take steps to become compliant.
    These new rules may seem scary, but they reflect some best practices in digital marketing, such as:
    • Be clear about how user information is collected, used, and stored
    • Require opt-in consent for the use and storage of personal information
    • Don’t buy lists of names and contact information
    • Provide users with the option to be removed from your database
    • Alert your contacts in the event of data breaches
    “The GDPR, among other things, requires companies and site owners to be transparent about how they collect, use, and share personal data. It also gives individuals more access and more choice when it comes to how personal data is collected, used, and shared.”—WordPress Support

    Still have questions? Check out this list of additional resources:

    Need help with your digital marketing strategy? Talk to us
    Tatum

    About the author | Tatum Hindman

    Tatum is the president of TBH Creative and is responsible for building long-term client relationships. She enjoys the strategy behind web design and collaborating with clients to define and execute online marketing goals. She likes to blog about hot topics in web design and digital marketing, as well as share tips for strengthening your online presence.

    View more posts by Tatum

    Receive articles in your inbox