The European Union’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018, and it significantly enhances the level of personal data protection extended to European Union (EU) citizens.
The GDPR replaces the 1995 EU Data Protection Directive (DPD), and—although the GDPR is an EU law—if your company collects or processes the personal information from EU residents, you’ll need to have a plan in place to comply with the new regulation.
This guide outlines how the GDPR may impact your company and your website, and you will learn how to start making sure your website is in compliance.
GDPR Frequently Asked Questions
Who does the GDPR affect?
The GDPR affects any company that collects and/or processes the personal data of EU citizens. For example, you may not actively sell to Europe, but if there is a chance that a citizen of the EU could submit a form on your website, you must handle that data within the regulations of the GDPR.
What does the GDPR consider personal data?
According to the European Commission’s data protection guidance, personal data includes:
- Online identifiers (IP address, cookie data)
- Health information
- Cultural profile
- and more.
If there’s a chance that you may collect or handle an EU citizen’s information, the GDPR affects you. Depending on your business situation, we recommend talking to a legal professional.
What happens if I don’t comply with GDPR?
Non-compliance can bring penalties and fines of €20 million or 4% of your company’s global annual turnover, whichever is higher.
How is my website affected by GDPR?
The GDPR focuses on informing individuals about how their data is being used and stored; in other words, data transparency. Whether you collect customers’ personal information through online forms, an e-commerce store, or otherwise, you will need to make sure that your policies and documentation support this transparency.
What steps should I take to make my website compliant?
Step 1: Understand how you are collecting and using data
If your company collects data from any residents of the EU, figure out where you’re storing any personal data (and with which applications or tools).
Do you use a WordPress website? Is your online store hosted by WooCommerce? If you use a third-party data processor, take steps to understand how they use and store your customer data.
Do you manage and store your website form submission data internally? How (and for how long) do you store this data? Make sure you have a policy in place that clearly explains how you use and store that customer data.
Step 2: Establish—or, reevaluate and document—data collection and usage processes
Do you have security measures in place to protect personal data from your customers? Determine whether you are storing all your form submission data internally, and set a policy for purging it at regular intervals.
Make changes to your Google Analytics set-up
If you use Google Analytics, the GDPR considers Google to be your data processor.
The good news? Google has taken the implementation of GDPR as an opportunity to change their policies for all users, regardless of whether or not they conduct business with citizens of the EU. This includes updating their agreements and terms of service, reiterating their commitment to promptly informing customers of data breach incidents where applicable, and allowing users to determine how long their data is stored, and when it is deleted.
Do you use HubSpot, MailChimp, Salesforce, etc.?
These services are third-party data processors, too. While most large organizations are already making changes to their systems to become compliant, it’s worth taking the time to understand what they’re doing if you use their services.
Even if a third party is processing your customer data, you should be ready to answer questions from customers about how their data is being used and stored. If your customers request that their information is erased or handled differently, you’ll need to have a plan in place to make sure that happens.
- A clear description of the type of personal data we collect
- Explanation of our customers’ rights to their data, including the ability to have us purge their information upon request
- Our contact information
- Information about how we will handle a security breach
Step 4: Document a data breach response process
Document a 72-hour plan to alert your contacts in the event of a data breach. How will you notify your customers? What third parties will you need to work with?
RECOMMENDATION: You should always consult your company’s legal counsel to answer any specific questions, and to determine what your organization needs to do to be GDPR compliant.
Consumers want transparency, and the GDPR requires it
There is no one-size-fits-all approach to ensuring GDPR compliance, which is why it is vital for any business that has contacts or customers in the EU to take steps to become compliant.
These new rules may seem scary, but they reflect some best practices in digital marketing, such as:
- Be clear about how user information is collected, used, and stored
- Require opt-in consent for the use and storage of personal information
- Don’t buy lists of names and contact information
- Provide users with the option to be removed from your database
- Alert your contacts in the event of data breaches
“The GDPR, among other things, requires companies and site owners to be transparent about how they collect, use, and share personal data. It also gives individuals more access and more choice when it comes to how personal data is collected, used, and shared.”—WordPress Support
Still have questions? Check out this list of additional resources:
- Get started with HubSpot’s GDPR Compliance Checklist covering how to be compliant
- Check out Shopify’s straightforward explanation of how GDPR might affect your business
- Use Google Analytics? Learn how to make sure your data exchange and interactions with Google are GDPR-compliant
- Consult the full GDPR regulation