A Simple Overview of GDPR


GDPR went into effect on May 25th, 2018, and has website owners around the world scrambling to figure out how the law applies to them. This article provides an overview of what GDPR is, why it matters to you, and whether you can ignore it. It is not meant to provide all the information you need to comply with GDPR. Instead, it gives you a place to start from so you have an idea of what you might need to do with your business to comply.

I am NOT a lawyer. You should seek specific advice for your website/business from a lawyer.


GDPR and how it applies to your business


Who Should I Ask About GDPR?

There are two steps for dealing with GDPR.

Talk to your lawyer then your web developer.

First, you need to talk to someone who can interpret the law. You don’t want your web developer trying to interpret how the law applies to you – not with the massive fines involved. Most likely your web developer, like White Fox Creative, has no background in law; while we can point you in the right direction, make sure you seek professional advice. If you’re not sure who to contact, we list some options at the bottom of this post.

Second, once the law has been interpreted by a lawyer as to how it applies to your specific business, you’ll need someone to implement the law. This is where your web developer comes in. You might need to add disclaimers to your online forms or document where personal information for your users is being stored or even if you are collecting personal information from your users.

Ideally, your web developer should work with your lawyer to make sure you are following the law.

But What Does GDPR Deal With?

GDPR was passed in the European Union (EU) in 2016, but it only just recently became enforceable on May 25, 2018. It specifically deals with what customer information you collect, how long you keep that information, the right of the customer to be “forgotten” (have their information deleted from your system), the ability of them to port their information, and what you have to do if you are hacked and their information is stolen.

If your website or business might interact with EU citizens, you should be GDPR compliant.

Specifically, it pertains to businesses or websites that operate within the European Union. In reality, though, anyone’s website can be visited by a citizen from the EU. If your website is visited by a citizen of the EU and you don’t take care of their information correctly, the European Union can work with law enforcement in your country to fine you. Of course this depends on the country, so not all people are equally affected.

What if I Don’t Comply?

The fines are in the millions if a business doesn’t comply, so this is not something that you want to ignore.

Is it Good or Bad?

Personally, I’m hopeful about GDPR. Some lawyers are pointing out the vagueness of certain aspects, so we’ll have to see what exactly gets enforced and how effective it is in protecting people. But after the hacking of major companies in the US that controlled millions of people’s personal information, I would like to see more protections for the users enacted on this side of the pond.

A Few Terms

There are three main terms to know with GDPR.

Controller: This is the person in your organization who is in charge of the data, whoever is responsible for making sure the company is adhering to GDPR.

Processor: This is the person who is doing the tasks related to the information. For example, this person is responsible for deleting information when users request that.

Data Protection Officer: For companies that are collecting large amounts of personal data, you should have a data protection officer. This position is about thinking critically about the data you have and how best to protect it and organize it.

Taking a Closer Look At GDPR

There are four basic data rights that GDPR deals with. You should make sure a lawyer walks you through each item below as it pertains to your business or website.

I am NOT a lawyer. You should seek specific advice for your website/business from a lawyer.

Informed

You must inform people of what data you’re collecting and saving, how long you’ll save that information, and what you’ll be doing with that information. This seems fairly straightforward to me.

Perhaps the most interesting portion of this section is that if you obtain their information from someone besides them, you have to make sure they receive the same privacy information within a month of getting their information.


The Right to Be Forgotten

What user information do you have, where do you store it, and how do you delete it?

Initially I thought this was the easiest part of GDPR. Not quite. The right to be forgotten is essentially the idea that if a client/customer/potential customer asks you to delete their information in your system, you must do it in a timely manner. To make sure this happens, you’ll need to offer a way for customers to contact you to ask to be forgotten.

But it also requires organization on your side. For example, you need to know what information you have, where you store it, and how to delete it. You’ll also need to decide who takes on this responsibility.

There’s a minor caveat to this part of the law, though. You can keep any information you are required to keep for taxes or by law. To sort out which information you can keep and which you have to delete, you should talk to your tax accountant and a lawyer.


Data Portability

This part of the law deals with the ability of the customer to port or move their information from your system to someone else’s, even a competitor’s. This covers any personal data they provide to you. It also has to be provided to them in an easy-to-use and common format, such as a .csv file. This only applies to their personal information, though, not information that is anonymized.


Breach

The part of the law that deals with a breach of security is one of the most important. While all of these items are time sensitive, this one’s timing is particularly sensitive. Within 72 hours (holidays and weekends included), you must notify authorities of a security breach. Regardless of who discovers the breach, it must be reported within 72 hours.

You should put together now (before a breach happens) what you must do in case of a breach. Do you know which authorities you have to notify? Who in your company handles this? How do you get hold of someone in case of holidays? Getting hacked is stressful enough, so make sure this document is kept somewhere accessible to anyone within the company who might need it.

Privacy Notice

You should have a privacy notice on your website covering how you deal with users’ information, what you collect, and who they need to contact in case of questions or other issues.

Some Other Items

There are quite a few items contained in this law, and this article only covers a few of the larger ones. Here are a few items you might be wondering about:

Make sure you have a lawyer look over your company in specific to make sure you comply.

I Don’t Collect Any Information Except Google Analytics

If you’re a small business outside of the EU and don’t do business inside of the EU, this law might not affect you much. I would still recommend updating your Privacy Policy and talking with a lawyer (see below for a recommendation).

Google Analytics doesn’t show or collect IP addresses, so you won’t need to change any settings within Google Analytics.

However, you should review their new Data Processing Amendment.


Contact a Lawyer

Jodi at Red Clover Advisors recorded a fantastic video about GDPR for those wondering. She has been a privacy expert for more than 19 years. You can find her contact information on her website at RedCloverAdvisors.com.

You can also buy her DIY GDPR Kit to help you figure out what you need. Don’t forget to also talk to a lawyer!

Bottom Line

The two main items you should focus on going forward are how to minimize the risk of a hack or other exposure of people’s information, and how to collect only the information you really need for the length of time you need it.

Only collect information you need and protect that information.

Next Step To Do items:

  1. Assign someone to handle GDPR compliance within your organization (Controller)
  2. Assign someone to handle the information in your organization (Processor)
  3. List out everywhere you store information about your users (what items are there, how long, people with access, etc.)
  4. Figure out how to delete information or how to download information within these systems
  5. Make sure any “opt-in” marketing programs can provide evidence that people did opt in.
  6. Reach out to any current people and confirm they want to be on the list. Those who don’t respond or don’t actively say yes should be removed from your list.
  7. Do you share information with any third party? Sort out the privacy and GDPR issues involved here.
  8. Review your security of the information you have.
  9. Make a Data Breach Plan.

Helpful Links

Use a system to help with GDPR Compliance with BetterCloud >

Watch BetterCloud’s YouTube Compliance Video featuring Jodi, a data privacy expert. You can also find more information about Jodi directly on her website at RedCloverAdvisors.com.
