Navigating the GDPR
*Note: I am not an attorney. This is intended to be an encouragement, but should not take the place of sound legal advice. You are responsible to research the GDPR for yourself!
Let’s start with what the GDPR is. GDPR stands for General Data Protection Regulation. It is a set of laws and guidelines that were accepted by the European Union and that take full effect on May 25, 2018.
Forget all of the hype you may have heard, and let’s look at this from my usual practical implication approach.
This is about protecting the privacy of people who use our websites. One of the rules simply states that this should be the #1 priority of a website owner when creating a site.
Wow. Okay, so maybe that hasn’t been our first priority in the past, but when you think about it…doesn’t that sound like a good thing? What if all of these big companies that have been slurping up our private data like it was soda pop actually took that concept to heart? The webworld would be a much better place.
The European Union wasn’t being idealistic when they made this a goal. They knew some greedy power-hungry companies wouldn’t do it willingly. So they added a catch. Do it or be fined. And not a small fine, either. Since the worst offenders are BIG companies, they added BIG fines.
And of course those big fines are terrifying small website owners.
Yes, you need to comply with the GDPR even if you are small. But understand: you want to comply not because you are worried about a big fine, you should comply because you are worried about your customers. You want them to feel safe using your site, right?
People are going to get used to the new rights they have under this new legislation and they’re going to want to work with people who value their privacy. You want them to work with you? You want them to feel safe.
It doesn’t matter where you are in the world. If you offer services to any citizen of the European Union, this legislation applies to you.
The bones of the law make good sense. Even if you don’t work with citizens of the EU, you may want to do this just because it is a good idea.
Let’s cut to the central rights that the GDPR grants to people (The GDPR calls them data subjects…but I’m going to call them people. Yes there are some legal technicalities that this is glossing over. See the important Note at the top of this post.):
People have the right to be notified within 72 hours if their data has been exposed in a breach. Wouldn’t that be nice? Can you name 3 companies who were breached lately who didn’t notify people for more than 72 hours? How did you feel when you found out that your data was out there on the internet? Or did you not know that it was? I’ve had to notify a couple of people that their username and password combination has been flagged by my security software because it was freely available on the internet. That is never a fun conversation to have.
Right to Access
People have the right to know what you’re storing about them and where you are storing it.
Right to be Forgotten
People have the right to request to be removed from your website and have you delete everything you know about them. Everything. This reminds me of a writer who had posted an ill-conceived comment on a website. Years later, her agent had an issue with her public profile because guess what the #1 search result was for her name? Yep…that inappropriate comment was costing her sales! She really wished that could be forgotten. Now it can. It also means that when you ask someone to take you off the mailing list, they’d better do it!
I’ve got to admit that this one has me baffled. If a person asks for the data that you have on file for them, you have to give it to them in a format that they can take elsewhere. This doesn’t apply to any of my clients’ websites, because why would you ask someone for a copy of your email address??? But when I think of it in relation to a big company like Evernote, it begins to make sense. It begins to make a lot of sense. I’m not sure how site owners are complying with this one, but it is interesting.
What this means for website owners:
There are a few key rules for website owners. These must be followed and if possible documented in such a way that your documentation is clear and easily understood.
Privacy by Design
That’s what I started this blog with. You simply must make customer privacy your number 1 priority.
What does this look like? You should immediately look at your website and look at what data you store about people. If you don’t need it, delete it. The goal of the law is not to make it so that you can’t have data. It just says that you need a valid reason to keep that data. If you don’t need it, don’t ask for it.
The law also has some verbiage that makes some subjects more sensitive than others. Things like religion, sexual orientation, and politics are all sensitive subjects. If you’re going to store that sort of data about someone, you’d better have a VERY good reason and you’d better protect it like it could cost someone their life. Why? Because in some parts of the world that information COULD cost someone their life.
Data Protection Officers
Each website must have someone who is responsible for protecting people’s data. That person can’t be a secret. You have to make contacting them easy. In larger companies, it seems like there may be additional requirements, but it seems to me that for small one-person-run websites, the owner needs to take responsibility for this job the same as the owner of a one-person-business takes responsibility for all the other jobs. You can outsource this and hire someone to do it for you. However, that person needs to not have any conflicts of interest related to the job and they need to have the ability to do their job.
This means that if the data protection officer sees you doing something wrong, they need to be able to immediately stop you from doing it. If that means that you need to shut down your website, they need the authority to do it.
Unless I hear otherwise, I’m recommending that all of my small clients take on this role and take it very seriously. Back to: customer privacy has to be your number 1 priority!
I’m sounding like I’m stuck in a loop, but that’s the heart of this legislation.
Consent is Required
You can’t just check a pre-check a box and have people added to your mailing list. That box needs to be unchecked. People need to know what they’re signing up for and they need to check the box themselves.
Be Clear about What you Collect
This is actually the hard part. You have to look at your website and see what data you are collecting. Then you have to review your plugins and make sure that data isn’t being sent away. Use anti-spam technology? That data is being sent away. This doesn’t mean you can’t use anti-spam. It just means that you have to tell people that you are using it and let them know who you are sending what data to. You need to tell people where that data is going to be stored, for how long, and what the people getting that data are going to do about it.
But wait — these aren’t just ANY privacy policies. These are special. These are new. These are easy and fun to read.
Seriously? These are legal documents. Legal documents aren’t fun to read. No one reads privacy policies. We just check the box and grimace.
Not any more. Under this law — this legalese riddled HUGE, unreadable law that no one is really 100% sure they fully understand — under this law, those privacy policies must be easy to understand. You will probably already have noticed that major companies are sending out updated privacy policies. Have you read any of them? If you are a website owner (or a human) you should read them. Take notes. Those companies have paid a lot of money to have those policies written for them. They’ve worked hard to meet this requirement. You should read the privacy policies. You’ll notice a difference between modern (GDPR) ones and what you’ve seen in the past.
Delete What you Don’t Need
If you don’t need something, delete it. If you don’t have permission to have something, delete it. Get active permission from your users.
If someone asks you to delete their information: do.
Treat people’s information like it is the most precious part of your website. Make data privacy your #1 priority. Use SSL and plugins like WordFence to keep that data safe. Do everything in your power to prevent data breaches. Keep only what you need and make sure people know what you have and where you are storing it. Make sure they agree to your having that information. Tell them why you need it. If someone asks questions about their privacy, answer them promptly.
The intent of this law is to start with a warning. If you get a warning, take it seriously. Make visible efforts to comply with the law — not just the minimum compliance, but actively comply with the spirit of the law.
I’ve seen scary things like this on the internet before…and we survived. Commerce did not end. You don’t have to close your website. You don’t have to stop doing business. No one is 100% sure what compliance with the GDPR will mean. I’ve read a lot of reports saying that no one is in 100% compliance yet. Basically, everyone is confused and we’re all trying to figure this thing out. Comply with the law to the very best of your ability. And if you get a warning, take it seriously. Watch out for the scammers that will gravitate to this sort of situation and try to make it scarier than it needs to be so that you will give them money.
You don’t have to panic.
You just have to make data privacy your #1 priority.