Preparing for the General Data Protection Regulation
The European Union has passed a set of regulations that may affect your website. This new regulation, called the General Data Protection Regulation (GDPR), dictates how and when you can store data about website visitors and applies to all companies processing the personal data of subjects residing in the European Union.
Whether or not your website will be required to comply with these regulations is a decision you will need to make (perhaps with consultation from your legal team) based on the reach of your website and who you market to.
There are a number of areas affected by the GDPR; we’ve listed them below in their simplest form, along with possible solutions.
We have all seen the checkboxes that are pre-checked for you to receive a newsletter when you are purchasing a product online. That is no longer acceptable under GDPR. Signing up for communications (or any other data processing) must be specifically opt-in and you must be able to verify that the consent was given by the user.
In addition, visitors must be able to withdraw consent at any time (e.g. through an easy unsubscribe option).
Your policy should state exactly what data you collect about visitors (e.g. IP address, contact information, etc.), who you share it with, and what you use it for. Additionally, you should provide a method for visitors to request a copy of the data you hold about them, as well as a method to request the removal of their personal data from your systems.
Under the GDPR, a visitor has the right to request the erasure of their data. This means that if an individual asks you to remove their data from your systems you have to comply, including all current records, backups, and anything else that references their personal data.
We don’t recommend the complete removal of all data, as that may affect order history, inventory, etc. However, if a request is made, we would suggest overwriting the visitor’s personally identifiable information, such as their name, address, or phone number, with stock pseudo-data (e.g. John Doe, 1234 Street, etc.).
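One way to carry out the overwrite described above, as an added Python example that is not SiteCrafting's code: the customer and order tables, their field names, and the placeholder values are all constructed for the example. It overwrites the personal fields in the customer row and in every order that carries a copy of them, keeps the order totals and SKUs intact, records an audit entry for the request, and then checks that none of the original personal values survive anywhere in the tables, which is the step most often missed when personal data is duplicated across records.

```python
from copy import deepcopy
from datetime import datetime, timezone

# Fields treated as personal data and the stock pseudo-values that replace them.
# Field names and placeholder values are assumptions made for this example.
PII_PLACEHOLDERS = {
    "name": "John Doe",
    "email": "erased@example.invalid",
    "phone": "000-000-0000",
    "address": "1234 Street",
}

# Constructed sample data: a customer table and an orders table that also
# carries a copy of the name and shipping address (PII is often duplicated).
CUSTOMERS = [
    {"id": 42, "name": "Jane Smith", "email": "jane@example.com",
     "phone": "555-0100", "address": "12 Elm St"},
    {"id": 43, "name": "Bob Jones", "email": "bob@example.com",
     "phone": "555-0101", "address": "9 Oak Ave"},
]
ORDERS = [
    {"order_id": 1001, "customer_id": 42, "total": 59.99, "sku": "WIDGET-1",
     "address": "12 Elm St", "name": "Jane Smith"},
    {"order_id": 1002, "customer_id": 43, "total": 12.50, "sku": "WIDGET-2",
     "address": "9 Oak Ave", "name": "Bob Jones"},
]


def pseudonymize_record(record, placeholders=PII_PLACEHOLDERS):
    """Return a copy of record with every PII field overwritten by its placeholder."""
    out = deepcopy(record)
    for field, value in placeholders.items():
        if field in out:
            out[field] = value
    return out


def handle_erasure_request(customer_id, customers, orders, placeholders=PII_PLACEHOLDERS):
    """Honor an erasure request without deleting rows.

    Overwrites PII in the customer row and in every order referencing the
    customer, leaves totals and SKUs untouched, and returns the new tables
    plus an audit entry (what was changed and when) for the compliance log.
    The input tables are not modified.
    """
    new_customers = [pseudonymize_record(c, placeholders) if c["id"] == customer_id else c
                     for c in customers]
    new_orders = [pseudonymize_record(o, placeholders) if o["customer_id"] == customer_id else o
                  for o in orders]
    touched = (sum(1 for c in customers if c["id"] == customer_id)
               + sum(1 for o in orders if o["customer_id"] == customer_id))
    audit = {"customer_id": customer_id, "rows_pseudonymized": touched,
             "at": datetime.now(timezone.utc).isoformat()}
    return new_customers, new_orders, audit


def residual_pii(original_values, customers, orders):
    """Check that none of the original PII strings survive anywhere in the tables.

    Returns a list of (table, row_key, field) locations still holding a value
    from original_values; an empty list means the overwrite was complete.
    """
    leaks = []
    for row in customers:
        for field, value in row.items():
            if value in original_values:
                leaks.append(("customers", row["id"], field))
    for row in orders:
        for field, value in row.items():
            if value in original_values:
                leaks.append(("orders", row["order_id"], field))
    return leaks


if __name__ == "__main__":
    before = {v for k, v in CUSTOMERS[0].items() if k in PII_PLACEHOLDERS}
    customers, orders, audit = handle_erasure_request(42, CUSTOMERS, ORDERS)
    print(audit)
    print("remaining PII locations:", residual_pii(before, customers, orders))
    print("order history kept:", [o["total"] for o in orders if o["customer_id"] == 42])
```

The residual check is the part worth keeping in a real system: run it with the values captured before the overwrite against every store that holds customer data (including restored backups), and treat a non-empty result as an incomplete erasure.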
The GDPR requires that your organization have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, you have a legal obligation to report a breach of identifiable data within 72 hours.
Timing is Everything
Officially, the GDPR takes full effect on May 25, 2018. If you feel that your organization must comply with these new regulations, please contact SiteCrafting as soon as possible to discuss a plan for bringing your site into compliance.