Preparing for the General Data Protection Regulation

Strategy
Mark Neidlinger (SiteCrafting)
03/01/18


The European Union has passed a set of regulations that may affect your website. This new regulation, called the General Data Protection Regulation (GDPR), dictates how and when you can store data about website visitors and applies to all companies processing the personal data of subjects residing in the European Union.

Whether or not your website will be required to comply with these regulations is a decision you will need to make (perhaps with consultation from your legal team) based on the reach of your website and who you market to.

There are a number of areas that are affected by the GDPR, and we’ve listed them below in their simplest form, along with possible solutions.

Provable Consent

We have all seen the checkboxes that are pre-checked for you to receive a newsletter when you are purchasing a product online. That is no longer acceptable under GDPR. Signing up for communications (or any other data processing) must be specifically opt-in and you must be able to verify that the consent was given by the user.

In addition, visitors must be able to withdraw consent at any time (i.e. there must be an easy way to unsubscribe).
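As an added illustration (not SiteCrafting's code), the following Python sketch shows what "provable" consent looks like in data terms: an append-only ledger where each opt-in stores who consented, to what, when, on which form, and the exact wording shown, and where a withdrawal is recorded as a new event rather than by deleting the old one. It refuses to record a pre-checked box as consent. Class and field names, and the sample email addresses, are assumptions for this example.

```python
"""Added example: an append-only consent ledger demonstrating opt-in consent
that can later be verified, plus withdrawal. Not from the original post;
all names and the sample data below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject: str          # identifier of the visitor, e.g. their email address
    purpose: str          # what the consent covers, e.g. "newsletter"
    granted: bool         # True = opt-in, False = withdrawal
    timestamp: datetime   # when the visitor acted (UTC)
    source: str           # where it was collected, e.g. "checkout form v3"
    evidence: str         # exact wording the visitor agreed to, or how they withdrew


class ConsentLedger:
    """Events are only ever appended. Current consent state is derived from the
    log, so you can always show the event that proves consent was given."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, subject: str, purpose: str, source: str,
                      wording: str, checkbox_checked_by_user: bool) -> ConsentEvent:
        # A pre-checked box is not consent under GDPR: only an affirmative
        # action by the visitor is recorded.
        if not checkbox_checked_by_user:
            raise ValueError("consent must be an affirmative action by the visitor")
        event = ConsentEvent(subject, purpose, True,
                             datetime.now(timezone.utc), source, wording)
        self._events.append(event)
        return event

    def record_withdrawal(self, subject: str, purpose: str,
                          source: str = "unsubscribe link") -> ConsentEvent:
        # Withdrawal is appended as its own event; the original opt-in stays
        # in the log so the history remains auditable.
        event = ConsentEvent(subject, purpose, False,
                             datetime.now(timezone.utc), source, "withdrawn")
        self._events.append(event)
        return event

    def has_consent(self, subject: str, purpose: str) -> bool:
        """The most recent event for (subject, purpose) decides; no event at all
        means no consent (silence is not opt-in)."""
        for event in reversed(self._events):
            if event.subject == subject and event.purpose == purpose:
                return event.granted
        return False

    def proof(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        """The event you would produce to show that consent was given and is
        still in force; None if consent was never given or was withdrawn."""
        for event in reversed(self._events):
            if event.subject == subject and event.purpose == purpose:
                return event if event.granted else None
        return None


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample: a visitor ticks the (unchecked by default) box.
    ledger.record_opt_in("visitor@example.com", "newsletter", "checkout form v3",
                         "Yes, email me product news", checkbox_checked_by_user=True)
    print("has consent:", ledger.has_consent("visitor@example.com", "newsletter"))
    print("proof:", ledger.proof("visitor@example.com", "newsletter"))
    ledger.record_withdrawal("visitor@example.com", "newsletter")
    print("after withdrawal:", ledger.has_consent("visitor@example.com", "newsletter"))
```

Before sending any marketing email, the sending code would call `has_consent` and keep the `proof` event alongside the send record. Storing the wording shown at sign-up matters because a consent record that cannot say what the visitor agreed to is hard to defend later.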

Privacy Policy

Another key part of the GDPR is the clear and detailed description of your organization’s privacy policy. Most sites have a “privacy policy” or “disclosures” link in the footer, and, while that is a great start, greater attention must be paid to the content of the written policy.

Your policy should include exactly what data you collect about visitors (e.g. IP address, contact information, etc.), who you share it with, and what you use it for. Additionally, you should include some method for visitors to request a copy of the data you collect about them, as well as a method to request the removal of their personal data from your systems.

Delete Me

Under the GDPR, a visitor has the right to request the erasure of their data. This means that if an individual asks you to remove their data from your systems you have to comply, including all current records, backups, and anything else that references their personal data.

We don’t recommend the complete removal of all data, as that may affect order history, inventory, etc. However, if a request is made, we might suggest overwriting any of the visitor’s personally identifiable information, like their name, address, or phone number, with stock pseudo-data (e.g. John Doe, 1234 Street, etc.).
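To make the overwrite approach concrete, here is an added Python example (not SiteCrafting's code) that handles an erasure request by replacing a customer's identifying fields with stock values while leaving order history, totals and SKUs intact, and then verifies that none of the original values survive anywhere in the record, including copies nested inside orders or free-text notes. The record layout, the set of fields treated as PII, the stock values and the sample customer are all assumptions constructed for this example.

```python
"""Added example: pseudonymizing a customer record for a GDPR erasure request.
Not from the original post; field names, PII list and sample data are assumed."""
from typing import Any, Dict, Iterator, Set

# Which keys count as PII is an assumption here; a real system should take the
# list from the data inventory documented in its privacy policy.
PII_FIELDS = {"name", "email", "phone", "address", "ip_address"}

# Stock pseudo-data in the spirit of "John Doe, 1234 Street".
STOCK_VALUES = {
    "name": "John Doe",
    "email": "erased@example.invalid",
    "phone": "000-000-0000",
    "address": "1234 Street",
    "ip_address": "0.0.0.0",
}


def pseudonymize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `record` with every PII field replaced by stock data.
    Nested dicts and lists (e.g. a shipping block inside each order) are
    walked too, so identifying data copied into orders is overwritten as well.
    Non-PII fields such as order ids, totals and SKUs are kept unchanged."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in PII_FIELDS:
            out[key] = STOCK_VALUES[key]
        elif isinstance(value, dict):
            out[key] = pseudonymize(value)
        elif isinstance(value, list):
            out[key] = [pseudonymize(v) if isinstance(v, dict) else v for v in value]
        else:
            out[key] = value
    return out


def _collect_pii(obj: Any) -> Set[str]:
    """Gather the string values stored under PII keys anywhere in the record."""
    found: Set[str] = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in PII_FIELDS and isinstance(value, str):
                found.add(value)
            else:
                found |= _collect_pii(value)
    elif isinstance(obj, list):
        for value in obj:
            found |= _collect_pii(value)
    return found


def _walk_strings(obj: Any) -> Iterator[str]:
    """Yield every string value in the record, whatever key it sits under."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _walk_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk_strings(value)
    elif isinstance(obj, str):
        yield obj


def leaks_pii(erased: Dict[str, Any], original: Dict[str, Any]) -> bool:
    """Post-erasure check: True if any PII value from the original record still
    appears (even as a substring) anywhere in the erased copy. This catches
    the common failure mode of a name typed into a free-text notes field."""
    pii_values = _collect_pii(original)
    return any(p in s for s in _walk_strings(erased) for p in pii_values)


# Constructed sample customer; not real data.
CUSTOMER = {
    "customer_id": 1042,
    "name": "Alice Example",
    "email": "alice@example.com",
    "phone": "555-0100",
    "address": "12 Example Road",
    "orders": [
        {"order_id": "A-1", "total": 49.99, "sku": "WIDGET-3",
         "shipping": {"name": "Alice Example", "address": "12 Example Road"}},
    ],
}


if __name__ == "__main__":
    erased = pseudonymize(CUSTOMER)
    print(erased)
    print("still leaks PII:", leaks_pii(erased, CUSTOMER))
```

The verification step is the part worth copying: the overwrite itself is easy, but the GDPR obligation covers "anything else that references their personal data", and a name pasted into an order note or a support ticket is exactly what a key-based overwrite misses. Running `leaks_pii` on the result turns that gap into a visible failure instead of a silent one.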

Breach Notifications

The GDPR requires that your organization have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, you have a legal obligation to report a data breach (of identifiable data) within 72 hours.

Timing is Everything

Officially, the GDPR takes full effect on May 25, 2018. If you feel that your organization must comply with these new regulations, please contact SiteCrafting as soon as possible to discuss a plan for bringing your site into compliance.