As our friends/overlords at Facebook would be quick to inform us, digital privacy is one of the biggest issues we face today. After spending decades mindlessly checking boxes that shared personal information with all manner of organizations, consumers are starting to realize that giving someone eternal access to their personal information in exchange for insight into what dessert they are was perhaps not an entirely fair exchange. Well, now the hammer is coming down on businesses and data. Set your eyes on May 25 of this year, when the General Data Protection Regulation (GDPR), created by the European Commission, is set to take effect.
Although GDPR covers a wide range of regulations and can seem complicated, it’s really all about maintaining user control of personally identifiable information (PII). Here are three major aspects of GDPR that you, and your North American business, need to keep in mind as you work towards GDPR compliance…and a few resources to help you on your way.
(Extremely Obvious Disclaimer: Not only am I not your lawyer, I’m not a lawyer at all. This blog post isn’t intended to serve as legal advice. Also, as a rule, don’t take legal advice from web strategy blog posts at any time.)
1) All European Union Citizens Own Their Data
GDPR is very clear that EU citizens own their personal information. Because they are the “owners,” GDPR requires that users opt in to allow specific uses of any personal data. This is a departure from the opt-out options you commonly see today. Furthermore, it’s up to the company to clearly inform users of what exactly their personal information will be used for. Take special note of the word “clearly” in the previous sentence. Companies need to use clear, everyday language when obtaining user consent. Fine print and legalese aren’t going to cut it! Finally, EU citizens must be able to revoke access to their information just as easily as they granted it.
2) EU Citizens Have the Right to be Forgotten
Since EU citizens aren’t giving you their data (they’re only licensing it to you), they retain the right to revoke that license easily and quickly. Your privacy policy will need to spell out exactly how users can remove their PII from your database. Also, even if your users don’t revoke your access to their PII, the onus is on you as the organization to keep their information no longer than the minimum time necessary. So, sorry guys, no holding onto data for decades without permission!
3) You Probably Need to Update Your Privacy Policy (and your internal procedures)
Do you currently have a privacy policy for users to access on your website? Is it something that you created when you first launched your website and haven’t given a second thought to since? Well, it is time to give some serious thought to that sucker. GDPR requires a legal reason to collect and store data, and your privacy policy is where you’ll communicate that reason to your users. Furthermore, it’s your responsibility to implement internal procedures and safeguards to ensure that you are protecting your users’ PII to the best of your ability. Your privacy policy will inform EU citizens of their rights, how your organization will use their data, and how your organization will keep their data safe, while your internal procedures will make sure you’re following through on your end of the deal. One last, very important note: you’ll need to update your policy whenever you make changes to your site. Found an awesome new online tool? That’s fantastic! Better get to updating that policy…
4) And Now Some Resources
“But my business isn’t in the EU!” you exclaim whilst hoarding PII from 15 years ago. I hate to be the one to break it to you, but any business that collects information from EU citizens must be GDPR-compliant. And, for those of you plugging your ears and ignoring me, ignorance of the law is not a viable defense. Plus, chances are good that similar rules will start popping up on this side of the pond sooner rather than later…and wouldn’t it be nice to be ahead of the curve? If you’re ready to get GDPR-compliant but aren’t sure where to start, here are some resources to help you along the way:
- GDPR: Act Now Before It’s Too Late: This article provides an excellent overview of GDPR and includes a useful checklist for any business owner trying to determine whether they are GDPR-compliant.
- WP GDPR Compliance, Cookie Notice by dFactory, GDPR: This trio of WordPress plugins does an admirable job of covering all the major GDPR bases to get your website GDPR-compliant.
- iubenda GDPR guide: iubenda provides an exhaustive explanation of the nuances of GDPR compliance and can also assist you in generating a new privacy policy for your own website.
Hopefully, if you’re reading this, you’re ready to make the transition to GDPR compliance. If you’re not, what is holding you back? Is it that you’re starting to realize that keeping up with the ever-changing regulations, standards, and policies surrounding your website is more than you can handle right now? Or, are you realizing that your website needs more than a new privacy policy to compete?