What is GDPR and does it apply to your website?

May 25, 2018 is the deadline for compliance with the European Union’s “General Data Protection Regulation (GDPR)”.

Do USA websites have to comply with GDPR requirements?
Yes, if you collect data from European Union citizens.
Examples: eCommerce websites, contact forms and online comments that are used by EU citizens.

What is the GDPR?
A regulation governing the collection of personal data and the processing of that personal data.
The aim of the GDPR is to give citizens of the EU control over their personal data and change the approach of organizations across the world towards data privacy.

What is Personal Data?
Personal data pertains to “any information relating to an identified or identifiable natural person” – like a name, email, address or even an IP address; it is safest to assume that any piece of data can be considered personal data.

What is processing of personal data?
Processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user.

Who does the data belong to?
The person it identifies.

How to comply with GDPR requirements
Where do you collect personal data?
— Website Contact Forms
— Website Post Comments (if personal data is required to submit a comment)
— Email Signup Forms
— eCommerce

Requirement: Tell the user who you are, why you collect the data, for how long, how it is stored, who receives it, how to manage it.
Solution: Have a Privacy Policy page with detailed information that can be linked to from all other website pages.

Requirement: Get a clear consent (where possible) before collecting any data.
Solution: Website Contact Forms – add a required checkbox specifying permission is being given to collect and store data supplied in the Form.
Example: add a checkbox with the text “I give Example Company my consent to collect and store the data provided in this form”. The checkbox is required, so the form will not submit until it is checked (do not pre-check the box).
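An added example (not code from the original post) of how the consent checkbox above can be enforced: the markup starts unchecked and is marked required, and the server re-validates the submission because browser-side `required` can be bypassed. The field names, `Example Company` wording and the `validateContactSubmission` function are assumptions for illustration.

```javascript
// The exact wording shown beside the checkbox. Keeping it in one place means the
// Privacy Policy and the forwarded consent record quote the same text.
const CONSENT_TEXT =
  "I give Example Company my consent to collect and store the data provided in this form";

// Browser-side markup. No `checked` attribute, so the box starts empty;
// `required` stops the browser submitting until it is ticked.
const CONSENT_FIELD_HTML =
  `<label><input type="checkbox" name="consent" value="yes" required> ${CONSENT_TEXT}</label>`;

// Validate one submission (field name -> string, as parsed from the POST body).
// `now` is injectable so the consent timestamp can be tested deterministically.
function validateContactSubmission(fields, now = new Date()) {
  const errors = [];
  const name = (fields.name || "").trim();
  const email = (fields.email || "").trim();
  const message = (fields.message || "").trim();

  if (!name) errors.push("name is required");
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("a valid email is required");
  if (!message) errors.push("message is required");
  // Only the literal value rendered in the checkbox counts as consent; a missing
  // field, "", "false" or any other string means the user did not tick the box.
  if (fields.consent !== "yes") errors.push("consent checkbox must be ticked");

  if (errors.length) return { ok: false, errors };

  // This object is what gets forwarded by email (nothing is stored on the web
  // server): the message plus a record of the exact text agreed to and when,
  // so the consent can later be shown or withdrawn.
  return {
    ok: true,
    submission: {
      name, email, message,
      consent: { text: CONSENT_TEXT, givenAt: now.toISOString() },
    },
  };
}
```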

Requirement: Let users access their data, take it with them or delete it.
Right to Access, Right to Be Forgotten and Data Portability
— The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where these data points are being processed and stored, and the reason behind the collection, processing and storage of the data. Users must also be provided with a copy of their data.
— The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
— The data portability clause of the GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.
Solution: Do not store data on the web server. Have contact forms sent directly to an email address. Note: you still need to detail in the Privacy Policy how the data is stored remotely. Otherwise, you need to provide users with access to their data and a way to change or delete it. Depending on how data has been collected in the past, this could be the most challenging item to solve.

Requirement: Let users know if data breaches occur. (Businesses are required to monitor the security of their website.)
Solution: WordPress websites: use a security plugin such as Wordfence to receive notification of a breach, then send out the relevant notification to users (this requires a list of user email addresses).

Potential Liability if not in Compliance?
Not complying can result in administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

More Information
Infographic: http://ec.europa.eu/justice/smedataprotect/index_en.htm