Updated 5/15/18, added link to Guide to the General Data Protection Regulation (GDPR) (ico.org.uk)
On May 25th, the General Data Protection Regulation will be fully in effect and enforceable. This regulation protects European Union (EU) citizens’ personal information by giving them the right to control that data. With all the recent concerns over data privacy, everyone should be aware of the GDPR and how it can affect you (and your website), even if you’re not an EU citizen.
We’ve compiled answers to some common questions, but we recommend that you research on your own. A quick disclaimer to avoid giving our lawyers heart attacks: We are not lawyers and this information does not qualify as legal advice. This information is intended to give you a head start on being informed.
Also called information privacy or data protection, data privacy is the term used to describe how information is collected and distributed, and the legal ramifications attached. Anytime you give a website your personal information, data privacy laws protect and regulate how that information is handled.
From now on, any EU citizen has the right to access the personal information they’ve provided to any website, and to request that this data be removed from storage. This is great news for all of us, since sites that comply for EU citizens will often extend the same treatment to every visitor. However, if you own a website, you’ll need to make sure that all your ducks are in a row to avoid some potentially hefty fines.
In short, yes. If your website is targeted to an international audience that includes the EU, then compliance is an absolute must. Even if it isn’t, the regulation is extraterritorial in scope, meaning it can be enforced to protect EU citizens even if your company (and website) is based elsewhere. It’s questionable whether this applies if you only do business in the US or with countries outside the EU, so it’s better to be safe than sorry.
First off, consult your legal team or seek out legal advice on how to proceed. Once again, we’re not lawyers, so all we can provide is earnest suggestions. On that note, here are a few pointers to help you get started:
Ignorance is bliss, but plausible deniability won’t cut it. You probably already know what personal information your website explicitly requests (on contact forms, newsletter sign-ups, etc.), but your site most likely collects other data in the background. If you have Google Analytics or other analytics software, such as retargeting, installed on your site, the GDPR may consider some of the data collected through these means to be personal information too.
This is good practice for any site, but it’s more important than ever. If your website has user accounts and logins, then be sure those users can delete their own account. Do you send out a regular or semi-regular email newsletter? Don’t forget to provide a link for recipients to unsubscribe. And as we mentioned above, give visitors a way to submit a request to have their account data deleted on their behalf, along with any other data that your website may have collected about them.
All the information above may feel negative, but there’s a silver lining to all this. By being aware and considerate of your visitors’ privacy rights, you’re contributing to a better and safer internet. Everyone deserves to know that their private data stays private, and the GDPR is just one step of many towards protecting user rights.
Want to know more? Check out these links for more information on the GDPR and how other companies are keeping you safe: