If you have a website or in anyway collect data, I am sure you have heard of GDPR. That term is being thrown around in the Media and likely you have been bombarded by emails concerning its implications. Much of the talk and information that I have seen and heard regarding GDPR, is simply not true. Then what exactly is GDPR?
What is GDPR?
GDPR stands for General Data Protection Regulation, which is a new consumer data protection framework that has gone into effect in Europe. GDPR is concerned with ensuring that organizations have a legitimate, legal purpose for the collection and processing of personal data. It effectively will change how companies handle consumer privacy and give people rights to their own stored data.
GDPR is a series of European laws setting out the digital rights for citizens of the European Union. It builds on an earlier policy, called the Data Protection Directive, which Europe adopted in 1995. Many of the ideas outlined in GDPR came from the earlier regulation, and an even older set of principles called the Fair Information Practices, which covers the ways consumer information should be used. While at its core it’s a data privacy law, it also gives people the right to ask for their own data as well as the ability to find out how their data is being stored. Under GDPR you have to clearly explain (i.e. no Legal ease is allowed) how data is stored and used. Additionally, permission must be obtained from the owner of the information before such information is collected.
This is a European Law; how does it impact American Businesses?
Currently GDPR only applies only to EU citizens, however it is applicable to any website that collects personal data on EU citizens. This means if an EU visitor stumbles upon your site and you are using cookies or collect data through a webform then your site is subject to GDPR and your company needs to comply. Any sales, marketing or advertising that involves personal data of an EU citizen falls under the GDPR.
What are the GDPR Penalties?
The GDPR introduces new requirements for companies in several key areas:
Right to data access. EU citizens have the right to request and receive detailed information on what data your company possesses on them, where that data is stored and how it’s utilized.
Data portability. EU citizens have the right to ask that your company transmit their data to another company, making it easier for them to switch to a competing service or product provider.
Right to rectification. EU citizens have the right to change any incorrect information about themselves that is stored and accessed by a data controller.
Right to be forgotten. EU citizens can demand you all their information you company has on them be deleted (called “data erasure”) and revoke any consents they might have given you previously.
Breach notification. Data controllers and processors are required to notify EU citizens within 72 hours of a data breach that might compromise their privacy.
GDPR fine can be heavy and it depends on the infractions. The fines are administered by the individual member state supervisory authorities. They look at the following criteria to determine the fine:
- Nature of infringement – how many people are affected and the damages they suffered
- Intention – was the infringement negligent
- Mitigation – actions taken to mitigate damage to data subjects
- Prevention measures
- History – past infringements of GDPR
- Cooperation – how cooperative has the firm been with the supervisory committee
- Data Type – the types of data infringed upon
- Certification – Has the firm attained any GDPR certifications or awards
- Other – other mitigating factors in the data breach
GDPR fines can differ based on the circumstances above. GDPR fines can, on the low end, be up to 10 million euros or 2% of previous years worldwide revenue, whichever is greater. On the high side it would be 20 million euros or 4% of the firm’s previous year’s worldwide revenue, whichever is greater.
How do I prepare my website?
So how do I prepare my website for GDPR standards? First you should ask yourself a few data privacy questions:
- Do any visitors you are collecting data from reside in the EU?
- Do you have a data breach notification process?
- Have you given your website visitor the right to refuse the collection of personal information?
- Have you given your website visitor the right to access their information?
- Do you have a process for erasing a visitor’s data at their request?
- Is the data you hold onto to process absolutely necessary?
Now that you have asked and answered those questions here is what you can do to comply. If you don’t need or want to market to EU residents you can block an EU ip address from visiting your site. That is one step, but generally not the one taken, because EU residents seeing your website can often be very beneficial. One thing you can do is separate or segment out your database for EU and non-EU customers. This would separate out your database for email automation, CRM and digital advertising. This can get real complicated for large companies. However, for small to medium size companies that mainly use the web for informational purposes or sell products only in the United states (which compose my client base) these are the steps that need to be taken.
- If you are using cookies for any data collection, and let’s face it, most companies use such for analytics or advertising, then you need to place a cookie acceptance warning on your website.
- If you are collecting any personal information and are not using it or have no purpose for it, then delete the information
- Let the customer know how to contact you
- Tell the client what data you keep and why
- Let the client know about any 3rd party programs that may collect data
- Tell your visitors how to request their own personal data
- If you are collecting leads from forms that you control, use the double opt in process
- Does your forms collect personal data, make certain that consent is obtained from the EU visitors regarding the submission of their information.
- Make sure all marketing materials have opt out methods
Are GDPR and PCI DSS the same?
These two data security standards are very different and have separate compliance standards. However, if you are PCI Compliant you are on your way to being GDPR compliant. PCI Data Security Standard is the protection and security of cardholder data. If you are subject to PCI compliance, then that data is also subject to GDPR for EU residents. PCI is detailed and focuses on the encryption and safe handling of only credit card data. GDPR focus on personal information that can be used in analytics, web forms, or any type of advertising.
Do you need to become GDPR compliant?
If you want to make your website GDPR compliant please give Site Ascension a call or fill out our contact form. We can get your site in compliance with GDPR quickly.