The EU’s GDPR (General Data Protection Regulation) is coming up pretty quickly. May 25, 2018 will be here before you know it. This law was actually approved back in April 2016, but it had a grace period of two years before it went into full effect. Trying to understand all of the information out there, with its 11 chapters and 99 articles, is much like trying to understand tax law. Most of the time it leaves you cranky and your head throbbing.
The quick rundown of GDPR
- Identifiable data is protected. Any data that can be used to identify a visitor falls under the GDPR. This includes, but is not limited to, name, email address, sex, race, age, address, phone number, and birth date.
- It requires that consent is given. If your opt-in box is checked by default, you need to change it so it is unchecked by default.
- Parental consent will be required to process any and all personal data of children under the age of 16. This age can vary per EU member state (country), but it will not be below 13.
- It gives the visitor the right to know what information is being stored about them and why it is being stored.
- It gives visitors the right to have their information removed at their request.
- If any data is ever lost, stolen, or accessed without permission, the authorities must be notified within 73 hours of the breach becoming known, along with every single person whose data was accessed.
- Any new site must be built with privacy in mind. Data collection should be strictly controlled, and data should only be requested when required.
- Data can only be used for the reason it was given at the time it was given. Then it must be securely deleted when the data is no longer needed.
- A visitor can request their information at any time, transfer that data, or have it removed.
- It also allows national authorities to impose fines on companies breaching the regulation.
While this is an EU law, it affects every single person on the web in one way or another. For all of us in the United States who feel that the GDPR does not apply to us, the first thing you need to know is that if your site has a form, e-commerce, a blog subscription, comments, or even a contact page, you will need to make your site GDPR compliant. If your site can be reached by someone in the EU and it is collecting any type of information, that means you! Also, please do not consider just blocking EU IP addresses, as that does not really work either. With the help of VPNs, your site can still be accessed from the EU and still falls within the scope of the GDPR. If you fail to comply, the EU can fine you up to €20 million per infringement or up to 4% of annual worldwide turnover. That can put a small site/business out of business.
What you can do to become GDPR Compliant
First things first, please take a look at the information you are collecting. Inspect your forms, checkout pages, comments, Google Analytics, IP addresses, etc. Make sure you cover all the ways you collect information in your Privacy Policy.
Now, most of you already have a Privacy Policy on your site, or at least I hope you do. You can find my standard one here. I now have two, though; the other is the GDPR-compliant Privacy Policy. Please make sure you review your Privacy Policy to ensure it is compliant.
If you have any opt-in boxes or forms with boxes, you must ensure that they are UNCHECKED by default.
Another item that all sites will need is a Data Viewing and Removal option for visitors. You can find mine on the GDPR Personal Data page. A visitor to your site will then be able to view and remove their data from your site at any time.
If you have questions, talk to a lawyer. Find one that is well versed in GDPR. In the long run, it is always better to pay a lawyer a few hundred dollars than possibly millions in fines.
Tools to make compliance easier
In my research of how to handle the GDPR changes for my clients, I have found two options to assist in being GDPR compliant.
First, if you do not have a Privacy Policy on your site and you have no idea where to start, then I suggest this plugin: GDPR Framework. The first thing I noted with this plugin is that your server must be on at least PHP version 7.0. It is very easy to set up and gives you a compliant Privacy Policy. It is what I used to build the GDPR-compliant Privacy Policy I have on Can’t Speak Geek. It also has the data removal form built in. You will need to create both pages (the Privacy Policy and the removal form page), but GDPR Framework will build the content for you. The data removal tool is automatically built via a shortcode.
If you already have a rockstar of a Privacy Policy and just need the data request and tracker, then I suggest using the plugin GDPR Compliance. It seems to be the most stable and is well supported. Its UI is very user-friendly, and it will scan your site for any items that need attention to be GDPR compliant. The plugin currently supports Contact Form 7, Gravity Forms, WooCommerce, and WordPress Comments, and they claim on their site that more will be supported at a future date.
Both plugins are free in the WordPress plugin repository and easy to configure. Please do your due diligence before choosing any option to become GDPR Compliant.
TL;DR: Get your website ready for GDPR. If you have questions, ask someone. Don’t just sit back and do nothing. It could become a very costly issue.
DISCLAIMER: Using my guide does not guarantee compliance with the GDPR. This post gives you general information and ideas, but it is NOT meant to serve as a complete compliance package. Compliance with the GDPR is a risk-based, ongoing process that involves your whole business. Can’t Speak Geek is not liable for any claim or action based on any information or functionality provided by this post or this website.