And What Does it Mean for Your Website?
You may have noticed a lot of updates to your favorite apps and websites in the past year. Companies are revising their privacy policies and adding opt-in buttons on their sites explaining how visitor data is used. Many note that they are changing policies to comply with GDPR. But what does that mean?
GDPR is the General Data Protection Regulation. The European Union (EU) passed the regulation in 2016, and it went into effect in May 2018. The regulation is designed to protect EU residents’ personal data. It gives users more control over how their data is used and what companies with access to user data can do with that information.
What does this mean for your US-based company and website? While GDPR is not a US regulation, if there is any chance you’ll collect data from an EU resident you need to comply with GDPR or risk stiff penalties.
GDPR contains many provisions, and the EU has a website explaining the regulation: https://eugdpr.org. Among the changes are the right to be forgotten, allowing a user to request their information be purged and breach notification requiring companies to notify users whose information is stolen within 72 hours.
Ready to tackle GDPR? Below are four steps to make your website compliant.
1. Understand how your tools collect and use data
If you collect data from EU residents (or haven’t yet but certainly could), find out where you’re storing personal data. Review third-party sites you utilize for things like hosting or ecommerce and check their data policies. Most large companies like Google Analytics and MailChimp have already worked to become GDPR compliant.
Investigate your user data processes by asking questions like: Where is user data stored? How long is it kept for? Is it safe?
2. Create or review data collection processes
Once you have a picture of your data collection, document a clear policy that lets users know how their data is collected and used. If a customer asks about how his data is used you need to be able to answer clearly, or better yet point him to a policy posted publicly on your website. If the customer asks his data be handled differently, or purged completely, you need to have a process in place to do so.
3. Revise your privacy policy
Anyone collecting customer data should have a privacy policy available on their website – if not, you should add one ASAP regardless of whether your customers are in the EU. There are free templates available online to create your own, but consulting with a lawyer is always a safe bet to ensure a strong and accurate policy.
A good privacy policy should state:
- What information your company collects, such as personal information, user analytics or cookies.
- How your company uses user information, such as ecommerce transactions, customer service, marketing newsletters or data given to third-party companies who need customer analytics to provide services like marketing.
- The user’s rights to her data, and how she can have her data removed.
- Your contact information for users with data privacy concerns.
4. Create a data breach plan
If your data is ever compromised, you need a plan in place to quickly protect your customers and maintain their trust. How will you contact your customers? What steps do they need to take to protect themselves (e.g. change password, watch for credit card fraud)? Which third-party vendors do you need to contact to fix the breach?
At IDMI.Net we are committed to creating websites that protect user privacy and keep business compliant with standards and regulations. GDPR is the most significant data privacy regulation in 20 years, and we’re here to help you update your website to best serve your audience. For more on improving your website’s data privacy, contact us today.