GDPR, the General Data Protection Regulation, went into effect on May 25, 2018. Even though this regulation was created in and mainly for people in the European Union (EU), it has effects worldwide. If you conduct business online, EU citizens may interact with you, whether it’s on your website, on social media, via newsletter, or through any other online channel.
You are responsible for providing those protections to EU citizens regardless of where your own business is located. The penalties for non-compliance can be huge: up to 4% of worldwide turnover or 20 million Euros (whichever is greater).
Because the law has several requirements, we’ve created this FAQ to help businesses stay GDPR compliant.
When does GDPR take effect?
GDPR is effective as of May 25, 2018. The law was actually passed in 2016, so individuals and businesses who say “I didn’t know about this” will not likely get a pass.
What is the point of GDPR?
GDPR is intended to give users easier control over their personal data. In this day and age of hackers and breaches, a simplified code for managing information should help.
How is GDPR good for business?
Before GDPR, there were multiple, differing standards for privacy and data management across companies. By streamlining the rules, the commission writing the regulation aimed to reduce compliance costs (and headaches) for businesses.
What does GDPR require of my business?
There are several requirements that your website should have:
- terms of service, written in straightforward language, with opt-in settings for EU citizens
- the “right to be forgotten” or data deletion option
- access to a report on all data your company collects (each person can request their own data only)
- a plan to report any data breaches to all users
- a mechanism to rectify any data inconsistencies
Who does GDPR apply to?
GDPR applies to any organization operating in the EU, and any organization which offers goods or services to customers or businesses in the EU.
What is personal data?
Under the old regulations, personal data meant name, address, and photos. Under GDPR, personal data also means email address, IP address, genetic data and biometric data. Here is the official definition: “‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”
What are the possible penalties?
Penalties can be as high as 20 million Euros or 4% of worldwide turnover. You can incur penalties if:
- you fail to report a data breach
- you ignore customer requests for data
- you fail to put procedures in place to protect data
- you transfer data internationally without authorization
- you fail to get proper consent to collect data on users
This is not an exhaustive list, but you get the idea.
I don't serve EU customers. Why should I care about GDPR?
GDPR is a big deal because it is such a game-changer. You can choose to turn EU visitors away from your website. It’s our guess, though, that similar protections will eventually become the standard (if not the law) worldwide. The sooner you are compliant, the easier your data management processes can be.
Okay, I want my company to be compliant. Where do I start?
A good place to start is appointing someone to be the data controller for your company. This individual will make sure that the plan is in place and will regularly monitor data handling and management. You should also designate the processor, the individual or company that processes the data.
What is the difference between a controller and a processor?
A controller is the person who “alone or jointly with others, determines the purposes and means of processing of personal data”. The processor is the “person, public authority, agency or other body which processes personal data on behalf of the controller”.
What should I do after I have determined the controller and processor?
Are there any special rules for handling breaches?
You must notify all affected users individually via email, and this must be done within 72 hours of discovering the breach.
What should be in a breach notification?
You should describe the breach. What categories of information were compromised? State how many individuals were affected and the approximate number of records that were breached. Include a description of the possible consequences of the breach. Then describe what measures are being taken to deal with it. Also provide contact details for your data protection officer, or the person in charge of managing the breach.
Wait, what? A data protection officer?
If your business carries out “large-scale processing of special categories of data, carries out large-scale monitoring of individuals such as behaviour tracking or is a public authority”, then you need to appoint a data protection officer. Failure to do so can be considered non-compliance.
This isn’t mandatory if you don’t deal with the special categories of data, but depending on the size of your organization, it may be a helpful step.
What do I need to do for existing users?
If you have any concern that you weren’t compliant when you collected individuals’ data (name, email address, other identifying details), then it may be wise to send out an email asking them to opt in again.
That's a huge job. Do you have a way to help?
If you have a WordPress site, we can help! We can add the software to your site to make sure you have the basic protections in place for your users and your business. See our sales page to learn more about what we offer.
I have a WordPress site. Can you help?
Yes! We have a solution to make life easier for WordPress site owners. See this page for more information.
I have a Wix site. How do I make that compliant?
Wix has a help page here. Follow these directions to gain GDPR compliance. We are looking into solutions for non-WordPress sites.
Did we answer your questions? If not, please use the contact form below to ask. We’ll answer you directly and add the answer to this page so that other business owners can have the information as well.