Most of us think about GDPR the way we think about most abbreviations, that is to say, not at all. Abbreviations always have a negative consequence; even BYOB means you have to pay for the beer yourself. I’d been happily ignoring GDPR for a while now, much like the rest of the online community, until I saw a great presentation on it at my local WordPress meetup. I’ve combined a number of those takeaways into one top-level GDPR checklist to help you decide whether you should care about GDPR.
If you’re not entirely sure what GDPR is, you can either check the Wikipedia entry or the EU’s official GDPR website. In a few words, it’s the General Data Protection Regulation, an EU law that has applied since 25 May 2018 and regulates how organizations (websites very much included) may collect and process personal data, whether it’s your email address, your political affiliation, your IP address, or your rant-filled comments at the bottom of someone’s blog post. If you own a website, you now have legal requirements covering how you collect, store and secure that data, what you tell your visitors about it, and what you do when a visitor asks to see it or have it deleted.
I should state upfront that this is a very basic rundown of GDPR and should not be taken as legal/business advice. This is just a starting point for the research you should hopefully be doing for your own business, if your business relies on the internet for revenue.
Could I be affected by GDPR?
First, let’s look at three basic questions that determine whether or not GDPR could apply to you at all.
Do I have a website or an email list?
This should go without saying, but this checklist is for organizations that run their business on computers. Strictly speaking, the GDPR also covers paper records kept in a structured filing system, but if you’re still doing everything by pencil-and-paper or stone tablets, none of the website questions below apply to you and you can walk away.
Could someone from the EU land on my website?
The first myth about GDPR is that it only affects businesses located in the EU. The truth is that the GDPR applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour (Article 3(2)), and regulators treat tracking visitors with analytics or advertising cookies as monitoring. So even if you’re located in the United States, if people in the EU visit your website and you collect their data (maybe they fill out a newsletter subscription form, maybe Google Analytics simply logs their visit), you are expected to follow the GDPR.
More importantly, you are open to complaints filed with EU data protection authorities and to civil claims from individuals or from the privacy groups that represent them. So unless you’re completely geo-blocking all traffic from the EU (which is still not a foolproof strategy, since visitors use VPNs and IP geolocation is imperfect), you should consider yourself under the umbrella of the GDPR.
Do I collect information from visitors?
Do you have a contact form, a newsletter subscription, an online shopping cart? Those are the obvious ways you collect data on your visitors, but there are less obvious ways as well. Do you have Google Analytics or a similar service monitoring traffic? Are you using Jetpack to track site visits? Do you embed ads or third-party content like YouTube videos? Each of those loads something from another company’s servers, which means that company sees the visitor’s IP address and usually sets its own cookies. There are many ways you could be collecting information from your site guests.
We’d like to believe that things like Google Analytics don’t count because Google is doing all the work, but if you own the website, you are the data controller: you chose to put the tracker there, so you are responsible for informing your visitors about all the data being collected, including by your third parties (Articles 12 and 13). And while we’d all like to believe that Google Analytics is anonymous, the truth is a lot of personally identifiable data is getting collected, and the GDPR explicitly treats online identifiers such as IP addresses and cookie IDs as personal data (Recital 30).
Am I taking basic precautions?
Chances are you answered yes to those first three questions in our GDPR checklist, in which case you are affected by GDPR and are at risk if you don’t follow it to the best of your ability. Fines for non-compliance can reach €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83), and as mentioned before, this applies to organizations outside the EU too. Here are a few basic precautions you could be taking.
Is my site served over HTTPS?
One of the major areas GDPR covers is data breaches: you must protect personal data with security appropriate to the risk (Article 32), and if it is breached you generally have 72 hours to notify the supervisory authority (Article 33). What would happen if all those email addresses or analytics you’ve been capturing got stolen and released online? It may not seem like you’d be a target, but even small sites are hit constantly by bots trying to break in. Serving your site over HTTPS (TLS, still commonly called SSL) is a no-brainer, especially now that certificates are free from Let’s Encrypt: it stops anyone on the network between your visitor and your server from reading or tampering with form submissions, logins and cookies. Be clear about what it does not do, though. HTTPS protects data in transit; it does nothing for a database copied off a server through an outdated plugin or a guessable admin password. For that you need to keep the site and its plugins updated, use strong credentials, and collect only what you actually need.
Am I clear with my visitors about what data I’m collecting and what I’m doing with it?
This is the core of GDPR: respect privacy and don’t lie to your visitors. Don’t hide things from them. Don’t add them to your newsletter without their explicit permission, and remember that under GDPR consent has to be a clear affirmative action, so a pre-ticked box or silence doesn’t count (Recital 32). Don’t collect more data than you need (data minimisation, Article 5). Don’t store their personal information on an insecure site.
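Here is one way to put the last two points into practice on a WordPress or any other site: the third-party trackers from the “Do I collect information from visitors?” question are only loaded after the explicit opt-in this section asks for, and an absent, declined, malformed or stale consent record all mean “don’t load”. This is an added example, not code from the original post or from Google or Jetpack; the cookie name gdpr_consent, its JSON layout, the one-year re-ask period and the G-PLACEHOLDER measurement ID are assumptions for illustration (only the gtag.js loader URL shape is Google’s).

```javascript
// Added example (not code from the original post, nor from Google or Jetpack):
// a consent gate for third-party trackers. Nothing is loaded until the visitor
// has explicitly opted in; "no record yet", "declined" and "malformed" all
// mean no. Assumptions for illustration: consent lives in a cookie named
// gdpr_consent holding JSON {"analytics": bool, "ts": ms}, it is re-asked
// after a year, and G-PLACEHOLDER stands in for a real measurement ID.

const CONSENT_COOKIE = 'gdpr_consent';            // hypothetical cookie name
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;   // re-ask after one year
// The gtag.js loader URL shape is Google's; the ID is a placeholder.
const ANALYTICS_SRC = 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER';

// Parse a document.cookie / Cookie-header string into the stored consent
// record. Returns null for anything unusable (absent cookie, bad JSON,
// missing fields, a timestamp in the future, or a record older than the TTL),
// because an unusable record means "ask again", never "assume yes".
function parseConsent(cookieString, now = Date.now()) {
  if (typeof cookieString !== 'string') return null;
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      if (typeof record.analytics !== 'boolean' || !Number.isFinite(record.ts)) return null;
      if (record.ts > now || now - record.ts > CONSENT_TTL_MS) return null;
      return { analytics: record.analytics, ts: record.ts };
    } catch (err) {
      return null; // malformed value: treat as no consent
    }
  }
  return null;
}

// Explicit opt-in only: the default for any unknown state is false.
function hasAnalyticsConsent(cookieString, now = Date.now()) {
  const consent = parseConsent(cookieString, now);
  return consent !== null && consent.analytics === true;
}

// Build the cookie value recording the visitor's choice. Storing the timestamp
// lets you show when consent was given and re-ask once it is stale.
function serializeConsent(analytics, now = Date.now()) {
  const value = encodeURIComponent(JSON.stringify({ analytics: Boolean(analytics), ts: now }));
  const expires = new Date(now + CONSENT_TTL_MS).toUTCString();
  return `${CONSENT_COOKIE}=${value}; Expires=${expires}; Path=/; Secure; SameSite=Lax`;
}

// Inject the analytics loader only when consent exists. `doc` is passed in
// (normally `document`) so the logic can be exercised outside a browser.
// Returns true when the tag was added, false when it was withheld.
function loadAnalyticsIfConsented(doc, cookieString, now = Date.now()) {
  if (!hasAnalyticsConsent(cookieString, now)) return false;
  const script = doc.createElement('script');
  script.async = true;
  script.src = ANALYTICS_SRC;
  doc.head.appendChild(script);
  return true;
}

// Wire this to the consent banner's "accept" button: record the choice, then load.
function acceptAnalytics(doc) {
  doc.cookie = serializeConsent(true);
  return loadAnalyticsIfConsented(doc, doc.cookie);
}

// Browser start-up: load only if a valid opt-in is already on record.
// Guarded so the same file also runs under Node.
if (typeof document !== 'undefined') {
  loadAnalyticsIfConsented(document, document.cookie);
}
```

The design choice worth copying is the failure direction: every error path in parseConsent returns null, and null is treated exactly like a declined answer, so a corrupted or expired cookie can never silently turn into “yes”. The timestamp in the record is what lets you answer “when did this visitor agree?” if a regulator or the visitor asks.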
Respect your users’ personal data and privacy, and respect your business enough to keep your website updated and secure.