In this post, we cover how the European Union law GDPR could impact US-based organizations and how to make your website GDPR-compliant.
As of May 25, 2018, the General Data Protection Regulation (GDPR) is in effect in the European Union (EU). Aimed at protecting the personal data of people in the EU, GDPR gives users more control over how their data is used and sets clear rules on what organizations may do with it. While not a US regulation, GDPR has ramifications for how website owners around the world may collect and use data from people in the EU. Let’s explore what GDPR means for those of us in the U.S.
While the full regulation contains many provisions, here are the basic rules that matter most for a website:
- Personal data must be protected with appropriate security measures; it has no place in publicly accessible spreadsheets or other unprotected documents.
- Personal data may not be collected without a lawful basis. For newsletter and marketing sign-ups that basis is normally the user’s explicit consent, and the user must be told in plain language what the data will be used for before it is collected.
- Users must have an easy way to withdraw consent and to have their data erased.
- Organizations must have clear processes in place to detect, report, and investigate personal data breaches. A breach must be reported to the supervisory authority within 72 hours of becoming aware of it where feasible, unless it is unlikely to pose a risk to the people affected.
What Does GDPR Mean for US-Based Organizations?
If your organization is based outside the EU’s 28 member states (27 once the United Kingdom’s withdrawal takes effect), GDPR treats your country as a ‘third country’. Transfers of personal data to organizations in third countries are restricted, and GDPR also applies directly to third-country organizations that offer goods or services to people in the EU or monitor their behaviour.
For example, if your US-based organization collects email addresses from people in the EU, whether through a newsletter signup form, live website chat, or telephone calls, you’ll need to comply with GDPR. A site that merely happens to be reachable from the EU is not automatically in scope, but once you accept sign-ups, orders, or donations from EU users you generally are. It makes no difference whether the data ends up in a third-party email marketing or CRM system rather than on your website: you remain responsible for compliance, and the third party is acting as your data processor.
GDPR also requires that nonprofits, businesses, and other organizations obtain explicit consent from users, accompanied by a clear description of how their data will be used. Organizations must be able to demonstrate that consent was given, which will likely require new processes to record it. This applies to data you already hold as well: consent collected earlier only counts if it met the GDPR standard, so if you cannot show that, you will need to obtain consent again.
Finally, if a customer asks you to remove all their data from your systems, you must do so unless a legal obligation requires you to keep some of it (for example, transaction records you must retain for tax purposes).
What Does GDPR Mean for Your Website?
In simple terms, if your website or digital product collects or holds personal data from people in the EU, you must offer clear, optional, and understandable ways for them to opt in and out. You must explain how you will use the data you obtain, and you must delete it from your records if they ask you to. You must also tell them if you suffer a data breach that is likely to put them at high risk.
We created a quick GDPR website compliance checklist to help you easily understand what GDPR means for your website.
GDPR Website Checklist
To make your website GDPR-compliant, do these things:
- Serve your whole site over HTTPS with a TLS certificate (still commonly called an ‘SSL certificate’). This is a good idea for many reasons: Chrome marks plain-HTTP pages as ‘Not secure’, search engines favor HTTPS, and it is the baseline for keeping submitted personal data confidential in transit. Let’s Encrypt issues such certificates free of charge.
- You must be able to demonstrate that consent was given, so keep a record of each consent: who gave it, when, for which purpose, through which form, and which version of your privacy notice they saw. Do not log every user interaction; collecting more than you need conflicts with GDPR’s data minimization principle.
- Don’t use pre-ticked boxes on website sign-up forms, such as newsletters. Consent must be an affirmative action: users opt in, they are not opted in by default.
- Similarly, use a separate, unticked box for each purpose for which you gather data, and never bundle marketing consent with something the user has to accept anyway, such as the terms of service for an on-site purchase.
- If you use third-party payment gateways for purchases, donations, etc., personal data is being transferred to that provider. A transfer to the US needs a recognized legal mechanism, such as the provider’s EU-US Privacy Shield certification or Standard Contractual Clauses, and you need a data processing agreement with the provider that sets out what it may do with the data.
- Give users an easy way to withdraw consent and to have their data removed from your systems and from any third-party systems you passed it to (the ‘right to be forgotten’, formally the right to erasure).
- Website contact and inquiry forms must be submitted over HTTPS. If copies of form data are also emailed to staff, those emails contain personal data too: your email provider is then a processor, so check its terms of service and data processing agreement, and keep such mailboxes under the same retention and erasure rules as your other records.
- CRM systems hold user data and are subject to the same rules as any other third-party processor. Bear in mind that a CRM also records the date, time, and reason for capture, notes, and similar metadata about each person; a request to be forgotten covers all of it, not just the name and address.
- If your website stores user account information, keep direct identifiers (name, email address) apart from the rest of each record and refer to users elsewhere by an internal identifier or keyed token that only the separately held mapping can resolve. This is pseudonymization; GDPR names it as an appropriate safeguard, and it limits the harm if the main database leaks. It is not anonymization, which is irreversible and takes data outside GDPR’s scope altogether, and it does not relieve you of the other obligations above.
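To make the consent, withdrawal, erasure, and pseudonymization items on the checklist concrete, here is an added example (not code from the original post, and not from any particular CRM or form library) of a small consent ledger. It records one affirmative opt-in per purpose together with the evidence you would need to demonstrate it later, refuses pre-ticked or unticked boxes, supports withdrawal, and handles an erasure request while keeping only a pseudonymous suppression marker. The HMAC key, the `ConsentLedger` class, and all sample addresses are assumptions for illustration; in a real deployment the key and the pseudonym-to-email mapping live in a separate, more tightly controlled store than the consent records.

```python
"""Consent ledger sketch (added example): per-purpose opt-in records that can be
demonstrated later, withdrawn, and erased, keyed by a pseudonym, not the e-mail."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def pseudonymize(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalised address. The same person always maps to
    the same token, but without the key the token cannot be reversed or tested
    against a guessed address, so the consent table on its own names nobody."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


@dataclass
class ConsentRecord:
    purpose: str                # one record per purpose, never bundled
    given_at: datetime
    notice_version: str         # which privacy notice text the user saw
    source: str                 # page or form that collected the consent
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Hypothetical in-memory ledger; a real one persists to a database."""

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        self._records: Dict[str, List[ConsentRecord]] = {}
        # Pseudonym -> e-mail. Kept here for simplicity; in production this
        # mapping (and the key) are stored apart from the records.
        self._identities: Dict[str, str] = {}
        # Pseudonyms of people who asked to be forgotten, so a later data
        # import does not quietly re-subscribe them.
        self._suppressed: Set[str] = set()

    def record_consent(self, email: str, purpose: str, box_checked: bool,
                       box_prechecked: bool, notice_version: str,
                       source: str) -> ConsentRecord:
        # A pre-ticked box is not an affirmative action, so it is rejected even
        # when the user left it ticked; an unticked box is simply no consent.
        if box_prechecked:
            raise ValueError("pre-ticked boxes do not give valid consent")
        if not box_checked:
            raise ValueError("no affirmative opt-in for purpose %r" % purpose)
        token = pseudonymize(email, self._key)
        self._suppressed.discard(token)        # a fresh opt-in overrides suppression
        self._identities[token] = email.strip().lower()
        rec = ConsentRecord(purpose, datetime.now(timezone.utc), notice_version, source)
        self._records.setdefault(token, []).append(rec)
        return rec

    def has_consent(self, email: str, purpose: str) -> bool:
        token = pseudonymize(email, self._key)
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(token, []))

    def withdraw(self, email: str, purpose: str) -> int:
        """Withdrawal must be as easy as giving consent. Returns records closed."""
        token = pseudonymize(email, self._key)
        closed = 0
        for r in self._records.get(token, []):
            if r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc)
                closed += 1
        return closed

    def erase(self, email: str) -> List[str]:
        """Right to erasure: drop the identity mapping and the records, keep only
        the pseudonym as a suppression marker, and return the purposes so the
        same request can be forwarded to every processor (CRM, mailing list)
        that received data for them."""
        token = pseudonymize(email, self._key)
        purposes = sorted({r.purpose for r in self._records.pop(token, [])})
        self._identities.pop(token, None)
        self._suppressed.add(token)
        return purposes

    def is_suppressed(self, email: str) -> bool:
        return pseudonymize(email, self._key) in self._suppressed


if __name__ == "__main__":
    # Constructed sample data; the key is a placeholder, never reuse it.
    ledger = ConsentLedger(b"example-key-not-for-production")
    ledger.record_consent("Ann@Example.com", "newsletter", box_checked=True,
                          box_prechecked=False, notice_version="2018-05",
                          source="/signup")
    print(ledger.has_consent("ann@example.com", "newsletter"))   # True
    print(ledger.erase("ann@example.com"))                       # ['newsletter']
```

Note that `erase` deliberately keeps the pseudonym in a suppression set: that retention is justified by your obligation not to contact the person again, not by consent, and it stores nothing that identifies them on its own. Whatever the list of purposes it returns, the same erasure request still has to reach each processor that holds a copy of the data.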
Do I Have to Update My Website?
These are all good privacy and security practices regardless, but GDPR gives US-based organizations an added incentive to update their websites, email marketing practices, and so on. It is worth noting that non-compliance can result in stiff penalties. For the upper tier of infringements the regulation provides for fines of:
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements…
If you need help with any of the above or if you have specific questions about GDPR, please feel free to contact us.