GDPR became enforceable May 25, 2018, and it’s a pretty important regulation. If you’re still wondering what it is and if you need to update your site to comply, it’s past time to figure it out.
What Is It?
The GDPR (General Data Protection Regulation) is a regulation to “protect and empower all EU citizens’ data privacy,” according to www.eugdpr.org. The regulation affects any website that collects “personal data or behavioral information from someone in an EU country.”
This covers offering products (even for free) or simply monitoring visitor behavior, assuming the visitor is within the European Union. Also included are requirements regarding:
- security breach notification
- data erasure
- right of access (requests for identifying information)
- assignment of a data protection officer
The penalties can be steep, up to €20 million or 4% of your “annual global turnover” for the worst infractions. If there is any chance your site may have visitors originating in the EU, it might be best to follow the regulation. To be absolutely sure, contact an attorney to review your specific circumstances.
What If I’m US Based?
Unless you can guarantee no visitor from the EU will be able to access your site, it doesn’t matter where your company is physically located. The GDPR applies to the visitor, not the provider or company on the other end. As the regulation states, its purpose is to protect residents of the EU; it doesn’t matter if they stumbled upon your site.
The exception to this is if you collect no data whatsoever, in which case there’s nothing to protect them from.
Is There An Easy Solution?
Several plugins are available to simplify some aspects of compliance, but these plugins may not offer everything you need. Most include a clear opt-in and opt-out action for data collection that you can present on your site. Other features to look for in a plugin may include:
- subject access requests (user access to their personal information),
- requests for deletion or anonymization,
- cookie management tools,
- proper consent on existing forms.
Not all plugins are created equal. Some may work better with your site than others, regardless of the features they provide. Make sure to verify compatibility with your site themes, forms, and other plugins, and look for a combination that works for you.
What plugins typically don't offer is an appointed data protection officer, security breach notification, or help locating data collected by external services (such as AdSense or Analytics). Be sure to check all avenues of data collection, including user IDs, transaction IDs, encrypted data, and URL parameters. This might also be a good time to turn on the IP Anonymization feature for Google Analytics to be sure no personal data is collected in unwanted places.
Adding a plugin and checking your data collection may not be enough to fully comply with this EU regulation. To ensure your site complies entirely, it might be necessary to appoint a lawyer versed in the GDPR to review your company practices and site.