You’ve probably noticed it creeping up on you… a flurry of privacy policy updates and opt-ins and re-establishing preferences for emails and websites. What is it and why does it matter? It’s not just Facebook that is updating their privacy policies — the EU has established some firmer rules about website privacy and compliance, the General Data Protection Regulation, otherwise known as the GDPR, and U.S. based companies are affected by it, too.

What does this mean for you? Well, if you are a U.S. based company doing business and marketing in the U.S. only – it means nothing. Other than the fact that these new regulations are fast being considered good business practice, you don’t need to worry about anything.

If you are a U.S. based company that does business in the EU or collects data from residents of the EU, you are subject to these regulations. Any third-party services you use to collect and store data are also subject to them.

This sounds like a lot, doesn’t it?

As PayPal’s blog on getting GDPR ready so nicely puts it — don’t panic.

In a nutshell, the GDPR is simply looking to protect the personal data of EU citizens. The Ninja Forms blog post on GDPR Compliance and WordPress Forms summed up what this means in a nice, short, 4-point list:

  1. Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.
  2. Have a clear and accessible privacy policy that informs users how collected data will be stored and used.
  3. Have a means for users to request access and view the data you have collected on them.
  4. Provide users with a way to withdraw consent and purge personal data collected on them; i.e. the “Right to Be Forgotten”.

What does this mean in terms of your site?

For most of our clients, this just means some due diligence on your end. As an organization, you need to sort out whom you collect data from, what type of data you collect, what you do with it, and why. Then you should consider the following:

Clear terms of use and a clear privacy policy are important: they should state exactly what data you gather and/or share and why, how users can opt out, and, as the list above states, how they can have their personal data purged. Graphic Details needs to state that we are not lawyers; other than offering to put new or updated terms or a privacy policy on your site, we cannot offer assistance in crafting those messages. We highly suggest you consult your lawyer on the specific terms and how they’re worded.

A clear opt-in message if you are using cookies to track users. Users must be given an active choice of whether or not they want to be tracked. See the image below for an example.

GDPR: Let Your Visitors Know Your Site Uses Cookies

A clear opt-in message when submitting forms. A required checkbox that states agreement with your site’s terms and privacy policy will do. See the image below for an example.

GDPR: How to Be Compliant with Sign-Ups

Google Analytics. It is currently not legal to store personal data in Google Analytics (and we’re pretty sure none of you do that anyway). However, under the GDPR, IP addresses are now considered personally identifiable information and may need to be anonymized should someone choose to opt out of being tracked.
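The cookie opt-in and the IP anonymization point can be wired together in a small piece of page JavaScript. The following is an added example, not code from the Graphic Details post or from any vendor it mentions: it configures Google Analytics (Universal Analytics via gtag.js, where the anonymize_ip setting applies) only after the visitor has actively opted in, never fetches the tracker script before that, and shows how withdrawing consent is handled. The cookie name ga_consent, the value granted and the tracking ID are assumptions for illustration.

```javascript
// Added example (not code from the Graphic Details post): load Google
// Analytics only after the visitor has actively opted in, and always ask GA
// to anonymize IP addresses. The cookie name, the consent value and the
// tracking ID are assumptions for illustration.

const CONSENT_COOKIE = 'ga_consent';     // assumed cookie name
const CONSENT_VALUE = 'granted';         // assumed value meaning "opted in"
const TRACKING_ID = 'UA-XXXXXXXX-X';     // placeholder; use your own property ID

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Consent must be explicit: anything other than the opt-in value counts as "no".
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === CONSENT_VALUE;
}

// Decide what the page should do on load. Returns a plan instead of calling
// gtag() directly so the decision can be tested without a browser.
function analyticsPlan(cookieString, trackingId) {
  if (!hasConsent(cookieString)) {
    return { loadTracker: false, gtagCalls: [] };
  }
  return {
    loadTracker: true,
    gtagCalls: [
      ['js', new Date()],
      // anonymize_ip zeroes the last octet (IPv4) / last 80 bits (IPv6)
      // before the address is stored.
      ['config', trackingId, { anonymize_ip: true }],
    ],
  };
}

// Set-Cookie style strings for the opt-in banner's buttons. Withdrawing
// consent expires the cookie, so the next page load skips the tracker.
function grantConsentCookie(days) {
  const maxAge = Math.max(0, Math.floor(days * 86400));
  return `${CONSENT_COOKIE}=${CONSENT_VALUE}; Max-Age=${maxAge}; Path=/; SameSite=Lax`;
}

function withdrawConsentCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax`;
}

// Browser wiring: runs only where a DOM exists, so the file also loads in Node.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const plan = analyticsPlan(document.cookie, TRACKING_ID);
  if (plan.loadTracker) {
    window.dataLayer = window.dataLayer || [];
    window.gtag = function () { window.dataLayer.push(arguments); };
    const script = document.createElement('script');
    script.async = true;
    script.src = 'https://www.googletagmanager.com/gtag/js?id=' + TRACKING_ID;
    document.head.appendChild(script);
    for (const call of plan.gtagCalls) window.gtag(...call);
  }
}
```

The banner's "Accept" button would assign grantConsentCookie(365) to document.cookie and then reload or re-run the wiring block; a "Withdraw" link in the privacy policy would assign withdrawConsentCookie(). Because the gtag.js script tag is only created once consent is found, no analytics cookie is set and no request reaches Google for a visitor who has not opted in, which is what turns the notice into a real opt-in rather than an opt-out.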

The ICO put together a nice, clear list of Eight Practical Steps for Micro-Business Owners. It is geared specifically toward small businesses in the UK, but it breaks down what you need to know and/or do into digestible chunks.

What this comes down to is, again, don’t panic.

Graphic Details can implement any changes to your terms and/or privacy policy that you and/or your lawyer draft, install check boxes on forms, and install a cookie opt-in notice.

Below is a list of resources — information on the GDPR that we have found helpful, and a list of what some of the third-party companies our clients may use are doing to ensure their compliance with these new regulations.

GENERAL RESOURCES:

THIRD PARTIES:

EMAIL:

SCHOOL SPECIFIC:

  • GDPRiS  (GDPR in Schools)
  • FACTS
  • Blackbaud
  • Finalsite
  • Achieve Technology – no info readily available. Contact your representative for information.

Please remember that we are not lawyers, nor do we claim to be experts in everything GDPR. We highly suggest you consult your lawyer on the specific terms of GDPR and how they may affect your particular situation.
