What is GDPR? An easy overview of the General Data Protection Regulation
by Idean Vasef
The EU General Data Protection Regulation (GDPR) law is the most important change in data privacy regulation in 20 years – we’re here to make sure you’re prepared. How’s that for an opening line? If you fire up your web browser right now and head over to the EU’s official GDPR homepage (seriously do it), this bold quote sticks out like a sore thumb, and that’s most likely by design. GDPR is currently among the hottest and controversial tech topics that no one (well, at least us state-side folks) is talking about. Proposed by the European Commission, GDPR is a data protection law that was initially adopted last April and replaces a previous data protection law implemented back in 1995. GDPR goes into effect on May 25, 2018. Although the GDPR regulations are technically in place right now, they’re not enforceable until May 25, 2018. Given that this is the date, we need to roll our sleeves up and get to work!
Familiarize Yourself With The Basics
I’d be the first person to admit that I’m no legal advisor nor am I anywhere close to being a GDPR expert by any means. However, I will do my best to keep you calm and share as much as I understand to help you prepare for doomsday (ignore my awful attempt at humor, swear I’m not trying to scare you!). The aim or objective of GDPR is to put personal data back under the control of the individual. If you’ve done any basic level of research on GDPR, you’ll notice the EU’s documentation use of the words ‘processor’ and ‘controller’ quite frequently. In a layman’s term, the data controller is the organization (aka us business owners) that hence ‘control’ the data, whereas, the data processor is the organization that handles or processes this data (can be your web hosting provider, email marketing provider, etc.).
In principle, the mere timing and action of the legislation shouldn’t be that surprising when you take in account last year’s disastrous Equifax’s data breach and Facebook’s current data scandal. As a self-proclaimed tech-junky, what catches my attention most is not so much the timing or even the formation of the GDPR law (generally speaking) but rather, the requirements of the law and skeptically what is being defined as ‘personal data.’ Be mindful of this as you can overlook personal data.
According to the EU, the term ‘personal data’ is loosely described as any information that can define a human being (name, photo, email addresses, date of birth, etc.). If you think about this, there’s a little bit of a grey area in this regard. For example, from my understanding, comments left on that last kick-ass blog post you created would also be categorized as personal data under the law. Why? Because that person that left you that nice feedback in the comments section probably had to sign in your website. This means that we (the business) have some form of this individual’s data stored on our end (by the web host). Some may find this excessive and abrasive, but unfortunately, it’s out of our control, and we have to accept it. Know that EU citizen’s data are about to be protected to an extent we’ve never seen before.
Why Should You Be Concerned?
Although it’s most pivotal for businesses inside the European countries, the GDPR legislation will have an impact on your company if you have any website visitors from European citizens. A little louder for the folks in the back: If you’re a business or website and are collecting any user data from European citizens or residents, you are required by law to comply 100% with GDPR. GDPR applies to ANY company that processes any data on behalf of EU citizens or residents. Don’t feel like complying? You better be ready to fork up some cash. Penalties for non-compliance of the GDPR can result in fines of up to 4% of gross revenue (or up to 20 million Euros). Under GDPR, your organization only has 72 hours to report a data breach, so time is literally of the essence. Sorry for my language but there’s no ‘half-assing’ this time around my friends. Now that that’s out of the way let’s get down to brass tacks.
Marketers especially will be key players in the rollout of GDPR. Let’s role-play for a moment (not that kind of role-play, get your head out of the gutter) and put on our digital marketing hats. On any given day, we target users and collect their data, and probably don’t think twice about it. For example, on our standard landing page or ‘contact us’ form, we might have three fields: first name, last name, and email address. We then subsequently grab this information from a database to collect or update our current mailing list of subscribers so we can target them using various platforms. With GDPR, we need an extra check mark that requests the consumer’s consent. This text will read along the lines of ‘I consent to company XYZ collecting and storing my data via this form.’ The folks at WPForms wrote an easy starter kit on how to create GDPR compliant forms that I recommended checking out. If you’re not already implementing double opt-ins, the procedure where the person who initially signed up receives a confirmation email to confirm their signup, I highly recommend doing this asap. The great advantage of double-opt ins is that it puts the responsibility on the user to take the next step. One less thing to worry about!
What Immediate Steps Can You Take?
Under GDPR, there are several action items that we have to fulfill as WordPress administrators. If you can begin by doing some simple house cleaning, the lowest hanging fruit is to wipe out any plugins you’re not utilizing. This is already a best practice for ensuring website performance and optimization, so you’re killing two birds with one stone. From a provider standpoint, any plugins that you use will also need to comply with the GDPR rules as well. Putting that marketing hat back on for a moment, think about plugins you’ve integrated with your WordPress site. I would bet that you’re probably using a web analytics tool. You’ll want to pay attention to these tools because their sole reason for existing is to track users and their user behaviors on your behalf.
On a side note, GDPR can spell some tough times for some of the most popular plugins out there. Solution providers such as Jetpack, a very popular marketing & design WordPress plugin, collect a whole lot of data by nature. However, as a site admin or owner, it’s still our responsibility to make sure that the plugins, active or inactive, are complying with GDPR regulations themselves. Perfor an audit of your plugins and make sure that the third-party providers are on their A-Game when it comes to GDPR compliance. Familiarize yourself with plugins as you’ve never done before. Also, I realize it’s common for a lot of businesses to outsource their website management to third parties. Unfortunately, this causes a disconnection between the owner(s) and the third party admins who hold personal data. Reach out to them on twitter or go old-school and give them a ring (people do this still right) to make sure stakeholders are all on the same page.
Website cookies also store and collect data to help marketers retarget users with ads, analytics tracking, and storing your session dat) Going forward, you should make your messaging crystal clear for individuals ahead of placing any cookies on their machine. One action you can take is to launch a pop-up window or place text somewhere that’s extremely visible to the user. We can no longer be vague with our messaging. People need to know what they are signing up for, so investigate and find out what the plugins and other third-party tools are collecting on your behalf. Remember, the burden of proof lies with us, the business owners and organizations.
Some larger organizations who have the budget, have already decided to appoint or hire a Chief Data Officer. This expert would be responsible for all things GDPR related and would relieve companywide anxiety for sure. Whoever you put in charge, he or she needs to fully grasp what information is being collected, how it’s being collected and why it’s being collected. If your budget doesn’t allow for a fancy Chief Data Officer, that’s okay. Another route you can take is to have your legal team work together with your in-house or IT hosting company. This creates a synergy, and it’s less likely things will fall through the cracks. On a larger scale, ensure every single employee in your organization has a basic understanding of GDPR and why it’s important to stay mindful of. Make a company event out of it, or get on a quick all hands call to get the ball rolling. However you decide to move forward, the key is to create awareness as soon as possible and start getting into good habits!
March 30, 2018
March 17, 2018