What you Need to Know and Do to Be Compliant with the New GDPR Data Privacy Law

The General Data Protection Regulation (GDPR) has replaced data protection laws across the European Union (EU) with one coherent data protection framework.
Significant and wide-reaching in scope, the Regulation brings a 21st-century approach to data protection. It expands the rights of EU residents to control how their personal information is collected and processed. It places a range of new obligations on organizations to be more accountable for data privacy and protection.
California, the largest economy in the US, recently enacted the California Consumer Privacy Act (CCPA). It was clearly influenced by the GDPR. While currently directed at larger businesses, it follows the trend to increase data privacy rights for consumers.
Of note, Tim Cook, CEO of Apple, is a strong advocate for internet privacy. In a recent speech in Brussels, he called for new digital laws in the US similar to GDPR. (You can read more about this here).
He holds up GDPR and its implementation as a model for everyone to follow.
Could this affect my business?
GDPR applies to any organization that offers goods or services to people in the EU.
If your website collects or will at some point collect personal information from visitors from the EU, GDPR likely applies to you.
The types of personal information that you could be collecting include:
• Name
• Address
• Email address
• Photo
• IP address
• Location data
• Online behavior (cookies)
• Profiling and analytics data
• Affiliate marketing tracking (Amazon Associates, etc.)
Under the new law, organizations in breach of GDPR can be fined up to 4% of annual global revenue.
Start planning now to be in GDPR compliance. You may be at low risk now, but why take a chance? And sooner or later, stronger privacy requirements are coming to the US.
It’s the right thing to do – better to have it on your site than not to.
Besides, websites that are GDPR-compliant will:
• Build trust with site visitors
• Use best practices for information security
• Improve your brand and reputation
What are the requirements?
1) You should have a privacy policy that explains the following:
• What you collect
• How you collect the data. For example, it could be through site logs, cookies, web beacons, signup/registration forms, comment forms, etc.
• Why you collect this information
• How site visitors can opt out of data collection (you might add links to opt-out pages on your site and on third-party advertiser websites)
• How site visitors can contact you if they have questions
2) Before you collect any personal information, EU residents must be presented with an opportunity to affirmatively opt in to any data collection.
Your action steps are:
1. Audit your website:
a) Determine what data you collect when a visitor accesses your website.
b) Examine the data you collect to determine if you have information from any EU residents.
c) Review your third-party service providers to see how they are handling GDPR compliance.
2. Update your Privacy Policy
a) Be more specific about the information you collect, including how you use it and how it is transferred to or shared with third-party providers.
b) Include a process for EU residents to request access to their personal data or to be forgotten.
3. Obtain Explicit Consent for each reason you collect personal data
Remember, you may need to obtain explicit consent more than once. Consider the following common areas for publishers to engage in data collection, as any of these services could potentially trigger GDPR requirements:
a) Google Analytics
b) Retargeting Ads and Tracking Pixels
c) E-mail list opt-in
d) Affiliate Links (Amazon, etc.)
e) Amazon – OneLink
f) Display Ads
g) Contact Forms
h) Comments
i) Product Sales
j) Plugins (Gravity Forms, Jetpack)
k) Logging tools and plugins
l) Security tools and plugins
m) Data retention limits
4. Ongoing Requirements
a) Breach notification:
This has become a major area of focus: with so many personal data breaches, individuals are lodging complaints against organizations, which can now be investigated by data protection authorities.
b) Inform your users:
Provide clear and specific information on the cookies in use on the site, what types of data are processed, for what purpose, and where in the world they are sent.
c) Get prior consent:
Ask for consent before setting cookies. Only strictly necessary cookies may be set before consent is received.
d) Document:
Keep a record of all consents received as evidence that consent was given.
e) Protect the data:
Ensure that all personal data is stored securely and is protected in transit when it is transmitted to the EU or other countries.
f) Give your users a true choice:
Make sure that users can see the cookies in use and can select, accept or reject them. The site must still function when a user has rejected cookies.
g) Provide the option for your users to change their mind:
Give users a way to see and change their choice of accepted and rejected cookies on your site. If a user so requests, you must be able to erase their data.
h) Alert:
In the case of a breach, alert the data protection authorities and affected users within 72 hours.
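The consent steps in c), d), f) and g) above describe behaviour a site's front end has to enforce: nothing beyond strictly necessary cookies before the visitor answers, a kept record of what was chosen, an easy way to change that choice, and a site that keeps working when consent is refused. The following is an added example of a small consent-gating module that does this in plain JavaScript; it is not code from the article or from any consent product. The category names, the six-month re-prompt interval, the policy version strings and the script manifest URLs are all assumptions chosen for illustration.

```javascript
// Added example (not from the original article): consent gating for cookies and
// third-party scripts. Category names, re-prompt interval, policy versions and
// script URLs below are assumed/constructed for illustration only.

const CATEGORIES = ["necessary", "analytics", "marketing"];
// Assumed policy: ask again after ~6 months or whenever the cookie notice changes.
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;

// State before the visitor has answered: only strictly necessary cookies allowed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Build the record you keep as evidence: the choices, when they were made and
// which version of the cookie notice the visitor saw. Anything other than an
// explicit `true` for a category is treated as a refusal (no pre-ticked boxes,
// no "truthy" strings from a form counting as consent).
function recordConsent(choices, policyVersion, now = Date.now()) {
  const record = { choices: defaultConsent(), policyVersion, givenAt: now };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue; // never asked, never refusable
    record.choices[cat] = choices[cat] === true;
  }
  return record;
}

// A stored record stops counting as consent if the notice has changed since it
// was given or it is older than the TTL; the visitor must be asked again.
function needsReprompt(record, currentPolicyVersion, now = Date.now()) {
  if (!record) return true;
  if (record.policyVersion !== currentPolicyVersion) return true;
  if (now - record.givenAt > CONSENT_TTL_MS) return true;
  return false;
}

// May a cookie/script of this category be set right now? Fails closed: unknown
// categories, missing records and stale records all mean "no".
function mayLoad(category, record, currentPolicyVersion, now = Date.now()) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  if (needsReprompt(record, currentPolicyVersion, now)) return false;
  return record.choices[category] === true;
}

// Withdrawing consent for one category produces a fresh record with the
// withdrawal time, so the audit trail shows when the choice changed.
function withdrawConsent(record, category, now = Date.now()) {
  return recordConsent({ ...record.choices, [category]: false }, record.policyVersion, now);
}

// Constructed manifest of the scripts a site might load, each tagged with the
// consent category it needs. URLs are placeholders, not real endpoints.
const SCRIPT_MANIFEST = [
  { category: "necessary", src: "/js/session.js" },
  { category: "analytics", src: "https://analytics.example/tag.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];

// Which scripts to inject on this page load, given the stored consent record.
// The site still gets its necessary script when the visitor refused everything.
function scriptsToLoad(record, currentPolicyVersion, now = Date.now()) {
  return SCRIPT_MANIFEST
    .filter((s) => mayLoad(s.category, record, currentPolicyVersion, now))
    .map((s) => s.src);
}

// Demonstration when run directly: a visitor who accepts analytics only.
if (typeof require !== "undefined" && require.main === module) {
  const POLICY_VERSION = "2024-01"; // assumed version string of the cookie notice
  console.log("before answering:", scriptsToLoad(null, POLICY_VERSION));
  const rec = recordConsent({ analytics: true, marketing: "yes" }, POLICY_VERSION);
  console.log("after consent:   ", scriptsToLoad(rec, POLICY_VERSION));
  console.log("after withdrawal:", scriptsToLoad(withdrawConsent(rec, "analytics"), POLICY_VERSION));
}
```

The record is what you store (in a first-party cookie or local storage on the client, and server-side if you want durable evidence); `scriptsToLoad` is what runs on every page before any tag manager or analytics snippet is injected. Note that a change to the policy version or the TTL expiring silently drops back to necessary-only until the visitor answers again, which is the safe direction to fail.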
Are you GDPR Compliant?
Avoid risk of revenue loss
Build trust with site visitors
Improve brand and reputation