What Is GDPR?

GDPR stands for the General Data Protection Regulation which regulates how the personal data of individuals within the European Union is collected, stored, and used. “Personal data” are things like your website’s visitors’ names, phone numbers, email addresses, and all information related to their religious and political views. It includes their IP addresses, locations, photos, and extends to their health, biometric, and genetic data, as well as their sexual orientation, race, and ethnicity. The main objective of the GDPR is to protect individuals against the violation of their privacy.

Disclaimer: This is not an official EU Commission or GDPR resource. This is an educational post and in no way constitutes legal advice. Any person who intends to rely upon or use the information contained on this website about GDPR is solely responsible for independently verifying the information, and obtaining legal advice if required. To read the official GDPR document, please visit http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN.

Is GDPR New?

GDPR was created in 2016, but beginning May 25, 2018, it will be enforced. Over time, some of the early GDPR regulations have become a bit more restrictive, especially with regard to the way consent is given, and some new regulations have been added.

Who Needs to Comply with GDPR Regulations?

  • Anyone who provides goods and services to those in the EU, including companies that market to companies residing within the EU and those with websites that are open to EU visitors. Even if the only bit of information that you are collecting on your website visitors is their IP address (for use in Google Analytics, for example), since an IP address is considered personal information, you must comply with GDPR regulations. If you don’t have Google Analytics installed, if you don’t have any web forms on your site, or if you don’t have any 3rd party plugins that share visitor data, then you don’t need to worry about GDPR. But that’s a very small percentage of all websites, so chances are you should read on and take action!
  • If your web host collects and stores IP addresses from your visitors in its log files, and some of your website visitors come from EU countries, you need to comply with GDPR. Let’s face it: unless you have geo-IP blocks in place, that pretty much covers all web hosts, right?
  • If you have any forms on your website that collect personal information (like names and email addresses, for example), and some of your web traffic comes from GDPR-protected companies, then you need to comply.
  • If your website shares data with any 3rd party services, and some of our website visitors come from EU countries, then you need to comply.

Why Terminology on the Official GDPR Website is Confusing to U.S. Companies That Serve Only U.S. Customers

On one hand, the text on the official GDPR website clearly states that if a non-EU company’s website collects IP addresses from its EU visitors, then it must comply with GDPR. However, on this page that discusses who GDPR applies to, the EC website spells out the following example:

“When the regulation does not apply

Your company is [a] service provider based outside the EU. It provides services to customers outside the EU.  Its clients can use its services when they travel to other countries, including within the EU. Provided your company  doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

Some Key Points and Updates About GDPR for Business and Website Owners:

GDPR Requires That All Data Has to be Processed in a “Fair and Transparent Manner.” What Does this Mean?

  • Fair means that companies process the minimum data they need to be able to provide their services. Certain fields on web forms, for example, “salutation,” that looks for gender, social or marital status like Mr. Mrs. or Ms. is not necessary information for most businesses. So, eliminate these types of fields from your web forms. GDPR encourages companies to collect as little information as possible.
  • Transparent – GDPR requires companies to tell visitors, in advance, what information they are collecting, for what purposes they are collecting it, and for how long they plan to store it. The information must be presented in “a concise, transparent, intelligible and easily accessible form, using clear and plain language.”

Right of Access

If you’re an owner of a website that supports user accounts or that has a user area, you must provide a way for users to view the information is stored in their account.

Right of Rectification

This just means you have to give your users the ability to update their information in your user area.

Right to be Forgotten

In case a user’s information in a user area is not complete or if they decide they want to terminate their agreement, the Right to Be Forgotten gives users the right to contact you (the company) and ask that their data be removed. Note that this is not an ‘absolute’ right: many companies are required to keep some information on their customers for certain periods of time, like transactional data, and this time window varies by jurisdiction. So, if you submit a request to a company “to be forgotten”, they have the right to retain certain parts of your data, for example, invoice amounts for tax purposes, for some period of time.

Right to Restrict Processing

This right protects individuals against requirements to submit unnecessary information on a web form or order form (for example, a salutation, gender, or social label like Mr. Mrs. or Ms.). What this means for companies: it’s time to remove required fields on forms that are not essential to the delivery of your goods or services. Collect only the data you need to provide your goods or services.

Right of Portability

This right ensures that users’ records can be transferred easily to another company, for example, in a transferable file.

Right to Object

In case users once gave their consent to receive promotional emails but changed your mind, this right says that users preserve the right to unsubscribe.

Right to Automatic Decision Making

Under GDPR, users now have the right to change retargeting and remarking preference in their browsers to exclude them from receiving related advertising in future web sessions and social media sessions. OMG! This is huge! 

The word or topic that runs through all the new GDPR legislation is consent. As a website owner, how can you make sure you are gathering consent properly?

First, you need to make sure your visitors are able to freely and easily consent to the collection, storage, and use of their personal data. This suggests that you should include check boxes and opt-outs on all forms filled out by new users. The requirement to sign-off on consent does not necessarily extend to existing clients with whom you already have formal contractual agreements in place. However, if you are introducing something conditional, like a new service, newsletter subscription, or marketing materials, then yes, consent must be requested and given again.

Example: Let’s say you sell home security services, and on your standard contract you collect the name, phone, physical address and email of your customers. To continue providing home security services under the new GDPR regulations, you do not need to ask for continued consent for services directly related to that contract. However, if you wish to send your clients a newsletter or emails about upcoming promotions or other marketing-related material, then yes, you must gather their consent before you send that material. Furthermore, it is prohibited under GDPR to require customers to opt-in to marketing email in order to continue to receive the goods and services they contract with you.

You can provide incentives to your customers to opt-in to your marketing email lists, but you cannot require it as a condition.

In summary, if you want to be able to send any marketing materials other than transactional email, you need users’ explicit agreement. The focus of GDPR is on opting-in, unlike the loose CAN-Spam requirements in the US and Canada, which emphasizes users’ right to opt-out.

10 GDPR tips for business and website owners:

1) Every business is different and will therefore require different modifications to support the new GDPR regulations. Think carefully about all the ways you are collecting information. Even if you’re not selling directly on your site, even if you don’t have opt-in newsletter subscription forms on your website, in all likelihood, your site is still collecting the IP address of all its visitors, which is classified as personal information under GDPR. So yes, even “postcard-type” websites require some level of GDPR modification.

2) Every business needs to review and update its Terms of Service, Privacy Policy and other related documents to make sure they are GDPR compliant. Don’t have these documents in place? It’s time to create them.

3) Regarding your cookie policy, simple “implied consent” is no longer allowed. Instead, after May 25, 2018, visitors must actively opt-in to your cookie policy. That notification must link to your published cookie policy. Google Analytics has its own cookie policy, so if the only information you are collecting from your visitors is their IP address for the purpose of feeding Google Analytics, then just link to Google’s cookie policy.

4) Make sure that employees who have access to your visitors’ data sign a non-disclosure agreement and confidentiality agreement, and that they are aware of the obligations of GDPR.

5) Consider your partners and whether your users’ and visitors’ information is shared with any 3rd party service providers you exchange data with. For example, do you use a Gravatar plugin on your site that allows you to pull custom avatars which are uploaded through Gravatar? In this example, you’re sending Gravatar your users’ emails, and Gravatar is checking whether that user is registered with Gravatar before they send the user’s avatar back to your website. It is your obligation to make sure your partners are also GDPR compliant!

6) CYA with an SSL certificate.

7) Make sure your ESP (email service provider) has a GDPR policy.

8) If you have chat enabled on your website, make sure your chat provider’s policies are GDPR compliant. Be sure to reference their policy on your policy.

9) Update your webforms to remove pre-ticked boxes, especially for Terms and Conditions. The visitor who fills the form must voluntarily be able to check or uncheck acceptance of your T & C.

10) If you take payments on your website, make sure you link through to your payment gateway’s policies.

What if someone hacks your website? What about cases of security breaches?

If your website is hacked, it doesn’t necessarily mean that you have to inform all your customers. Only when there is direct evidence that a hack has negatively affected the personal information of your users do you need to be concerned and alert your customers about a data breach. If a data breach has occurred, business and site owners are required to notify their users and the authorities within 72 hours. In every member state, there is a different Authority responsible for data breaches that must be contacted. Every company needs to implement and maintain a data security breach procedure. This includes the requirement to inform your web host in the case of a known data breach.

Penalties for GDPR Breaches

GDPReu.org has defined 2 infringement levels, the lowest of which constitutes up to €10 million, or 2% of your annual revenue of the prior fiscal year, whichever is higher. Worst case scenarios, penalties can be up to 4% or €20 million of a company’s annual revenue, whichever is higher.

What WordPress plugins help manage GDPR compliance?

Here are 4 WordPress plugins that may help you with GDPR compliance:
GDPR: https://wordpress.org/plugins/gdpr/
WPGDPR Compliance: https://wordpress.org/plugins/wp-gdpr-compliance/
WP Legal Pages: https://wordpress.org/plugins/wplegalpages/
Cookiebot: https://wordpress.org/plugins/cookiebot/

What’s the Lazy Man’s Way to GDPR Compliance?

If you own a website or business that only serves customers in the US or Canada, then instead of making all the aforementioned changes on your site,  you might find it easier just to restrict all visitors from all IPs in EU countries if you don’t need website traffic coming from those EU countries. To see what percentage of your web traffic comes from EU countries, simply create a segment in your Google Analytics account for EU and non-EU visitors. The easiest way to block traffic from EU visitors is at the webserver level, directly through your host. You can also manually enter IP address ranges by country into your .htaccess file. Regardless how you block these countries, make sure you whitelist your host if they have support offices located in the EU.

What Countries are Protected Under GDPR?

Austria France Netherlands
Belgium Germany Poland
Bulgaria Greece Portugal
Croatia Hungary Romania
Republic of Cyprus Ireland Slovakia
Czech Republic Italy Slovenia
Denmark Latvia Spain
Estonia Lithuania Sweden
Finland Luxembourg United Kingdom
Malta