New GDPR law and what it means for website owners

The European Union has a new privacy law, the GDPR, which goes into effect in May 2018, and unlike previous laws, these are extra-territorial. That means the new privacy law applies to countries outside of the EU. We’ve put together a breakdown of what it means for you as a website owner.

Disclaimer: I’m not a lawyer, none of the following can be considered to be legal advice.

What is the GDPR privacy law?

Previously, each of the EU countries has had their own privacy laws and it’s been a complete mess. The goal of the new GDPR (or General Data Protection Regulation) has been to unify the laws and provide EU citizens better control over their personal data online.

Some key definitions of the new law:

Data Subject: an EU citizen whose personal data you collected
Data Controller: the business or individual that owns the website
Personal Data: name, address, online id, health info, demographic info, income info, etc. Basically, anything that could personally identify them.
Data Processor / 3rd Party Processor: anyone that you give data to (ie: web developer, virtual assistant, web host, marketing company, email newsletter provider, analytics provider, web advertising platform, any service connected to your website, plugins installed on your site, etc)
Data Transfer Outside of EU: only a few countries are authorized to receive personal data from the EU. For example, if you have a Canadian SEO company doing work on your site that is legal. However, if they offshore development to India, then you just broke the rules. Because while it is legal to transfer data to Canada, it’s NOT legal to transfer it to India (at least as of the writing of this article, that may change in the future). Click here for a list of countries you can transfer data to.

My website is outside of the European Union, does this really matter?

The new law is specific in that it applies to any website that gets information about an EU citizen. So if your website could be visited by an EU citizen (remember, plenty of people have dual citizenship, which means they not live in the EU or access your website from an EU IP address), then it applies.

As far as the legal reach goes, if your country has friendly ties to a country in the EU, then yes, the new rules probably have the power of enforcement.

As far as how likely the new law is to directly affect you, that depends.

If you have a small website with very few or no official customers in the EU, then the GDPR enforcement team is probably only going to bother you if they get a complaint against you. This is very similar to ADA accessibility, small websites will only be visited about this if there are complaints.

On the other hand, if you have a large website with a lot of customers in the EU, then you need to take this GDPR law very seriously.

Regardless of whether you are likely to be affected, there are still some measures you should take.

What’s the possible penalty for not obeying the GDPR?

Basically, if you don’t follow the new law and you get caught and you’re in a country with friendly ties to the EU, you could be in legal & financial trouble.

The basic structure if you violate the GDPR looks like this:

First, you’re given a warning and a limited amount of time to get in line with the law.
Second, you’re given a reprimand.
Third, depending on your jurisdiction, you may have to suspend processing of data about EU citizens. This one will depend on your country and exactly what agreements your country has with the EU.
Fourth, fines. Up to 4% of your global annual turnover, or up to €20
million.

Generally, these types of laws have pretty predictable enforcement. Typically, they go after large websites that process a lot of personal data and websites that get complaints lodged against them. Even if you are a small little website, if people lodge complaints against you, the authorities will come knocking.

Key points of the new GDPR law

Use plain language

The new GDPR explicitly says that you must use plain language, not a giant pile of legalese. You must tell data subjects who you are when you request the data. You must also say why you are processing their data, how long it will be stored and who receives it.

Consent must be explicitly given

In the past, simply having a privacy policy and a link to it on every page was enough. It was implicit that if someone was on your site they were agreeing to your policy.

Now, if you are collecting NON-personally identifiable information (say aggregate info for overall analytics) then you are fine with implicit consent. However, if you are going to collect personally identifiable information (name, email, phone, etc), then you must have explicit consent.

Explicit consent means that a checkbox for “I accept the terms” must be UNchecked by default and the visitor to your website must voluntarily click that box. You must also make it clear when people voluntarily submit data what that will be used for. They don’t expect your entire privacy policy to be in your contact form. However, within your form should be the link to the privacy policy and some text stating that by submitting the form you are agreeing to the policy.

Notification of data breaches

You must notify data subjects of a data breach within 72 hours of you becoming aware of it. Data processors must notify data controllers of a breach “without undue delay”.

Some examples of data breaches:

You hired someone in India to do work on your website. Your website logged your contact forms, and therefore this person in a non-GDPR compliant country had access.
You gave your mailing list to a new marketing company to do marketing on your behalf. Your privacy policy had not previously stated that you would do this such action, so since this is a change in how personal data is handled, you must notify data subjects.
Your website was hacked.

Since you are required to notify about data breaches, that actually creates a legal obligation to have security monitoring on your website.

Right to access their data

Upon request, and at no charge, you must provide a data subject a copy of the personal data you have stored about them. You must also provide them with what data is processed, where that data is processed, by whom, and for what purpose.

The basic steps for data access are:

verify they are who they say they are (otherwise you would be committing a data breach)
make sure you have their data, if you don’t, just tell them you don’t have data on them
don’t create extra data while processing their request
record the request in an audit log
do it within 20 days

Right to be forgotten

Basically, people have the right to leave your website and have you not store personally identifiable information about them. Provided, of course, that doesn’t violate any other laws.

Upon request, a data subject (aka EU citizen) can request that you delete the data you have collected about them. For example, if someone created an account with MailChimp and then decided to leave MailChimp. They have the right to ask Mailchimp to delete all data.

However, this is limited by other laws. For example, if you had paid Mailchimp for services, then Mailchimp is required by tax laws to maintain certain records. So in this case, Mailchimp would need to delete the data NOT related to tax purposes.

Right to take your data elsewhere

Basically, this is very similar to the right to access but extends it a little bit by saying that the data must be in a commonly used and machine-readable format.

So, taking a photo of some scribbled notes is not ok.

Most companies won’t have to deal much with this, but companies like MailChimp do. Since they have a lot of data, they provide an easy export to a CSV file.

Privacy by Design

Basically, only ask for data you actually need. If you don’t need the data, don’t ask for it, and then you can’t possibly do anything bad with data you don’t have.

Here’s an example:

You are a doctor’s office. You have quite detailed patient data because that’s needed to provide medical service. You want to share some data with a marketing company who will be doing some mailed flyers for you. This marketing company will need people’s names and addresses to send the flyers.

The marketing company also asks for demographic information for designing the flyer. You would need to give the marketing company only the info they need (name & address) and then aggregate info about your customers (both male & female, ages 18+). You couldn’t send them a big spreadsheet outlining people’s names, address, gender, and exact age.

Data protection officers may be required

If you process a lot of personal data then you’ll have to appoint a specific person to be in charge of the auditing and tracking of personal data and how you handle it. This person needs to report to the top tier of the company and will require specific training and certification. This person also needs to be an EU citizen.

A DPO, or data protection officer, only needs to appointed if you are a public authority or you engage in large-scale monitoring or processing. For example, ancestry.com has very personal information about a lot of people so they will need a DPO. My mom’s blog is small and doesn’t process a whole bunch of data, so she has no need for a DPO.

Steps to take before May 2018

Update your Privacy Policies

Website privacy policies, we generally set one up and then forget it. If you don’t have one, then now is the time to get one. If you already have one, now is the time to give it a good reading and make sure it’s up to date to reflect your current data practices and uses.

Remove any automatic opt-ins

If any of your forms have an automatically checked “I accept” box, you must make this box UNchecked.

Do a check on your stored information

Do a review of the information on your computers and paper documents.

Did a customer leave you years ago and you still have data about them that you don’t need? If so, delete it. If you need to keep some info for tax or other legal purposes, keep only the data you need.

Figure out what 3rd party services you actually have and if they are compliant

Take an inventory of your third-party services. Make sure that these services either are compliant or have a reasonable plan to become compliant. Some common ones:

Email newsletters
Analytics
Email contact forms
Web hosting companies
Email providers
File hosting (like Dropbox, Google Docs, etc)
Payment processors
Accounting software
Time tracking software
Project management software
Chat, calling, video etc software
CRMs

Figure out what 3rd party providers you have and if they are compliant

Contact your current and past providers and make sure they don’t have any information they don’t need. Also, make sure they have very strict outsourcing/subcontracting policies.

Remember, data should only be transmitted to countries on the approved list! That includes both subcontracting and if they plan to travel. Remember, data isn’t supposed to go to non-approved countries. So don’t access personal data while you travel.

SEO companies (most contract out work)
Marketing companies (most contract out work)
Web developers (some contract out work)
Designers (some contract out work)
Anyone else who has access to your website (remember: if someone has access to your computer, and you’re logged in to your website, they can access the data, this may include your babysitter)

Collect only the information you actually need

You can’t mishandle data you don’t have. So if you don’t need it, delete it. Also, update your forms to make sure you only collect what you need.

Have a plan in place in the event of a data breach

Hope for the best, prepare for the worst. It’s a good motto.

Also, it’s a great time to get your website secured and monitored. We’re in the US and have a policy to not outsource any work outside the US, and have very reasonably priced website security packages and website maintenance packages which include daily security checks of your website.

Have a plan in place for someone requesting their data/deletion of their data/transfer of their data

Now that you’ve gone through your data, you should have a pretty good idea of what data you have. Just make a plan for how to verify someone if they ask for their data and then send that data to them.

If you are using a mailing list service like MailChimp, check out that service’s info on how to make it easy for people to access & delete themselves.

Update your contracts & NDAs

Review your contracts to make sure they fall in line with the GDPR, also make sure that you have clear and specific policies on outsourcing any work. For example, pretty much anyone with a business has a CPA and an assistant.

If you need to update any of your contracts or NDAs, get it done before May 2018.