Disclaimer: We are not lawyers and this is not legal advice. We have tried to make it as accurate as possible and as easy as possible for you to understand. But if you need definitive legal advice for your business, you have to hire an attorney.
GDPR stands for General Data Protection Regulation. It is one of the biggest changes in the history of privacy law. GDPR will be enforced from May 25, 2018 across the EU. If your app, service or website processes personal data of people in the EU, you have to comply with GDPR regardless of where your business is based, or face the fines defined in the law.
So there is no need to panic. It is not as scary as everyone makes it sound. Let’s look at why, and at how to make your app, service or site GDPR compliant.
What is GDPR?
GDPR is the new framework for data protection law, replacing the 1995 Data Protection Directive (95/46/EC). I think that GDPR is awesome and every country should adopt it.
But wait, why is everyone so worried about this regulation?
They should not worry too much. The regulation applies to every organisation that processes personal data of people in the EU, whatever its size, but its obligations scale with the scope and risk of the processing. The heaviest requirements were written with companies like Facebook, Google and LinkedIn in mind, which collect huge amounts of personally identifiable information and process it on their servers. A small site that collects a name and an email address has far less to do, but it is not exempt.
It also says that if you have collected user data and no longer need it for the purpose you collected it for, you should delete it from your storage (the storage limitation principle).
Why is GDPR Necessary?
Probably you have heard about the infamous Facebook Cambridge Analytica data scandal. If yes, then you might also know that personal data of about 87 million Facebook users was harvested through a third-party quiz app, including data of friends of the people who installed it, and was used by a political consultancy for voter profiling and targeting without the users’ knowledge. You may not find it dangerous, but in reality this is horrifying.
Here are the important advantages that GDPR has to offer:
- Greater Consumer Confidence in your Brand
- Improved Security of Data
- Reduced Maintenance Cost of Data
If you can think of any more advantages of GDPR, let me know in the comments below!
Seriousness of GDPR
Webmasters have until 25 May 2018 to comply with the new regulation. The penalty for non-compliance can be up to 20 million euros or up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher (a lower tier of 10 million euros or 2% applies to less serious infringements). The amount of the penalty depends on the seriousness of the breach.
But setting a penalty this high makes one thing clear: the EU is not messing around, they are serious about this. So it’s time for every online business with users in Europe to comply.
Important Points that GDPR Mentions
There are lots of points that could be discussed here, but I would like to keep it short. You can find all the details on the official site.
You should incorporate the following into your business model:
Consent
Where you rely on consent to process data, it has to be a clear, affirmative action by the user. The consent checkbox must not be marked, ticked or accepted by default, and it must not be bundled with unrelated terms. Consent is also purpose-specific: if you use email marketing, you may only email people about what they actually signed up for. This means no more merging of email lists, no emailing addresses collected for another purpose, and no sending to an address you have not verified belongs to the person who entered it.
Data Processing & Storage
You have to tell users how the data they submit will be processed by you, and how and for how long it will be stored on your servers. In other words, your privacy notice has to mention everything you will do with the data your users submit, and on what legal basis.
Right to Access
Users can ask what personal data you hold about them and get a copy of it, normally free of charge, and you have to respond within one month (extendable by two further months for complex requests). Along with that, the user can also ask you to correct any inaccurate data they submitted earlier with a simple request (strictly this is the right to rectification, which sits alongside the right of access).
Right to be Forgotten
The user now has the right to have any or all of the data you collected and stored about them deleted on request. After such a request you have to delete the data from your servers and, as they rotate, from your backups as well; document how long that takes and say so to the user. The right is not absolute: data you are legally obliged to keep, such as invoices retained under tax law, can be kept for that purpose only, and you should tell the user which records you kept and why.
Data Breach Notification
If your business or organisation suffers a personal data breach, you have to notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. If the breach is likely to result in a high risk to them (leaked passwords or payment details, for example), you also have to tell the affected users without undue delay. That means the users whose data was actually involved, so knowing exactly which data you hold on whom matters here too.
Who Needs to Comply with GDPR?
As I mentioned earlier in the article, if your organisation or business collects personal data from users in any way, you have to comply with GDPR. In short, if your organisation does any of the following, you need to comply:
- User Registration
- Email Subscription
- Customer Chat
- Collection of data through any third-party service
- Contact Forms
- Orders and Sales
There are several other activities but these are the common ones.
Note: Where consent is your legal basis, the checkbox must be unchecked by default, in every case. Consent is only one of the lawful bases, though: processing that is necessary to fulfil an order (the shipping address for a purchase, for example) does not need a separate consent box, but still has to be described in your privacy notice.
Comment Systems
If you use any type of commenting system on your website, you are asking users for at least their name and email address, and many systems, WordPress included, also store the commenter’s IP address. As with other online forms, state everything you will do with that data next to the consent checkbox. If you use a third-party comment system, or pass this data to any third party, mention that as well.
Forums
If you provide any kind of forum or discussion platform, ask users for consent to store all their activity on the forum, including messages and IP addresses, and mention any third-party sharing if applicable.
Chat & Chatbots
If you use any type of chat, chat service, chat plugin or chatbot on your website, ask for consent to store the conversation before the chat begins, and say whether the chat provider is a third party that receives the transcript.
If I have forgotten any important point here, let me know ASAP so that others can benefit from this post.
How to be GDPR Compliant
Although I have discussed most of the common things you need to know about GDPR, here is a step-by-step process to make your website, business or organisation GDPR compliant:
- List all the personal data you collect, every third-party service you pass it to, and what you share with each of them.
- Also, don’t forget to mention any third-party services you use, such as push notification services (like OneSignal), advertising networks (Google AdSense, Media.net etc.), heatmap services (like Hotjar) or anything similar; each of them receives visitor data from your pages.
- For all the data you store, state how you store it, how long you keep it and how you process it.
- Create a dedicated page from which users can request and download the data your website holds about them. If you are unable to build that, create a form through which users can request their data, and make sure requests are answered within a month.
- Serve the site over HTTPS. GDPR does not name TLS specifically, but Article 32 requires appropriate technical measures and lists encryption as an example, so sending form data in the clear is hard to defend. If you don’t want to spend money on a certificate, you can get one for free from Let’s Encrypt.
- Similarly, provide a way for users to request erasure of their data, and make sure the request reaches every place the data lives: your database, your analytics, and the third parties you shared it with.
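The data access and erasure steps above, worked through as an added example that is not part of the original post; the table names, sample rows and the ten-year invoice retention rule are assumptions made for the example. It builds the bundle a "download my data" page would return and, on erasure, deletes every row linked to the person except those under a documented retention ground, which it freezes and dates instead, returning a receipt that says what was deleted, what was kept and why, and which third parties have to be told.

```javascript
// Added example, not code from the original post: the backend of a "my data"
// page that exports everything a site holds about one person and erases it on
// request, keeping only records you are legally obliged to retain. Table names,
// the sample rows and the 10-year retention rule are assumptions for this example.

// Constructed sample data standing in for the site's database tables.
const db = {
  users: [
    { id: 1, email: "alice@example.com", name: "Alice", last_login_ip: "203.0.113.7" },
    { id: 2, email: "bob@example.com", name: "Bob", last_login_ip: "198.51.100.9" },
  ],
  comments: [
    { id: 10, user_id: 1, body: "Great post", ip: "203.0.113.7" },
    { id: 11, user_id: 2, body: "Thanks", ip: "198.51.100.9" },
  ],
  chat_logs: [{ id: 100, user_id: 1, transcript: "Hi, where is my order?" }],
  invoices: [{ id: 500, user_id: 1, amount_eur: 49.0, issued: "2018-03-01", billing_name: "Alice" }],
  // Which third parties received this person's data, so the export can say so.
  third_party_shares: [{ user_id: 1, recipient: "newsletter-provider", fields: ["email", "name"] }],
};

// Tables whose rows must be kept despite an erasure request (Article 17(3)(b)),
// with the ground and retention period. Assumed here: invoices, 10 years.
const RETENTION_RULES = { invoices: { ground: "tax law retention (assumed)", years: 10 } };

function findUser(email) {
  const addr = email.trim().toLowerCase();
  return db.users.find((u) => u.email === addr) || null;
}

// Right of access (Article 15) and portability (Article 20): gather every row
// linked to the user into one machine-readable bundle. Returns null if unknown.
function exportUserData(email) {
  const user = findUser(email);
  if (!user) return null;
  const bundle = { user: { ...user } };
  for (const table of Object.keys(db)) {
    if (table === "users") continue;
    bundle[table] = db[table].filter((row) => row.user_id === user.id);
  }
  return bundle;
}

// Right to erasure (Article 17): delete every row linked to the user, except
// rows under a retention rule, which are kept, frozen for that purpose only and
// given an expiry date. Returns a receipt listing what was deleted, what was
// kept and why, and whom to notify; that is what you send back to the user.
function eraseUserData(email, now = new Date()) {
  const user = findUser(email);
  if (!user) return null;
  const receipt = { email: user.email, erased_at: now.toISOString(), deleted: {}, retained: {} };
  // Article 19: recipients you shared the data with must be told about the
  // erasure, so collect them before their share records are deleted.
  receipt.notify_recipients = db.third_party_shares
    .filter((s) => s.user_id === user.id)
    .map((s) => s.recipient);
  for (const table of Object.keys(db)) {
    if (table === "users") continue;
    const mine = db[table].filter((row) => row.user_id === user.id);
    if (mine.length === 0) continue;
    const rule = RETENTION_RULES[table];
    if (rule) {
      const until = new Date(now);
      until.setUTCFullYear(until.getUTCFullYear() + rule.years);
      for (const row of mine) {
        row.processing_restricted = true; // keep only, no further use
        row.retained_until = until.toISOString(); // delete once this passes
      }
      receipt.retained[table] = { count: mine.length, ground: rule.ground, until: until.toISOString() };
    } else {
      db[table] = db[table].filter((row) => row.user_id !== user.id);
      receipt.deleted[table] = mine.length;
    }
  }
  // The account row itself goes last, once every dependent table is handled.
  db.users = db.users.filter((u) => u.id !== user.id);
  receipt.deleted.users = 1;
  return receipt;
}
```

Walking every table by a single `user_id` link is what makes both rights tractable: a new plugin or feature that stores personal data without that link is invisible to export and erasure, which is the practical reason to audit where each plugin writes. The receipt is also where you state your backup retention window; erased rows survive in backups until those rotate, and the honest position is to say so rather than to promise instant deletion.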
Showing Cookie Consent
Notifying Users about the Update
Tips for WordPress Users
Tip: Use plugins like Ultimate GDPR Compliance Toolkit for WordPress, developed by the createIT team, to make it easier for WordPress users to become GDPR compliant. You can get more details from their official plugin website.
As most bloggers, like me, rely on WordPress, there are a few small things you need to take care of along with the ones I mentioned earlier:
Make sure that all of the plugins, themes and services you use comply with GDPR. If they don’t, you can be in trouble, because everything you use must provide a way to extract a specific user’s information and to delete it on request. A plugin that stores visitor data in its own tables with no export or delete function is your problem, not the plugin author’s, since you are the one responsible for the data.
Add a consent checkbox, unchecked by default, to all contact forms, email subscription forms and even the comment form.
GDPR is a complex regulation that can take a while to understand, and complying with it may cost time and money. But for what it has to offer, I think it is worth it.
So what do you think about GDPR? Let me know in the comment section below.