(The following is adapted from a recent newsletter that I sent out via the ‘Milani Five-0.’)
I wish this were a fun post. Lots has been happening, and according to the Farmers’ Almanac, Sunday was the time to plant, and our garden is booming. I wish I were using this email to talk about the big changes in our yard after getting inspired by our trip to Mendocino (where I taught a workshop). But alas, this is all about the big EU data protection regulation: what you need to know about it, and what actions you may need to take. Let’s ‘dig’ in.
GDPR (General Data Protection Regulation) — What is it & what does it mean for you?
If you’ve seen the flood of emails about it, you might be concerned, or more likely confused. The European Union’s new data regulation goes into effect May 25th, 2018. Even though this regulation is EU-based, it has worldwide impact, because your website(s) are likely reachable globally.
In short, GDPR’s purpose is to give people more power to protect their personal data, and it requires businesses that collect that data — whether it be names, addresses, email addresses, phone numbers, IP addresses, etc. — to be more transparent about when and how it’s used.
Here is what you need to do:
- Tell people who you are when you collect any data,
- Get clear consent to process their data,
- Allow people to access their data,
- Inform people of data breaches,
- Give people the right to be forgotten,
- Give people the option to opt out of direct marketing that uses their data,
- If you use “profiling” to process applications, there are a number of new rules,
- Use extra safeguards for sensitive info like health, race and more.
There are a few more nuances to the new regulation, like transferring data between compliant and non-compliant countries. Overall, I think this is a positive thing for protecting people’s data, and it was inevitable.
What should you do?
Well, that part depends on your situation. You may need to bring it to your legal team if you operate internationally or have a lot of moving parts. You should probably review this wonderful infographic/website to get familiar with how it might affect your business (http://ec.europa.eu/justice/smedataprotect/index_en.htm). If you use WordPress, there is a team of core developers working together to help plugin developers quickly get up to code. You can read more over there as well (https://www.gdprwp.com/). Whatever system you use to collect information will likely have a blog or page on its website dedicated to helping you with the transition, like this Gravity Forms page for that WordPress plugin (https://docs.gravityforms.com/wordpress-gravity-forms-and-gdpr-compliance/). Your websites/clients will need to evaluate the process for data collection, how you make that data accessible on demand, and update your Terms of Use.
Case Study: ryanmilani.com
Again, every situation is going to be different, but I’ll share what I did for my website, which took less than one hour. First, I updated my privacy policy to be more explicit regarding the points above. I then added a checkbox to all my contact forms letting visitors opt in to having their information stored and to being contacted; I also link to my privacy policy there. Now, I don’t do any remarketing for my website, so I’m not implementing an opt-in for cookies. Just to be safe, I also went ahead and turned off all Advertising features in Google Analytics (I don’t use them, but if I did, I would make sure my privacy policy is up to date in accordance with which advertising features I use and what data I collect, and I would use a cookie opt-in). Finally, I went to Google Analytics>>Admin>>Tracking Info>>Data Retention and clicked Save (in accordance with the new Google Analytics policy).
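As an added illustration (not code from the original post, and not Gravity Forms’ own code), here is what the opt-in checkbox above amounts to on the server side, in Python: the submission is rejected unless the box was affirmatively ticked, the consent is recorded with a timestamp and the policy version it was given under, and the same record can be exported or erased on request. The form field names, the policy version string and the in-memory store are assumptions.

```python
import json
from datetime import datetime, timezone

# Assumed version string of the privacy policy the checkbox links to;
# bump it whenever the policy text changes so old consents can be told apart.
POLICY_VERSION = "2018-05-24"

# In-memory stand-in for the database table a real form plugin would use.
CONTACTS: dict = {}


def handle_contact_submission(form: dict, policy_version: str = POLICY_VERSION) -> dict:
    """Accept a contact-form POST only with an affirmative opt-in.

    The HTML checkbox is rendered WITHOUT a `checked` attribute, e.g.
    <input type="checkbox" name="consent" value="on">, so an unticked box is
    simply absent from the POST body. Only the literal "on" counts as consent;
    a missing field, an empty string or any other default is rejected.
    """
    if form.get("consent") != "on":
        raise ValueError("submission rejected: no explicit consent to store data")
    email = form["email"].strip().lower()
    record = {
        "name": form["name"],
        "email": email,
        "message": form["message"],
        # Consent metadata: what was agreed to, when, and under which policy text.
        "consent": {
            "purpose": "respond to enquiry",
            "policy_version": policy_version,
            "timestamp": datetime.now(timezone.utc).isoformat(),
        },
    }
    CONTACTS[email] = record
    return record


def export_personal_data(email: str) -> str:
    """Right of access: return everything held about this person as JSON."""
    record = CONTACTS.get(email.strip().lower())
    return json.dumps(record, indent=2) if record else "{}"


def erase_personal_data(email: str) -> bool:
    """Right to be forgotten: delete the record; report whether one existed."""
    return CONTACTS.pop(email.strip().lower(), None) is not None
```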
Conclusion
Ultimately, you should audit your own data collection process and look for ways to comply as soon as possible. Note that many plugins and third-party platforms have released statements on how they are complying. A simple search for “(company/platform) + GDPR” will give you information on what you need to be aware of.
Good luck and let me know if I can support!