I think the ONLY thing that may have received more coverage in the news and on the web this year than GDPR Compliance, would be the wedding of the Duke & Duchess of Sussex (AKA Prince Harry & Megan Markle for anyone who’s maybe not so au fait with the altest updates with the British Peerage).
Here’s the thing though, I think a lot of, especially small business owners, are under the slightly misguided perception that like the Royal Wedding, they weren’t invited… so it doesn’t concern them. You couldn’t be more wrong!
Read on to figure out if and how your business and website may be affected by GDPR. Surf on or click away at your peril kind lady or good sir!
Oh and one more thing before I go any further… I’m not a lawyer and this isn’t legal advice. Of course, I do have a vested interest in your success and want to help as much as possible. But if you need definitive legal advice, please consult with a lawyer.
Who Exactly Is Ready for the GDPR Deadline?
GDPR or the General Data Protection Regulation becomes a fully enforceable law as of May 25th, 2018. According to recent surveys, about 60% of companies have admitted they will fail to comply with the deadline.
You’ve probably seen those pesky pop-ups or drop-down bars on many sites lately that require you to click to accept cookies, without which many websites would be rendered as useless as a top-down convertible in a snowstorm. Those would most likely be in the aforementioned 60%, although that’s a start to comprehending GDPR, it’s not nearly the whole ball of wax as they say.
What Exactly is GDPR & Why Should You Care?
GDPR is the EU’s latest but surely not last, attempt to give everyday web surfers control over the data collected, stored and used by the companies collecting it. As such, it’s a law that will affect anyone in the WORLD who has a website. Yes indeed, even those who don’t intentionally target the EU market.
Seriously, I wouldn’t blame you for wondering, how the heck can the EU courts pass a law, and hold someone operating a business out of the USA (or anywhere else in the world for that matter), accountable for the privacy of people in 28 EU countries (at least until Brexit is final) that are located halfway across the world? Welcome to the new age of the Internet my liege 🙂
Anyone and I do mean anyone, who has a website and even the most remote potential that someone inside the EU might land on or transact with any part of their website, would be wise and well advised, to give GDPR and complying with it their most serious attention.
GDPR & The Cost of Non-Compliance
Why would that be? Well, first and foremost the fines are bigger than the House of Windsor’s net worth. Okay so that’s a slight exaggeration, but the difference between your business’s bottom line and what they (with all the power and might of the EU courts behind them) are threatening to come after you for if you violate (even inadvertently), any EU Citizen’s right to privacy under their laws, is going to feel like a reverse lottery ticket – where you will pay them, pretty much a Kings ransom!
Second of all, they “The EU” have been quite vociferous in stating there is no leeway, for anyone. There will be no defence, no matter how small, or large, of a business you are, there is no defence they intend to accept, not location, ignorance of the law, assumption that what you have in place is sufficient to save you. They will come after you with all the might and determination of a Knight defending his Lady.
Maximum Fine for NonCompliance €20 MILLION that’s
(£17 MILLION OR $24 MILLION)
or 4% of your annual global sales (whichever is greater)
Even though this particular EU law DOES apply to every business, be you global-type-big or one-person-teeny-tiny, all around the world (not just in the EU) because the law is about protecting the EU Citizens rights to privacy. If there’s even the remotest possibility to have visitors from the EU viewing your website, then this law does indeed apply to you and the EU are absolutely serious about enforcing it.
Need Some Good News?
Here’s the good news, if you are found in non-compliance, there is a process before they levy the big fines: (probably not in these exact words because I’ve attempted to de-jargonate for you)
- Warning – your site is in violation of GDPR laws
- Reprimand – you are a naughty, naughty business owner, we warned you, now do something about this
- Suspension – Article 18 of GDPR allows data subjects (AKA any EU website visitor) to request suspension of processing click here to read more about article 18
- Fine – up to €20 MILLION, (£17 MILLION OR $24 MILLION) or 4% of your annual global sales (whichever is greater)
But just in case you were thinking GDPR only applies to financial transactions and therefore only your payment gateway processor needs to be concerned, not so. GDPR also (in fact primarily) applies to personal data of ALL EU Citizens and there are (as is to be expected from any law devised and crafted by the “Brains in Brussels” yes that’s a snarky UK-US-Transplant IMHO remark) a veritable maze of rules regarding that. Said rules and regs would make the maze at Hampton Court seem like a jaunt in the park in comparison.
Think the White House Has a Problem with Leaks?
Yes my dear entrepreneurs, whether you are Equifax or Ever-So-Tiny.com, you will have a mere 72 hours to report and respond to a data leak! Plus, you’re required to have introduced or updated your policies and protections relatively recently, AKA often. Your pre-new millennium policies and disclosures will not save you. Again, ignorance of the law and its requirements won’t wash like it often seems to do in Washington.
How to Respect the GDPR Right to Erasure Rules
No this isn’t a reference to the 90’s British pop duo, but I do believe it’s a nifty little segway. I’ve even put a YouTube video below in case you need a little memory jog, I swear you’ll recognize their hit “A Little Respect” as soon as you hear it.
Getting back to GDPR though, as far as that’s concerned, the right to erasure speaks to the “right of a data subject’s (translation “any individual”) right to be forgotten”. Actually, I know a number of people who absolutely qualify to be forgotten, although sadly, they have never requested such action be taken. Uh-oh as Britney would say…Oops I digressed again.
Right to erasure under the EU GDPR law means anyone can request that you remove all traces of them and their activity from your site and your servers. You must also identify and advise, any and all associated 3rd parties, to remove said data subject from their respective environments and further to confirm they have done so too. All within 30 days BTW.
Needless to say, a little respect is the very least you need to show for both GDPR & FTC Compliance, lest you will for sure regret your oversight and find yourself on the wrong end of a very powerful stick!.
What does that really mean for you and your website though? It means you have to look carefully at the plugins and other technology you use to add features and functions to your site to be sure they also comply with GDPR. So your contact forms, optin pages etc., any page, post, form, doodah and/or doohickey on your site that collects even a crumb of personal information, well they all need to be GDPR compliant too.
So here we are, once more at the proverbial bottom line. What can, should, yes even must, you do ASAP to CYA (cover your assets) against finding yourself, even unwittingly, in non-compliance with the EU’s GDPR laws?
Digiday has created an excellent guide to GDPR, in fact, it’s the only one I have found that comes close to putting it all into laymans language. You can download their guide here.
5 Secrets to Unleash the Opportunities in GDRP
- Analyze & Assess Privacy Data: GDPR is super specific about this. You are required to know what data is being collected, why it’s collected, how it’s processed and by whom. For e-commerce sites especially that might mean a full information audit, but for many a site, a plugin and security audit will put you a long way toward understanding your obligations under GDPR and at a minimum will help you create a plan and policies to put you in compliance lickety-split.
- Prepare Proper Policies & Procedures: By having a clearly defined set of policies and procedures in place, you are taking positive steps to comply. Should you ever find yourself on the wrong side of GDPR or US-FTC rules and regulations, it appears that having actively taken steps toward being compliant will be your best defense. I’m not saying it will save you, but it’s a small step in the right direction and GDPR may only be in the EU for now but ask Mark Zuckerberg, it’s coming our way and sooner than you think.
- Get Clear About Consent: Review all consent request points on your site. Rid your website world of any pre-checked boxes agreeing to, well anything. Require your visitors to click and tick the boxes themselves. Remember those optin forms and plugins – case in point Contact Form 7, the developer of this, the worlds most popular Contact Form plugin, stated as recently as April he doesn’t know if his plugin will be GDPR compliant in time. Get yourself a “properly compliant” Contact and Forms plugin, set yourself and your site up to be ready to handle consent requests and the dreaded Right to Erasure (or as I like to call them, Forget-Me-A-Lot) Requests. Again, click here to connect with us if you need help with any or all of this.
- Expect the Unexpected: So many websites are built like Swiss cheese when it comes to security in general, never mind the security and protection of visitor data. Let this be your warning to get your entire business house in legal and secure order. Audit all your security practices at every level and in every aspect of your business. Create an action plan and then apply it, systematically, thoroughly and repeatedly. These are elements of your business you need to revisit at least as often as you visit your dentist (assuming that’s a minimum of twice yearly).
GDPR: How to Make This a Win-Win-Win!
Rather than seeing GDPR as an onerous or challenging law to be adhered to reluctantly, why not approach it in the spirit of the NY Times best seller “The Gentle Art of Swedish Death Cleaning” by Margareta Magnusson and embrace it as an opportunity to powerfully demonstrate to your customers or clients how much you value and respect their right to privacy.
Put your money where your Policy is and get GDPR & US-FTC compliant, not because the EU or any other body of law tells you to, but because it’s the right thing to do.
So…now you know what to do and where to get help…
well, the rest… that’s up to you my friend.
Do you need help with getting your site GDPR & FTC Compliant?
Click here to Contact Us via email or Call + (757)-880-4793