Does My Website Need to Be GDPR Compliant?
In 2018, the European Union introduced a series of data protection reforms known as the General Data Protection Regulation (GDPR). Essentially, the GDPR has replaced all the various data protection laws with a single set of rules that apply across all EU countries. Many companies have had to change their policies to comply with the GDPR, however, despite the transition period, there is still a lot of confusion regarding the new rules.
So what is the GDPR and how can you ensure your business is compliant?
In this article, you will learn how to comply with the GDPR without having to read the dry legal text of the regulation itself. We’ll help you understand what the GDPR is and tell you what steps you need to take to make your site compliant.
What Is GDPR?
The GDPR is a European Union data protection regulation designed to protect the privacy of EU citizens online. It governs how personal data is used and what types of data websites may collect about their visitors. Although the GDPR is an EU regulation, it applies to all websites accessed by EU users. As a result, websites and businesses must either comply with the GDPR or block EU traffic.
With that in mind, here are the key aspects of the GDPR that could impact your business:
Your site must clearly inform visitors that their personal data is being collected, and disclose how and why it is collected and stored.
If users ask you to delete the personal information you have collected, in most cases you must comply with the request.
Users can also request a copy of any personal information you hold about them.
If one of the main activities of your business is the collection and storage of personal data, you need to appoint a data protection officer.
If your website is hacked and your users’ personal information is leaked, you have 72 hours to report the breach.
GDPR violations can result in fines of up to €20M (~$24M) or 4% of your company’s annual turnover.
The main goal of the GDPR is to protect people and their personal information from data breaches. Now the question is, what types of data are covered by the GDPR?
Data types regulated by the GDPR
Whether you built your website from scratch or use a WordPress theme, it collects various types of data. Websites gather information in many ways, including through analytics, WordPress forms, subscription forms, contact forms, and email marketing campaigns.
In short, all personal data is subject to the GDPR, but we can divide it into the following types:
Genetic and health information.
Biometric data.
Political and/or religious views.
Race and ethnicity.
Web data such as IP addresses and cookie data.
As long as your business holds any of the aforementioned EU citizen data, your site must be GDPR compliant. Remember that this applies even if you do not have a presence within the borders of the European Union.
Steps Required to Be GDPR Compliant
When you read about your responsibilities as a website owner, you may feel overwhelmed and decide that it’s easier to block all incoming traffic from the EU. Don’t let the GDPR discourage you. Below are the main steps you need to take to comply with the GDPR.
1. Improve your privacy policy
Be transparent when collecting, storing, and sharing data. Your website should include a detailed privacy policy that clearly explains data collection practices, data protection, use of cookies, and data sharing. A good privacy policy should include at least the following:
You do not sell your users’ personal data.
You do not share personal data unless required to do so by law.
The types of data you collect.
Why you collect data and how you use it.
How you protect user data.
How your plugins collect and use data.
Be as clear as possible using simple language that leaves no room for interpretation and you will have a clear and transparent privacy policy.
2. Create a cookie notice
According to the GDPR, cookies are considered personal data, so user consent must be requested before setting them. Place an explicit cookie notice on your website and make sure visitors can still use the site even if they do not consent. Your users should also be able to withdraw their consent at any time.
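The consent gate described above, as an added example (not code from the original article): non-essential cookies stay off until the visitor explicitly opts in, the site keeps working without them, and withdrawal purges what was set. The cookie names and the in-memory store are assumptions; in a browser the store would wrap document.cookie.

```javascript
// Added example (not from the original article). Names below are assumptions.
const CONSENT_COOKIE = 'cookie_consent';                  // assumed consent flag name
const ESSENTIAL = new Set(['session_id', 'csrf_token']);  // assumed strictly necessary cookies

// Minimal cookie jar so the gate runs outside a browser (stand-in for document.cookie).
function createMemoryStore() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    get: (name) => jar.get(name),
    remove: (name) => { jar.delete(name); },
    names: () => [...jar.keys()],
  };
}

function createConsentGate(store) {
  // Consent is never assumed: a missing flag means "not given".
  const hasConsent = () => store.get(CONSENT_COOKIE) === 'granted';

  return {
    hasConsent,
    // Strictly necessary cookies are always allowed; everything else waits for consent.
    setCookie(name, value) {
      if (ESSENTIAL.has(name) || hasConsent()) {
        store.set(name, value);
        return true;
      }
      return false; // dropped; the page keeps working without it
    },
    grant() { store.set(CONSENT_COOKIE, 'granted'); },
    // Withdrawal must be as easy as granting: flip the flag and delete what was set.
    withdraw() {
      store.set(CONSENT_COOKIE, 'denied');
      for (const name of store.names()) {
        if (!ESSENTIAL.has(name) && name !== CONSENT_COOKIE) store.remove(name);
      }
    },
  };
}
```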
3. Display notifications in all website forms
Collecting some user data through submission forms is standard practice. If you want to keep collecting email addresses and other information, add a data collection notice to the form, and do not collect any data before that point or without the user’s confirmation. Otherwise, your business may be fined for violating the GDPR.
Use clear language and give all the important details about the data collection. Avoid pre-checked checkboxes: the user must understand that providing data is optional and requires their consent.
4. Ensure that all plugins comply with the GDPR
If you are using third-party data collection plugins such as Google Analytics, you will need to anonymize the data. This can be tricky to do manually, but you can find GDPR-compliant plugins to handle the process for you. Just find a tool with GDPR compliance settings.
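The anonymization step above, as an added example (not code from the original article or any analytics vendor): server-side IP truncation of the kind analytics tools apply when their "anonymize IP" option is on. IPv4 keeps the first three octets; IPv6 keeps the first 48 bits (three groups), which is still enough for country-level statistics. Embedded IPv4-in-IPv6 forms are rejected as invalid here.

```javascript
// Added example (not from the original article).
function anonymizeIPv4(ip) {
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  octets[3] = '0'; // drop the host part
  return octets.join('.');
}

// Expand "::" shorthand so every address has exactly eight 16-bit groups.
function expandIPv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const left = parts[0] ? parts[0].split(':') : [];
  const right = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = parts.length === 2 ? 8 - left.length - right.length : 0;
  const groups = [...left, ...new Array(Math.max(missing, 0)).fill('0'), ...right];
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  return groups.map((g) => g.toLowerCase().padStart(4, '0'));
}

function anonymizeIPv6(ip) {
  const groups = expandIPv6(ip);
  for (let i = 3; i < 8; i += 1) groups[i] = '0000'; // zero the last 80 bits
  return groups.join(':');
}

// Truncate before the address reaches any log or analytics backend.
function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}
```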
5. Use dual subscription (double opt-in)
The GDPR does not make dual subscription (double opt-in) mandatory, but it is highly recommended. Dual subscription means you ask the user twice to confirm that they consent to the collection of their data. This is especially important for mailing list sign-ups.
To add a dual subscription, you must first request consent through the subscription form on the website. The user must then consent a second time by clicking on the link received in the email.
Using a dual subscription shows that you are committed to data protection and privacy, and gives authorities additional proof that your site is GDPR compliant.
6. Add unsubscribe links
Include easy-to-read unsubscribe links in every message you send to your subscribers. Unsubscribing from a mailing list should be easy and instant.
7. Deletion of personal data on request
The GDPR gives users the right to be forgotten. This means that they can request the deletion of their data at any time. Always do as asked. This includes removing your users from mailing lists, deleting their accounts, and destroying any personal information you have about them. Even blog posts and forum comments are considered personal data and should be deleted upon request.
8. Don’t buy mailing lists
Buying mailing lists is not recommended as you may violate the GDPR. In most cases, you cannot be sure that these email addresses were collected with users’ consent.
That said, if you are still determined to buy a mailing list, make sure you at least include an unsubscribe link in every email you send.
Being GDPR Compliant Is Worth It
Open your website and business to EU citizens by following all the steps above. Compliance with the GDPR may seem daunting at first, but it’s not that difficult. This mainly involves transparency in the collection of data and the request for consent. As a bonus, non-EU users will see that your company cares about privacy and data protection and are more likely to trust you.