As of May 2018, a new European Union (EU) regulation came into effect called the General Data Protection Regulation (GDPR). This regulation pertains to any company which processes the personally identifiable information (PII) of EU citizens. This data is not limited to sensitive PII such as social security numbers, and includes such basic information as name, phone number, and email address. It is also not limited by the size or physical location of the organization, or by the permanent or temporary residence of the EU citizen. Anyone who collects and stores PII for EU citizens is subject to this regulation. We advise anyone who has a website to review the regulation with their legal team to ensure that they are compliant.
GDPwhat? Big Picture
In a nutshell, the regulation adds protection for the PII of all EU citizens, regardless of their physical location or the location of the organization they are sharing their data with (website or otherwise). The regulation outlines what is protected and the requirements for data handling, and prescribes greater fines than in the past for non-compliance.
What to know about the GDPR
There is an abundance of resources available for the GDPR which we recommend reviewing, but the key items to keep in mind are the following:
- PII must be collected in a legal, fair, and transparent manner. It shouldn’t be used in any way that wouldn’t reasonably be expected, and furthermore it should always be clearly communicated to the user how the data will be used.
- PII must be kept up to date to ensure accuracy, and should not be retained for any longer than necessary to fulfill its intended purpose.
- PII must be accessible to EU citizens at any time in the form of a copy, and they have the right to edit, delete, or move their data at any time.
- PII must be stored in a secure manner.
How to ensure compliance with the GDPR
As mentioned above, GDPR compliance is ultimately a legal matter, and as such any organization working towards compliance should first and foremost work with their legal team to understand the regulation in full and how it applies to their particular handling of customers' PII. The following should therefore only act as general information to help you understand what steps might be required.
- The first step for any organization should be to perform a full audit of what customer data they currently collect and store, the purpose of each item, and whether customers are able to access, edit, and delete it.
- Review how consent has been obtained and documented for the storage and use of customer data. Consent should be stored alongside the customer data, and should be provided by the customer in an affirmative way (i.e. pre-checked boxes are no good here). In addition, the use of the information must be presented clearly to the customer when consent is granted.
- Privacy by design: All systems on your website should be built with customer privacy in mind, and specifically in consideration of the GDPR.
- You should establish a clear set of data breach procedures. In general, the GDPR requires organizations to report data breaches within 72 hours of detection.
- Make sure you are fully aware of any third-party providers who store or collect PII on your behalf. This includes mailing list services such as MailChimp and payment processors such as authorize.net. Communicate with these service providers to ensure that they are managing any PII stored for your customers appropriately.
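One way to model the obligations in the two lists above in code, as an added illustration that is not part of the original post and not any vendor's implementation: a hypothetical in-memory `PIIStore` that refuses to store a record without an affirmative opt-in, keeps the consent (purpose and timestamp) beside the customer's PII, and supports the access, rectification, erasure and retention-limit requirements. All class names, field names and the reference time `T0` are assumptions constructed for the example.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:
    purpose: str          # the use presented to the customer when consent was requested
    granted_at: datetime  # when the affirmative action (ticking an unchecked box) happened

@dataclass
class Customer:
    email: str
    name: str
    phone: str
    last_used: datetime                            # drives the retention limit
    consents: list = field(default_factory=list)   # consent is stored beside the PII

class PIIStore:
    """In-memory stand-in for a customer table (hypothetical, for illustration only)."""
    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self._rows = {}

    def collect(self, cust, purpose, opted_in, now):
        # No consent, no storage; opted_in must reflect an explicit user action, never a pre-checked default.
        if not opted_in:
            raise PermissionError(f"no affirmative consent for {purpose!r}")
        cust.consents.append(Consent(purpose, now))
        cust.last_used = now
        self._rows[cust.email] = cust

    def export(self, email):              # right of access / portability: a full copy
        return asdict(self._rows[email])

    def rectify(self, email, **fields):   # right to rectification, PII fields only
        for k, v in fields.items():
            if k not in ("name", "phone"):
                raise ValueError(f"{k!r} is not an editable field")
            setattr(self._rows[email], k, v)

    def erase(self, email):               # right to erasure; True if something was removed
        return self._rows.pop(email, None) is not None

    def purge_expired(self, now):         # retain PII no longer than its purpose needs
        stale = [e for e, r in self._rows.items() if now - r.last_used > self.retention]
        for e in stale:
            del self._rows[e]
        return stale

T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed reference time (GDPR start)
DAY = timedelta(days=1)
```

A real deployment would back this with your database and log each consent and erasure event, but the shape of the record and the refusal on a missing opt-in are the parts that map directly onto the audit and consent steps above.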
We’re a small US-based company who only does business locally. Why worry?
We often have clients who feel they are exempt from the privacy considerations covered by the GDPR on the basis of one of the following excuses:
- We only have 5 employees. It doesn’t matter what size the organization is – the GDPR applies to anyone who handles the PII of EU citizens.
- We’re a US-based company. As stated above, it does not matter where you are based; if you handle EU citizens’ data, you are subject to the GDPR.
- We only take orders from US addresses. There are many EU citizens living in the United States, and their privacy rights are protected under the GDPR no matter where they reside and no matter who they do business with. Don’t assume that just because you only do business in the United States, you are not interacting with EU citizens.
Even if you are 100% sure that you have no interaction with EU citizens as part of your data collection and storage, rather than ignoring the regulation altogether, you’d be wise to follow its principles so as to be a better steward of your customers’ data. Also, it’s likely more a matter of when than a matter of if such a regulation will come into effect in the United States.
How can we help?
If you are currently on a maintenance plan with us and we haven’t touched base with you already, we will be in contact soon with further specific guidance and recommendations. If you are not currently taking advantage of our maintenance plan service, we encourage you to consider signing up to ensure that your website is kept updated, secure, and compatible with the latest web technologies. You can read more about our plan here: https://www.watermelonwebworks.com/web-services/website-maintenance/. While GDPR compliance is something you should work closely with your legal team on, we certainly are here to help answer any questions, as well as to work hand in hand with you on implementing technical solutions to ensure compliance.