GDPR, short for the General Data Protection Regulation, went into effect on May 25, 2018. It was created by the European Union to centralize and unify privacy laws across all of the EU. The purpose of the regulation is to give all EU residents control over their personal data and protection over how it is used and stored. Although your firm might not do business in the EU, visitors to your website may very well be from an EU country. So, if you have even a basic form on your site, for example, you should consider GDPR compliance.
Although I’m certainly not an expert on the nuances of this complex regulation, there are aspects that are important to consider as they impact your firm’s website. Read on for a quick review.
GDPR Website Basics
There are three main things that you should include on your website going forward:
- Some type of privacy statement letting visitors know what personal data you want to collect
- The ability for visitors to opt in/out of that data collection
- Security to protect any data that you do collect
What Classifies as “Personal Data”?
The official definition, according to the regulation, is a bit convoluted IMHO. But for most service firm websites, if you have a contact form or newsletter sign-up where you gather a person’s name and/or email address, that definitely qualifies. But it seems that “personal data” is not limited to specific names or email addresses, it can be more generic. Other personal data may include information gathered by marketing automation tools (like HubSpot and others), Google Analytics, browser cookies, etc.
What Steps Should You Take Now?
The question many of us are thinking is “Will a GDPR lawsuit be filed against my firm if our website is non-compliant?” There’s really no way to know, but I certainly hope not. One thing is for sure: it can’t hurt to proactively avoid problems. Besides, allowing visitors basic privacy choices isn’t such a bad idea, right? Here are a few simple things you can do to help your site comply:
- Include a link to a Privacy Policy stating how you handle collected data. It’s best to have an attorney draft this for your firm, but you can find examples with a basic Google search as a start.
- Share your privacy rules internally so everyone at the firm knows how to handle sensitive data.
- Check your web hosting company’s privacy page to make sure they are making necessary updates (all the major hosts should be).
- Be diligent about keeping your CMS (content management system) up to date. Older versions of CMSs may not comply with new regulations.
- Verify where website forms send and store collected personal data (names, email addresses, contact info) and make sure it’s secure. It’s best to pull this data into a modern CRM system, rather than a homespun spreadsheet or other easily accessible format.
- Review your website forms to make sure opt-in boxes are not “pre-checked.”
- Make sure your site is served securely over HTTPS (the URL should read “https” rather than just “http”). Independent of GDPR, this is important to have in place.
If your company doesn’t interact much with EU citizens, the likelihood of issues arising from your website’s compliance is definitely lower, but still probably worth addressing. If you can demonstrate that an effort is being made to comply, that is a significant step in and of itself. So, doing even a little to make your website a safer place may help significantly in the GDPR world ahead.
For More Information:
The GDPR and How it Applies to Small Business Websites
How to make your website GDPR compliant
Privacy Policy Free Template – GDPR Compliant
Vanessa’s article first appeared in SMPS Boston’s Outlook, May 23rd