In the past month, you’ve received emails from all sorts of people whose lists you may even have forgotten you were on, as well as from giants like Twitter or Facebook. Each one explained that the business or site was now compliant with the European Union’s General Data Protection Regulation (GDPR), which took effect on May 25.
It doesn’t matter where you are located, or even if you have few, if any, website visitors from outside of the United States. If you process personal data of people in the European Union (EU) in connection with offering them goods or services or monitoring their behaviour, which is what analytics and marketing tooling does, you must comply with the relevant obligations under the GDPR.
What is GDPR?
The new EU privacy law helps protect people’s personal data. Every processing activity now needs a lawful basis. For a typical blog that basis is usually consent, which means you must ask site users whether they will allow data collection, and the consent must be freely given, specific and informed: you must be explicit about the nature and scope of the processing before you collect anything.
The GDPR also gives users the right to have their information deleted (the “right to erasure”, widely known as “the right to be forgotten”), as well as the right to obtain a copy of the data you hold about them.
Additionally, if there’s a personal data breach, the controller must notify the supervisory authority within 72 hours of becoming aware of it, and must also inform the affected users without undue delay when the breach is likely to put their rights and freedoms at high risk.
If you’re wondering whether big companies will comply, consider what they risk if found not in compliance – a penalty as high as 20 million euros or four percent of their worldwide annual turnover, whichever is higher. That’s a good compliance incentive.
What about Personal Data?
What does the GDPR mean by personal data? Anything that can identify a natural person, like you, directly or indirectly. This includes your name and contact information, your location, online identifiers such as an IP address or a cookie ID, and what you look like. Religion, political opinions, ethnicity and health data count as “special categories” and require even stricter handling.
If you have a blog, that means personal data collected via:
- Comments on blog posts (name, email address, IP address)
- Contact forms
- User registrations
- Email signups
- Your web host’s server logs, and where that host stores its data
- Google Analytics and other tracking tools
- Third-party services that receive data from your site (embeds, CDNs, email providers)
- Various plugins, many of which set cookies or call home
If there is any way in which you are collecting visitor data, you must comply.
What to Do Now
If you use WordPress, ensure you have updated to version 4.9.6, which added tools specifically designed to assist with GDPR: a privacy policy page template, an opt-in checkbox for the cookies set by the comment form, and an admin screen for handling requests to export or erase a user’s personal data. You can read more in the release announcement.
After identifying all the ways in which you collect user data, figure out which ones you can eliminate. Many sites hold more information than necessary; the GDPR calls the fix “data minimisation”. Keep it to a minimum and be specific about purpose – for example, if someone is entering their email address to download a free guide, but you intend to also send them follow-up emails, you need to tell them as much before they submit the form. Purpose matters even for existing customers: if you’ve sold someone a course about gardening, that doesn’t mean you can market to them about a course on cooking. They haven’t given you permission to do so.
Keep it simple, and be explicit and upfront on how you are going to process someone’s data.
Also, get rid of personal user data you don’t need. For data you do keep, store it only as long as needed, then delete it.
Remember the Golden Rule, modified for the digital age: do unto others’ personal data what you would have them do with yours.
If you want more information on GDPR, check out these links:
Have you taken the necessary steps to become compliant with GDPR? Tell me in a comment below.
About the Author
Jane Meggitt is a former reporter for a major New Jersey newspaper chain. Her work has appeared in dozens of publications, including USA Today, Financial Advisor, LegalZoom, Zack’s and The Motley Fool. You can contact her at firstname.lastname@example.org.