GDPR for the American Website Owner

By Matt Adams on May 8th, 2018

So chances are you have been seeing a ton of emails from all your apps and tools about their update for GDPR, but thats about all you likely know. If you own a company or run a website that even remotely interacts with any citizen of the EU, then this DOES apply to you.

This goes into effect May 25th 2018, and can carry some heavy fines up to $20 million euros. While its fuzzy how they will be measuring for the fines, let’s not find out.

GRPR, or General Data Protection Regulations, is a set of laws outlined by the European Union, and it puts the power of internet data in the hands of users not corporations. How you collect data, what you do with the data, and users ability to request a copy of that are all ground breaking items that will effect your site. Also note that GDPR is retroactive. This means that it applies to all customer data you’re storing and using, even if it was collected before May 25th 2018.

Starting May 25, your visitors have new rights. They can request a copy of all of their data you are storing, they can request you to delete all of it. You need to have a good legal basis for gathering and using any data. Alternatively, you need to ask for consent for each purpose separately. Your customers must be able to withdraw the consent they’ve given at any time. And you are obliged to inform them of everything you do with their data, everyone you share their data with and all of their rights regarding GDPR.

Basically, a person’s personal data is always owned by that person. This means that they must have control over it.

Even if your website only has website has comments or a contact form, it means that you are already storing someone’s personal data. Therefore, GDPR requires almost all website owners to take action.

Major GRPR tasks to take on your site NOW.

First up, we MUST know what data you are collecting and storing.  Personal data is almost any data about a person. For example:

  • name
  • email
  • age
  • personal identification number
  • location info
  • appearance description
  • information about hobbies
  • income

GDPR grants users new rights with their personal data. From the perspective of your WordPress website, the three most important rights are:

  • Your visitors can request to access any personal data you’ve gathered about them
  • Your visitors can request to export their personal data in machine-readable format
  • Your visitors can request to delete their personal data

Unless you have a good, legally backed reason, you are obliged to comply in 30 days.

Explicit consent is required!

Article 6 of the GDPR requires any organization, even a US one, to get explicit consent for the collection and use of personal data. This is a new requirement that is pretty revolutionary for US businesses that normally collect this data by default.

To comply with this GDPR requirement, you must have documented evidence that consent was given, and that all requests for consent are clear and concise. This might create problems for several types of US companies, such as those that use direct marketing and rely on data analytics.

What about old data?

Well if you don’t have clear consent? you must destroy it. Granted this only applies to EU citizens, so in theory, you could filter your lists for EU users if you have addresses, and remove just those users.

What about active members in my platform? 

The best bet here is to inform them of the GDPR policies, and ask for their consent to maintain their account with you.

The right to access and the right to be forgotten.

Two major elements in the GDPR access and removal. Users can ask to see all data you have on them, and you must comply in 30 days. This can be tricky when you have multiple marketing tools in place. The more ground work you do now to identify the possible locations, and HOW to export that content the better off you will be when someone asks.

Additionally, any user at any time can ask you to remove any and all data. Again, you must comply, and knowing how to complete this task will be critical in your companies success with compliance. This is mainly marketing focused. If you have user data on an invoice, you are allowed to keep that. But the intent there is the purpose you have the data for, is locked into that purpose.

If you have shared a data subject’s personal data with a third party, you are obliged to inform them that this data has to be erased.

What you can do right now

Factor1 mainly runs WordPress sites, and utilizing a new tool we can run a lot of this for you. Our GDPR Framework provides a Privacy Tools page where visitors can authenticate via email or login. On that page, they will be able to:

  • Request to view their personal data,
  • Request to export their personal data in a machine-readable format,
  • Request to delete their personal data,
  • View and withdraw consents they have given

Looking for help with this? Contact us today!

Disclaimer. Factor1 nor any of its employees are providing legal advice. The tools and actions we suggest are a best effort and may not be sufficient to fully protect you in GDPR compliance. Full legal counsel is advised for their official review of your business needs and how your site may need to be adjusted for compliance.