In a world where unfathomable amounts of personal information live online, data protection is more important than ever before.
Take, for example, Experian’s massive data breach of 150 million people in 2017. For some of their customers, this resulted in identity theft and financial loss. For Experian, this resulted in a $700 million settlement.
Large data breaches suffered by such corporate juggernauts have created public demand for professional standards and accountability around data handling and cyber security. That’s where the General Data Protection Regulation (GDPR) comes into play.
What is GDPR?
GDPR is legislation enacted in 2018 by the European Union concerning the transfer and use of personal data. GDPR gives the citizens of the European Union (EU) and the European Economic Area (EEA) the ability to exert greater control over their personal information. The law ensures that personal data of European citizens will be handled more responsibly and that authorities have the legal tools to respond to misconduct by data-handling entities. This includes the ability to take legal action against non-European companies that are privy to the personal data of European citizens.
Yes, even small businesses in the United States are expected to be GDPR compliant if they handle personal data from people in the European Union. Moreover, GDPR is considered the standard best practice in online data processing. If your website doesn’t comply with baseline GDPR practices, such as cookie banners, a privacy policy and top-notch security, your business will be left behind.
What led to GDPR?
GDPR happened when several high-profile tech giants were caught sharing user data — including personal messages sent on their platforms. In particular, Facebook shared personal information with the voter-profiling company Cambridge Analytica.
Compounding concerns over data privacy were cases involving data breaches due to poor security. Suddenly, the world was watching how large companies handle consumer data.
GDPR was adopted by the European Union Parliament in 2016. The European Commission enacted the GDPR after a two-year transition period in 2018. For the official website, click here.
Why is GDPR Important?
The new legal framework gives consumers of online services the assurance that they can interact online without having their personal data grossly mishandled and shared with other entities. GDPR fosters a more regulated and safer online landscape that translates to a more robust online business ecosystem. It is an important milestone in the evolution of today’s digital marketplace.
How does GDPR affect your business?
GDPR is important for your business and how you interact with your audience. The legislation is not limited to large, multinational enterprises. All businesses need to be compliant regardless of their size. If your website handles personal data of any kind — even a simple e-mail subscription form — it should adhere to GDPR best practices.
Personal data is defined as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier,” according to this GDPR website. This information includes name, e-mail, phone number, location data and online identifiers.
What are the consequences for non-compliance?
As of September of 2019, a survey of 250 decision-makers showed that less than 50 percent of companies were compliant. At the same time, the companies that are placing emphasis on compliance are also devoting funds to improve data handling.
Hefty fines have already been given to large corporations that have failed to follow through in protecting their customers’ data. In 2018, a 200 million euro fine was placed on British Airways after a data breach. The fine represents 1.5 percent of their annual turnover, with GDPR-related fines allowed for up to 4 percent of a company’s business on the year.
How do you stay GDPR compliant?
Small online business owners can take a few simple steps to ensure compliance and safeguard themselves.
1. Appoint a Data Protection Officer
Having a Data Protection Officer (DPO) is not a suggestion. Having a DPO is now a requirement for companies that handle user data of European citizens. There is some debate on when a DPO is needed for smaller online enterprises. According to GDPR’s policy, a DPO is required when a company processes “sensitive personal data on a large scale or a form of data processing which is particularly far reaching for the rights of the data subjects.”
The DPO is required to:
- implement GDPR data privacy and protection compliance
- monitor data processing efforts
- increase employee awareness of data protection
- train employees with regard to data protection
Don’t assume your website designer or marketing director will serve as your DPO. If you aren’t sure where your website stands in terms of cyber security and/or GDPR compliance, seek out a professional cyber security expert and a lawyer.
2. Conduct a security audit
Running a security audit for a small online business can be as simple as using a third-party software tool that gives you a comprehensive picture of how your website measures up in terms of its security.
Find an Internet security professional who specializes in heightened online security — including malware scans, firewalls, spam controls, IP address blocking and more.
3. Have an emergency plan
Don’t wait for a security breach to occur. GDPR provides a framework on how to communicate a data breach to your users. If you have a website that collects any of your customers’ data, offers the opening of user accounts or runs an e-mail newsletter, you should have a data breach communication plan ready to go into effect.
4. Keep your cookie policy updated
Cookies are small bits of code that are shared between your website and your visitors that contain anonymous data on people’s usage of your webspace. The Cookie Law predates the GDPR. This law gives Internet users the right to object to the use of cookies when they interact with a website. Your website is required to be clear about your policy regarding cookies, and allowing users to opt out is important for complying with GDPR.
5. Be mindful of data access
If you store data in a physical location, such as in a data server, then you run the risk of having data stolen or abused by employees or contractors. Safeguard all physical data storage so that access is not readily given to potentially malicious parties. This type of data breach also includes user information you store on a cloud service, which is not stored in your physical space. If the data can be easily accessed by a device available for others to use, you may want to reconsider some of your practices.
6. Obtain explicit consent
GDPR requires direct, clear language when asking for user information. Don’t send unsolicited e-mails to people who have not opted in to your marketing e-mails. Explicit consent means you require an opt-in, with unambiguous information requesting their consent, that is separate from terms and conditions.
7. Provide easy-to-read information on data rights and breach notification
Don’t confuse your audience with multisyllabic legalese. Your privacy policy should include:
- How you collect data
- How you use data
- Why you collect data
- How you store data
- What security precautions you use to protect data
- How long you store data
- How people can opt out of e-mails
- How people can opt out of cookies
Consult an experienced lawyer to craft a privacy policy and terms and conditions that best reflect your unique situation.
Is WordPress GDPR compliant?
Many small online business owners use WordPress’ content management system for their website. WordPress is flexible and provides seamless functionality for all of your business’s needs. What you’ll be happy to know is that WordPress also offers a simple solution to your GDPR needs. There are several plugins in its list of available tools that will help you achieve and maintain compliance:
Does GDPR help or hurt my business?
GDPR may seem like another hoop to jump through. However, in today’s digital world, trust is not easily given. GDPR best practices ensure that your business is doing what’s right, legally and morally.
When you ask for permission before sending correspondence or allow your audience to choose the degree to which they will share their data, your business will build a stronger bond with your customers. The more your target market trusts that you will respect their privacy, the more they will be willing to purchase your products and services.