Let’s talk about the GDPR

OK, I have to admit it. I’ve been putting off looking into the GDPR. But, it is time to have a more in-depth look-see.

If you’re not aware, this is the General Data Protection Regulation. It is a set of rules which come out of the European Union about user privacy and protection of user data. It is quite the sweeping regulation, too, and represents a fairly big swath of changes for website owners.

Now, my first thought when I saw all this was…

“It doesn’t apply to me”.

After all, I’m based in the United States – as are many of you. And this law is from the EU. So…. Phfft!

But, not so fast. The law holds the promise of fines. Big fines. And it applies to any website that handles the personal data of people in the EU, whether or not the site is based there. Which means, if you have EU visitors and EU customers, you are technically required to abide by these rules even if you are not based in the EU.

Now, honestly, the issue of fines is probably more of a threat than anything. I'm no lawyer, but it seems to me there'd be an issue of enforcement for any entity in the EU to issue a fine to an American. The fines are quite stiff, too. Up to 4% of annual worldwide revenue… or 20 million Euros. Whichever is higher.

Now, is the EU likely going to attempt to impose and enforce such a fine on a small-time web company in the United States? Not likely. But…

Here’s my take…

Even if most of us would probably be fine not doing anything about the GDPR, I still recommend abiding by it. The way I see it, there are two reasons…

  1. There is most definitely a rising tide of concern over user privacy online – and rightly so. Consumers want it. And that should be reason enough.
  2. The GDPR is likely just a forerunner. I think it is only a matter of time before something similar takes place here in the U.S.

So, it is just the right thing to do. ‘Nuf said.

But, exactly WHAT do we need to do? And how sweeping is this thing?

I'm going to talk more about this in upcoming issues, but the gist is this…

If you collect and/or store ANY personal data at all (names, email addresses, IP addresses, and so on), then you need to take the time to review GDPR compliance. This includes…

  • Contact forms
  • Opt-in forms
  • Checkout pages
  • Analytics software
  • Community forums, social software
  • Blog comments

Yes, this means… pretty much every single one of us.

So, what does this entail? Well, let me try to simplify the hell out of it here, based on my research.

  • You must be totally transparent with the end user about what personal data is being collected, what it is used for, and who it is shared with.
  • Consent must be explicit, not buried in a privacy policy behind a tiny link in your footer. It needs to be requested in plain language, and users need to actively opt in to the storage of their data: an unticked checkbox they tick themselves, not a pre-ticked one.
  • Users must have the ability to correct or change their personal data.
  • Users must have the ability to request a copy of all of their personal data, in a portable, machine-readable format, so they can take it to a different provider.
  • Users must have the ability to request that all of their personal data be erased.

When it comes to putting this stuff into practice, it comes down to two things…

  1. The various plug-ins and software we're using making their own changes to become GDPR compliant.
  2. The actions WE need to take ourselves on our sites.

We’re going to talk about both here in The Daily in the coming days.

My goal is to try to make this thing simple enough. This one is easy to get confused by. And I’m all about simple.

I’m going to do the best I can here. I should also mention…

I’m not a lawyer. Nor do I pretend to be. 🙂 So, if this is really a big concern to you, I suggest you go consult a real lawyer.

But, I’m going to try to decipher some actual action steps for us, because I think for the most part, we shouldn’t have to hire anybody for this one.

Be aware that we have about a month (as of this writing) to get things in order. The GDPR becomes enforceable on May 25th, 2018, and that is the date by which you need to be compliant.

M’kay? See ya tomorrow.

– David