GDPR: What It Means and How to Make Your Website Compliant

In May, the EU Parliament rolled out the General Data Protection Regulation (GDPR), a new data policy that protects the personal information of EU internet users by tightening the guidelines associated with data collection and retention by websites. While the GDPR only affects citizens and residents of the EU, there’s a catch that Americans and other non-EU citizens need to be aware of.

Businesses outside of the EU that have a high concentration of website visitors from the EU, or that directly sell products to EU users, must ensure their website is compliant with the new policies set forth by the GDPR. In this blog, we’ll take you through the major changes to be aware of. Businesses that deal with users in the EU but don’t abide by the GDPR can face heavy penalties if found non-compliant; maximum fines can be as high as 20 million euros, or 4% of global turnover, whichever is higher [1].

Making sure that your business’s website is in compliance with the GDPR is tantamount to dodging massive fines that could potentially cripple your entire operation. Read on to learn about the major changes and what you need to do to ensure your website is compliant.

What Are The Main Changes?

Aside from the major penalties, the biggest change to EU regulations on data collection is their geographical scope. The previous regulations were a bit ambiguous [2] when it came to who they actually affected. Now, the GDPR has drawn clear lines as to the geographical reach of the regulations: any citizen of the EU is covered under the GDPR, meaning that businesses outside of the Union are still required to abide by GDPR guidelines when collecting personal data that pertains to EU citizens.

The other major change is the terms of consent that a business’s website has to present to EU users on their site; terms of consent—or the site informing users that data is being collected while they’re on the site—must be clear and concise. Gone are the days of confusing legalese-saturated consent notifications. The GDPR requires all sites to inform users exactly what kind of data is being collected and the method being used to obtain it. This is why your inbox was most likely flooded with emails from every site you’re subscribed to informing you that their privacy policy had been updated.

Additionally, the GDPR requires businesses to report any data breaches of their sites by setting forth clear steps for informing users of a breach within a specific timeframe. The Right to Access is a section of the GDPR that allows a site’s users to request documentation of the information that the site has on file, how it was collected and how it is being used by the business. The Right to Erasure is also included as part of the new regulation; it essentially allows users to demand that their data be erased and collection be ceased if they no longer wish to accept a site’s terms, or if the data is being misused after it’s collected.

How Do I Make Sure My Website Is GDPR Compliant?

The first question to ask yourself is, does it need to be? Does your site have a large concentration of EU users, or does your business periodically do business with EU customers? If either scenario is true, then it’s definitely in your business’s best interest to be GDPR compliant; remember those massive fines? If your site doesn’t have a major concentration of EU users, or doesn’t sell products to the EU, you don’t necessarily need to be GDPR compliant; but you’ve gotten this far, so why not cover all your bases?

The first step is to update your terms of service and privacy policy so that they are in compliance with the GDPR. The necessary information to include is a bit lengthy, so take a look at this handy blog if you need help writing an inclusive privacy policy for the average user. After your privacy policy has been updated, make sure that users of your site are aware that your site is collecting their information, and have them confirm that they were made aware before continuing to browse your website. It also doesn’t hurt to send out an email to subscribers or regular users (yes, add your business’s email to that already-massive pile), letting them know that your site’s terms and privacy policy have been updated.

Aside from that, it’s all proactive on the side of the business: data breaches must be reported, and user requests about data collection or action must be complied with within preset timeframes. Honestly, the best way to make sure that your site is doing what it needs to is to consult a reputable source to familiarize your site’s key staff with the rules and regulations of the GDPR.

Although you may not think it’s necessary to update your privacy policy and site to be GDPR compliant, it’s definitely worth the small amount of work, especially when the penalty can be so steep.

Sources:

  1. GDPR fines: how GDPR administrative fines and sanctions will be applied, i-Scoop
  2. GDPR Key Changes, EUGDPR

Mark Schmukler, CEO and Co-founder of Sagefrog Marketing Group, LLC, brings more than 30 years of global marketing and consulting experience to the agency, leveraging his B2B background to lead brand strategy and business development. Based in Doylestown, PA and Princeton, NJ, Sagefrog Marketing Group is a full-service B2B marketing agency with specialties in healthcare, technology and business services. Founded by Mark Schmukler and Suzanne Morris in 2002, Sagefrog’s mission is to accelerate client success through integrated marketing including branding, digital, public relations, social media and traditional services. Visit Sagefrog.com or call 215.230.9024.