This change to European Union data security protocol is expected to be far-reaching.
It’s likely that you’ve already seen headlines talking about the General Data Protection Regulation (GDPR) and clicked away as soon as you read that the new rules apply to the “European Union” only. But the reality is, if your business has a web presence, then you’ll need to do some digging into the GDPR’s stipulations to see how it may affect your site.
So, what is the GDPR?
The first update to EU online security regulations since 1995, the GDPR is a law that focuses on data protection and the security of citizens. The “right to be forgotten” is the major goal of the GDPR; it aims to let citizens peruse the web without an invasion of privacy while choosing who accesses their data and where it is being stored or used.
The GDPR makes it illegal for businesses and organizations to gather, process and store users’ data without their consent. The term “data” can include names, emails, photos, bank details, IP addresses and more. If a user chooses to consent to giving their information away (for example, submitting their email address to sign up for a newsletter), then the website must fully disclose what their data is being stored for (newsletter mailings) and how it could possibly be used by the business or organization (being sold to third-party businesses, targeted advertisements on other sites, etc.).
Along with privacy, security is also a focus in the GDPR. The law recommends that encryption be used to protect the data of citizens, but it’s not required. If a data breach does happen, and it could potentially risk the rights and freedoms of individuals, then the business or organization who stored the data has a maximum of 72 hours to notify supervising authorities of the breach. Users whose data was leaked will then be notified if a negative impact is predicted. But if the data that was breached isn’t readable (via encryption or some other method) to those who illegally accessed it, then notifying users isn’t legally required.
Failing to follow the GDPR’s rules can result in hefty fines. These are determined by multiple factors like how many people are affected, if there’s a history of infringements, cooperation with the authorities and more. On the lower level, the fines could be 2 percent of the business’s worldwide revenue, while the upper level is a fine of 4 percent of worldwide revenue.
How can the GDPR affect my website?
Just because your business is based in the United States doesn’t mean it’s automatically exempt from this European Union law. Article 3 of the GDPR states that if you collect personal data (name, email, IP address, etc.) from someone in the EU without their consent, then your business falls under those regulations. So even if you’re a U.S.-based site, if a user from Germany or Spain visited your web page and had their data unknowingly collected, you’d be liable for that under the GDPR.
Targeted advertising is where the international lines get even more blurred. Targeted ads without user consent are against the GDPR’s regulations, but this all depends on where the user is and what type of ads they’re receiving. For example, if a French user visited your U.S.-based website, entered their data and suddenly began receiving targeted advertisements in their native language with EU-specific writing, then that falls under GDPR’s jurisdiction and is illegal. But if a French user visits a U.S.-based website, consents to their data being used and then begins seeing English-language ads that aren’t regionally specific, then that doesn’t fall under GDPR’s jurisdiction.
What can I do in preparation for the GDPR?
The law comes into effect on May 25, 2018, so now is the time to get a head start on preparing. The occasionally vague language of the GDPR when it comes to international issues makes it hard to know exactly what will be necessary from U.S.-based businesses once it’s launched. But there are a few things you can preemptively do right now:
- Check your Google Analytics to see what countries you garner the most traffic through. You might have a significant number of European users that you never realized visited. If you do find that traffic from European countries is particularly high to your website, it would be a good idea to be extra cautious when it comes to observing the GDPR.
- Take an audit of your website’s user data gathering and usage. When someone buys goods from your site, do they automatically get signed up for your newsletter? When creating an account on your website, does your form have some boxes automatically checked for users? These go against GDPR rules and could get you in trouble if an EU citizen uses your site.
- If you participate in targeted advertisements, read over the details to make sure your service follows GDPR guidelines. Ads that translate to local European languages, use writing that’s specific to regions in Europe or that target particular European locations can all be illegal under GDPR.
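The audit step above (auto-enrolment in a newsletter after a purchase, and pre-checked boxes on an account form) is the kind of thing that is easy to catch in code. The following is an added example written for this article, not code from the article or any product it mentions. It assumes a hypothetical sign-up form that posts plain fields, where each optional processing purpose has its own checkbox named `consent_<purpose>`; the server treats a purpose as granted only when the submitted value is affirmative, so a missing or server-defaulted field never counts as consent. The sample form markup and form submissions are constructed for the example.

```python
"""Affirmative-consent handling for a sign-up form (added example, hypothetical site)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes this hypothetical site processes personal data for; each one needs
# its own explicit opt-in and its own plain-language disclosure (Article-style
# "what is it stored for, how could it be used").
PURPOSES = {
    "newsletter": "Send the monthly newsletter to the given email address",
    "ad_personalization": "Use browsing data to personalise advertisements shown elsewhere",
}

# Only these submitted checkbox values count as the user saying yes.
AFFIRMATIVE = {"on", "true", "yes", "1"}


@dataclass
class ConsentRecord:
    email: str
    granted: dict                 # purpose -> True/False exactly as the user chose
    policy_version: str           # which privacy text the user saw when consenting
    recorded_at: str              # UTC timestamp, so consent can be shown later
    purposes_disclosed: dict = field(default_factory=lambda: dict(PURPOSES))


def parse_consent(form: dict, policy_version: str) -> ConsentRecord:
    """Build a consent record from submitted form fields.

    Browsers omit unchecked boxes entirely, so a missing field means "not
    granted"; silence or a server-side default is never treated as consent.
    """
    if not form.get("email"):
        raise ValueError("email is required")
    granted = {}
    for purpose in PURPOSES:
        raw = str(form.get(f"consent_{purpose}", "")).strip().lower()
        granted[purpose] = raw in AFFIRMATIVE
    return ConsentRecord(
        email=form["email"],
        granted=granted,
        policy_version=policy_version,
        recorded_at=datetime.now(timezone.utc).isoformat(),
    )


def may_process(record: ConsentRecord, purpose: str) -> bool:
    """Gate every downstream use (mailing job, ad pipeline) on the stored record,
    not on whether the purchase or account-creation flow happened to run."""
    return record.granted.get(purpose, False)


def audit_form_defaults(html: str) -> list:
    """Flag consent checkboxes that are pre-checked in the form markup.

    Crude substring scan for the audit step: any <input type="checkbox"> whose
    name starts with consent_ and carries the 'checked' attribute is reported.
    """
    findings = []
    for tag in re.findall(r"<input[^>]*>", html, flags=re.I):
        if 'type="checkbox"' in tag.lower() and re.search(r"\bchecked\b", tag, re.I):
            m = re.search(r'name="(consent_[^"]+)"', tag, re.I)
            if m:
                findings.append(m.group(1))
    return findings


# Constructed sample markup: the newsletter box is pre-ticked, the ads box is not.
SAMPLE_FORM_HTML = """
<form method="post" action="/signup">
  <input type="email" name="email">
  <input type="checkbox" name="consent_newsletter" checked> Send me the newsletter
  <input type="checkbox" name="consent_ad_personalization"> Personalise my ads
</form>
"""

if __name__ == "__main__":
    # Constructed submission: the user ticked only the newsletter box.
    rec = parse_consent({"email": "buyer@example.com", "consent_newsletter": "on"}, "2018-05")
    print(rec.granted)                               # {'newsletter': True, 'ad_personalization': False}
    print(may_process(rec, "ad_personalization"))    # False
    print(audit_form_defaults(SAMPLE_FORM_HTML))     # ['consent_newsletter']
```

The two halves correspond to the two audit questions: `audit_form_defaults` finds boxes the site ticks on the user's behalf, and `parse_consent`/`may_process` make sure that a purchase or account creation by itself never enrols anyone in a mailing or ad pipeline. Keeping `policy_version` and `recorded_at` on the record is what lets the site later show which disclosure a given user agreed to.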