Webflow, GDPR & CCPA

The GDPR


[The] simple overview first... it's all about data privacy and making sure that a user is clear and has control over their privacy. Whether you are giving them cookies or having them submit forms, that user needs to be in control of where that data goes and how that data is managed.
- Joe Krug, Finsweet livestream

What is the GDPR?

The General Data Protection Regulation (GDPR) is a set of laws implemented by the European Union (EU) in 2018 to give people more control over their personal data. Here are some steps a website should take in order to be GDPR compliant:

  1. Consent: The website must obtain informed consent before collecting personal data from users. This means that terms and conditions, as well as privacy policies, must be easy to understand and not hidden away. Explicit consent for the usage of cookies is also necessary.
  2. Data Minimization: Only collect necessary data. The website should not collect more personal data than it needs for its intended purposes.
  3. Access: Individuals have the right to access their data at any time. They can request to view the information, and the company must be able to provide this.
  4. Rectification: If an individual finds that the data held on them is incorrect, they have the right to have it corrected. Websites must have systems in place to make this process as easy as possible.
  5. Right to be Forgotten: Also known as Data Erasure, individuals can request that their data be deleted when it’s no longer necessary, when they withdraw consent, or when they object to the processing.
  6. Data Portability: Individuals have the right to download their data and take it to a different service provider.
  7. Data Protection Officers: Larger companies may need to appoint a Data Protection Officer (DPO) who is responsible for GDPR compliance.
  8. Security Measures: Websites should ensure data is secure. This can include encryption and pseudonymization, as well as ensuring the confidentiality, integrity, availability and resilience of processing systems and services.
  9. Data Breach Notification: In the event of a data breach, companies are obligated to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected, within 72 hours of becoming aware of it.
  10. Privacy by Design and Default: Incorporate data protection from the outset when designing new systems, rather than it being an addition.

Specific requirements can change over time, and vary based on the size and type of the company, the nature of the data being collected, and how/where it's being processed and stored.

Does it Affect Me?

My site is not primarily targeted towards Europe. Do I need to care about this?

Maybe.

The GDPR applies to the European Union (EU) and the European Economic Area (EEA). It does not directly apply to countries outside of those areas.

However, the GDPR has extraterritorial effect, which means it applies to organizations outside the EU if they offer goods or services to, or monitor the behavior of, individuals within the EU.

If your company processes personal data of individuals in the EU in connection with offering goods or services, or as a result of monitoring of behavior, it would need to comply with the GDPR.

You will want to consider GDPR compliance:

  • If some of your visitors and customers come from Europe
  • And you have cookies on your site
  • Or capture any customer information via web forms
  • Or use analytics and tracking services like Google Analytics or a Facebook Pixel on your site
