What is the GDPR? What Your Business Needs to Stay Compliant

Disclaimer: this post was written in partnership with attorney Christina Scalera but is not legal advice. Please consult your legal counsel to ensure GDPR compliance.


WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?

We’ve all heard about the big data breaches. That time a-shall-remain-nameless retailer had its credit card numbers lifted (we forgive you). The (it seems like daily) emails we get from doctors’ offices, software providers and online shops that tell us, “Oops! Someone hacked our system and your data may be compromised.”

The GDPR was designed to help protect us as internet users from these breaches of trust. It does that in two ways: (1) it makes consent to use your name, email and other data optional, so you choose whether to give it, and (2) if there is a breach, it forces the site/shop to tell you within 72 hours, not months and months after a cyber attack or hack.

5 WAYS TO TELL IF THE GDPR APPLIES TO YOUR BUSINESS

Even though this new General Data Protection Regulation is focused on European markets, many businesses in the U.S. will have to comply. Here’s how you can figure out if you are one of them:

  1. A reasonable number of people who are on your email list or who visit your site are based in the EU (which includes the UK); or
  2. You use EU-based languages to market your goods and services; or
  3. Your domain name ends with an abbreviation that’s EU-based (e.g., .co.uk for the United Kingdom, .es for Spain); or
  4. You accept payment in Euros; or
  5. You target European countries for sales, including the United Kingdom.

HOW CAN I BECOME GDPR-COMPLIANT?

STEP 1. ADD (OR AMEND) A PRIVACY POLICY AND TERMS & CONDITIONS TO YOUR SITE.

Terms and conditions + privacy policy are something super fun, disguised as a bore-fest. Your terms and conditions tell people what is and is not allowed. For example, if you do not want people right-clicking and saving or sharing your images, that’s where this information would be housed.

A privacy policy is slightly different. It tells anyone who visits your site what information you’re collecting from them, from cookies to names and emails. It also tells your visitors what you do with this information.

The privacy policy has always been required by U.S. law, and setting up rules for your visitors (terms and conditions) has always been a good idea. It gives you something to reference for FAQs, like, “what is your refund policy?” and “can I use your images with credit?”

This step is nothing new for business owners, but having a GDPR-compliant privacy policy looks a little different than policies of yesteryear.

Action steps:

  • There are many templates and tool kits available online that will help you structure your terms & conditions and privacy policy to be GDPR compliant, such as this one from The Contract Shop
  • Here’s an online checklist you can reference to see if the remainder of your website is GDPR compliant (Please note that these templates and checklists are not affiliated with MAKA Digital).
  • Once you have updated your terms & conditions, privacy policy (TCPP) and website, it is best practice to email consumers about this update.

STEP 2. CONSENT TO OPT-IN IS NOW REQUIRED.

Unfortunately, where Step 1 (see above) used to be enough, it no longer is under the GDPR. One of the major changes is the requirement that you get consent from visitors when they opt in to your communications and when they visit your website.

Action steps:

  • When a consumer from the EU opts in to receive communications from you, specific language and checkboxes now need to be included on your opt-in forms. Reference your document templates or legal advisor for approved language.
  • This consent has to be freely given, so online business owners will need to make sure no opt-in form is checked ‘yes’ by default if the visitor is from the EU.
  • Visitors coming from the EU need to be shown a notice about the cookies used on your site. This can be achieved by using a cookie bar that pops up a notification. Many website platforms also offer plugins that automatically detect EU visitors and show this notice. If you are on a common website platform, it is worth searching the app/plug-in store for a solution.

STEP 3. KEEP LEARNING ABOUT THE GDPR.

The truth is we only know how this thing is going to look and work in theory until the EU starts enforcing it, and we don’t know when that will be. While the GDPR officially takes effect on May 25th, it’s best to stay up to date on news even after this point to make sure your webstore remains compliant. We’ll keep you updated on future news, and feel free to drop us a line at hello@makadigital.com if you have any questions.