
Is Your Website GDPR-Ready? 4 Questions to Ask Yourself

The EU’s General Data Protection Regulation (GDPR) comes into force on May 25th, 2018. It is intended to affect data privacy laws across the European Union and Great Britain. Even businesses run outside of the EU may have users within the GDPR’s jurisdiction, so this new regulation affects just about anyone with a website online (I mean, it IS called the world-wide web, after all!). Understanding the GDPR and how it will impact your website and your business may be a bit overwhelming at first (with a whopping 88 pages of legal language), but thankfully there are many resources available online to help website owners figure out how to ensure their site is operating within the new regulations.

The best way to start

Perform an audit of your entire website to identify which aspects of your site need to be declared in terms of what you collect, and to be transparent to all visitors accordingly.
The following guide is not an end-all, be-all to GDPR compliance for your website, but a general condensed overview meant to help you go through the items on your site that need to be addressed. Ask yourself the following questions about your website, and follow the suggestions under each.

1) What data is my site capturing?

The following list of examples of data collection you will want to audit includes, but is not limited to:
  • Personally identifiable information: Obviously, names, addresses, and email addresses are identifiable information. If your site allows comments, that’s collecting identifiable information. Same with contact forms. Someone fills one out and hits “Submit.” You need to find out where that data is stored and where it goes. Some contact forms don’t store the data in your site’s database; some do. Which option do you have set? Don’t forget IP addresses. In the United States, visitor IP addresses are not necessarily considered identifiable information, but in the EU they are. If your site tracks or collects any users’ IP addresses, you will need to know this as well.
  • Cookies: Most websites send a small file to each user’s computer or phone, called a cookie. Most of the time, a cookie contains just a timestamp of the user’s visit to a site, but it can also store other personally identifiable data, such as an email address or password.
  • Selling of products or services: Does your site sell products and/or services using ecommerce or payment tools (PayPal, WooCommerce, Stripe, Amazon Seller, etc.)?
  • 3rd party site tools: Such as live chat tools and marketing tools. If your site uses a live customer chat or any marketing tools, such as funnel services (LeadPages, ClickFunnels, WishList Member, etc.), you need to visit these service providers to see what they are doing to be compliant.

You will also want to note down any other ways, not listed here, in which your site collects a user’s data.

2) How long is the data on my site kept for?

Any tools mentioned above, or others, that your site uses to capture a user’s data must be investigated by you to find out how long a record is stored in your website’s database or, in some cases, in a cloud service connected to or provided by the tool in question. Follow up with your website designer/developer, or investigate each tool on your own by visiting its provider’s website: either search for their updated privacy policy that clearly indicates they are GDPR compliant, or contact them to ask how they are planning to meet the regulations, and be sure to get the information in writing.
In many cases (if your site is running WordPress, for example), the above-mentioned tools and aspects of your site may be handled by a script called a WordPress plugin, and those are typically written and managed by third-party developers. Visit your WordPress plugins page and then visit each plugin’s respective website or plugin listing to investigate the way the data is collected. Here is also a resource on WordPress and GDPR compliance.
Once you find the information in which each provider outlines how they handle data compliantly, you can link to the language that each service provides within a Privacy Policy page (addressed further in this post).

3) How does my site address consent and explicit consent?

After collecting the answers to the first two questions, write out what needs to be addressed, and how you want to present and disclose what your site does with any information it captures (you will need to make sure none of it is personally identifiable without consent, because consent is the central issue here). All visitors must not only consent to giving you access to their data; you also need to give them the means to do so.

You can prepare a Terms page on your site to outline that, by using the site, each visitor agrees to give their consent for you to collect their data. Then you can add a button or checkbox that says “I agree” next to a link to this Terms page.

4) How does my site allow users to access and control their data?

The next concern your site needs to address is proving that it can deliver to each user in the EU all of the data you have collected on them. The GDPR requires, for all EU website users, that each EU citizen has the right to access, opt out of, or have removed any or all of this identifiable data upon request.
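The consent gate from question 3 and the access/removal rights from question 4 (plus the retention question from question 2) are easiest to reason about as a small data model. The following is an added example written for this post, not code from the original article or from any WordPress plugin it mentions. The visitor ids, the Terms version label, the record kinds and the sample values are all constructed for illustration; a real site would back the two maps with its database.

```javascript
// Added example (not from the original post): consent-gated capture of personal
// data, plus the "access", "erase" and retention-purge operations a site needs.
// All identifiers and sample records below are constructed for illustration.

const CONSENT_VERSION = "terms-2018-05"; // assumed label for the current Terms page

// In-memory stores keyed by a per-visitor id (constructed; a real site would use
// an account id or session identifier and persist these in its database).
const consentLog = new Map();   // visitorId -> { version, at }
const personalData = new Map(); // visitorId -> [{ kind, value, collectedAt }]

// Record that the visitor ticked "I agree" against the current Terms version.
function recordConsent(visitorId, agreed, now = new Date()) {
  if (!agreed) return false;
  consentLog.set(visitorId, { version: CONSENT_VERSION, at: now.toISOString() });
  return true;
}

// Consent only counts if it was given for the Terms version currently in force.
function hasConsent(visitorId) {
  const c = consentLog.get(visitorId);
  return Boolean(c && c.version === CONSENT_VERSION);
}

// Capture is refused unless consent is on file; nothing is stored otherwise.
function capture(visitorId, kind, value, now = new Date()) {
  if (!hasConsent(visitorId)) {
    return { stored: false, reason: "no consent on record" };
  }
  const list = personalData.get(visitorId) || [];
  list.push({ kind, value, collectedAt: now.toISOString() });
  personalData.set(visitorId, list);
  return { stored: true };
}

// Right of access: everything held about one visitor, consent record included.
function exportVisitor(visitorId) {
  return {
    visitorId,
    consent: consentLog.get(visitorId) || null,
    data: (personalData.get(visitorId) || []).map((r) => ({ ...r })),
  };
}

// Right to erasure: drop the data and the consent record; returns records removed.
function eraseVisitor(visitorId) {
  const removed = (personalData.get(visitorId) || []).length;
  personalData.delete(visitorId);
  consentLog.delete(visitorId);
  return removed;
}

// Retention (question 2): purge records older than maxAgeDays for every visitor.
function purgeExpired(maxAgeDays, now = new Date()) {
  const cutoff = now.getTime() - maxAgeDays * 24 * 60 * 60 * 1000;
  let purged = 0;
  for (const [id, list] of personalData) {
    const kept = list.filter((r) => new Date(r.collectedAt).getTime() >= cutoff);
    purged += list.length - kept.length;
    if (kept.length) personalData.set(id, kept);
    else personalData.delete(id);
  }
  return purged;
}

// Walk-through with constructed values: capture before consent is refused,
// capture after consent succeeds, export shows both records, erase removes them.
function demo() {
  const before = capture("v1", "email", "alice@example.com"); // refused
  recordConsent("v1", true);
  capture("v1", "email", "alice@example.com");
  capture("v1", "ip", "203.0.113.7"); // IP addresses count as personal data in the EU
  const exported = exportVisitor("v1");
  const removed = eraseVisitor("v1");
  return {
    refused: !before.stored,
    exportedCount: exported.data.length,
    removed,
    afterErase: exportVisitor("v1").data.length,
  };
}

console.log(demo());
```

The check that matters is the one in `capture`: personal data is refused, not silently stored, until consent to the current Terms is on record, and bumping `CONSENT_VERSION` when the Terms change automatically invalidates old consent. `exportVisitor` returns a copy of the records so the caller cannot mutate the store through the export.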

Some data compliance efforts may not be required on your part

If your site deals with health or medical information, you need to know that explicit consent is required for the processing of certain special categories of personal data. Examples include racial or ethnic background; political, religious, or philosophical beliefs; data concerning health; sexual health; and sexual orientation. This is outlined in more detail in the GDPR’s Article 9. If your site does not use or request such data, you should be OK, but be sure to read through the GDPR text to make sure.

Bottom line: Transparency

A clear disclosure that explains in plain English what data you collect, what the data is used for, who can see it, and where and for how long it is stored should be set up as a Privacy Policy page. A good idea is to check out a reputable legal website that provides privacy and terms page templates, use and customize what they have available, and then, for each service your site uses to collect data from users, provide a link to that service’s page outlining its GDPR-compliant practices.
If your site collects no personally identifiable information whatsoever, and your site is in the US and does not cater to users in the EU, you probably have nothing to worry about. But in the spirit of transparency, it’s still good practice to make sure there is a site disclosure easily accessible to all users of your site, even if you do not collect anything.

Next steps:

Whether or not you are within the EU or have customers in the EU, there are fines and penalties that can be imposed if your site is not compliant with the GDPR. How these fines or penalties can be collected or enforced is still unclear, and much of what has been written so far has been presented in a very ambiguous way, so the practical effects and results of non-compliance have yet to be tested in a court of law.
You will want to share this with your legal team and/or website developer so you can work together to get GDPR-ready!

_______________________________________

This was a guest post by Bobbi Jo Woods