The GDPR Dossier – A North American Perspective – Website-Related Topics Only

Why Almost Every Business In The World Needs To Comply

First of all: let me make perfectly clear that I am not a lawyer, and that you should not assume the contents of this article are legally sound. This is merely a reflection of my search for information, on the Internet – coupled with (hopefully) some common sense and healthy suspicion.

Apart from not being legally accurate, it is also not complete – this law has a lot of different facets to it, many of which don’t seem to apply to our specific situation of not residing in the European Union or Switzerland (where the GDPR also applies).

I am just an Internet Consultant who is confronted with a new and far-reaching law that, by the looks of it, most companies will have difficulty complying with 100% – if only because not all of the implications of the law are fully known right now.

So why this article? Because I want it to be a Dossier if you will, about my research into the GDPR.

Always consult your own lawyer and/or your data protection professional.

By May 25, 2018 your business (not just your website) will have to comply with the new European law, the GDPR (General Data Protection Regulation). The idea behind the GDPR is to give residents of the European Union and Switzerland control over their personal data – worldwide. On this page I only touch upon information related to websites, not computer or network software or business processes.

So your business doesn’t even have to be in the European Union; this law applies to any organization worldwide that deals with personal information from European residents (referred to as “data subjects”).

Fines for not complying are massive: up to 20 million EUR or 4% of worldwide turnover. These numbers are mentioned everywhere as part of global scaremongering (often to sell products or services to make your website “100% GDPR compliant”…), but the European Union’s website for GDPR states that fines are the last step if you still fail to comply after warnings and reprimands.

(Image: GDPR – the cost of non-compliance)

That doesn’t mean there can’t be damage if you are a “first time offender”; imagine the negative PR that can come from failed audits and data breaches. And some of your suppliers may refuse to serve you if you are not GDPR compliant.

Not sure what “personal information from EU residents” you may have?

  • Email subscribers from the EU
  • Prospects from the EU who contacted you
  • Clients or customers
  • Analytics software like Google Analytics (tracks IP addresses)
  • Facebook or Google tracking codes for retargeting
  • Cookies from WordPress plugins
  • And more…

Personal information can include name, email address, phone number, date of birth, physical address, location data such as an IP address, images, political/religious/sexual preferences, and more.

(Image: GDPR – What is personal data?)

This information is recorded in a lot of different places, like your own website(s), your Contact Management System (online or offline), your Outlook/Thunderbird email program, Google Analytics, your autoresponder software company (Aweber, MailChimp, etc.). So a first step in becoming more compliant with GDPR is to do an audit/assessment – make a list of all the places where personal information of European residents may be processed and stored.

Unless you are blocking website visitors from the European Union (and Switzerland) you are processing information from “data subjects”, and you should comply with the GDPR – at least for those visitors from the EU. But why not for all visitors then, right?

This New Law Is All About Data Protection

Some of the core requirements under this new law:

  • You need to implement both organizational and technical safeguards
    • Organizational: staff needs to be informed and trained, assessments need to be done to determine the scope of implications
    • Technical: pseudonymization, encryption, online and offline security improvements
  • In case of breaches the local data protection agency may need to be informed, within 72 hours (not even sure who foreign companies should report to) and even the people whose personal information was compromised. But only when there is a “high risk” to their rights and freedoms; meaning that if pseudonymized information was breached, the risk would be low and notifications would not be required.
  • A European Resident has the right to ask companies worldwide to disclose what personal information that company has on them, and they can request to have all personal data either deleted or adjusted. When requested, you need to provide this personal information promptly, and you cannot charge for it.
  • People need to give permission for you to store their personal data, and it should be easy for them to withdraw that consent later. Consent cannot be implicit, like the result of pre-ticked boxes, or silence. Consent must be documented (which means the data controller must be able to produce evidence that consent was given).

Essential Requirements

  • You must have a legal basis for controlling and processing personal data (Article 6).
  • You should only collect and process the information that’s needed for the legal basis, a principle called data minimization (Article 5(c)). Don’t collect all kinds of “extra” information, just in case.
  • Once personal data is no longer required for current data processing activities, it should be pseudonymized (making it no longer personalized) or erased.
  • You must maintain documentation of all data processing activities (Article 30). You should be able to prove compliance.
  • If you deal with personal information from children, you will need to be extra careful and parental consent will be required (and recorded).

What should you do?

  • Use plain language – tell visitors who you are, what information you collect and process, why you do this, who receives it, where it is stored, and how they can view/edit/remove it.
  • Update your Privacy Policy. Tell people how long you will be storing their information.
  • Get cookie consent. Most websites just have a cookie bar that says “if you continue to use this site you are consenting to our cookies”, hopefully with a link to their Privacy/Cookie policy and perhaps instructions on how to disable/remove cookies. However, strictly speaking you have already processed their cookies without their consent… The only solutions I found that block cookies until consent is given are the paid WordPress GDPR plugin () and Iubenda. Some sites have more granular cookie notices, some with the ability to selectively consent to/disable/enable cookies. This is a cumbersome and complicated process for many, though.
  • Get consent. You’ll need to ask your contacts if it’s OK to process their personal data. This can be as simple as adding a checkbox to your contact forms.
    • Prove Consent
      Note: this can NOT be a pre-ticked box. You will have to be able to prove that they consented to your processing of their personal information, and if their personal information is not 100% required for you to perform your service you cannot force them to give their consent.
    • Not Mandatory
      If you give away a report or access to a video or something in exchange for their email address, you cannot make that consent mandatory. Their email address (or name) is not required for the service – which is accessing the report/video.
    • Not Bundled
      Tell people WHY you need their consent – what you need the information for. And you can ONLY use their information for the purposes that you stated.
      This also means that if you got permission to send them the free report, that doesn’t mean you also got permission to send them your marketing newsletter from then on. You’ll need separate permission for that, or change your wording so that people give permission for both (some say this is not GDPR compliant, though).
    • Not Shared
      You cannot share their personal information with a third party, unless you made that part of the data subject’s explicit consent.
  • Provide people with a way to find out what information of theirs you are storing, and the ability to edit or delete that personal information:
    • “The right of access” – people can request if their data is being used, how they can access it, why it’s being used, who it’s shared with and how long it will be stored
    • “Right to be forgotten” – if someone asks you to delete their personal information, you should determine what personal information you have for that person, who else has it (3rd parties), and then erase it as soon as possible – unless you have a legal obligation to keep it. Also ask 3rd parties to erase this personal information.
    • “Right to rectification” – people can ask what information you have about them, and they can request that changes be made to it.
  • Give people the right to opt-out (revoke their consent)
  • Safeguard their data
  • Anonymize (pseudonymize) analytics data – remove the last digits of the IP address, so it’s no longer exact
  • Use SSL certificates (https) for your website
  • Only process/store the information you need now, for the task at hand. Don’t ask for more information than you need (“just in case”), and store as little as possible online, or with third parties.
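The two technical items in this checklist, loading trackers only after consent has actually been given (instead of after "continue to use this site") and pseudonymizing IP addresses before they are stored, as an added JavaScript example that is not code from this post or from any of the plugins it lists. The consent cookie name `site_consent` and the tracker catalogue are assumptions; the IP rule (zero the last IPv4 octet, or the last 80 bits of an IPv6 address) follows Google Analytics' documented IP anonymization.

```javascript
// Added example, not code from the original post or from any plugin it lists.
// Assumed: a cookie named "site_consent" holds the comma-separated categories
// the visitor actively ticked; the tracker catalogue below is hypothetical.
const CONSENT_COOKIE = 'site_consent';
const TRACKERS = [
  { name: 'google-analytics', category: 'analytics' },
  { name: 'facebook-pixel',   category: 'marketing' },
  { name: 'session-cookie',   category: 'necessary' },  // needed to run the site
];

// Parse a document.cookie / Cookie header string into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Categories the visitor opted in to. No consent cookie means no consent
// (silence or a pre-ticked box does not count): only "necessary" may run.
function consentedCategories(cookieString) {
  const allowed = new Set(['necessary']);
  const value = parseCookies(cookieString)[CONSENT_COOKIE] || '';
  for (const c of value.split(',')) if (c.trim()) allowed.add(c.trim());
  return allowed;
}

// Trackers whose category has consent; the rest are never injected into the page.
function trackersToLoad(cookieString) {
  const allowed = consentedCategories(cookieString);
  return TRACKERS.filter(t => allowed.has(t.category)).map(t => t.name);
}

// Pseudonymize an IP before it is logged: zero the last octet of an IPv4
// address, or the last 80 bits of an IPv6 address (keep the first 3 groups).
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    const groups = ip.split('::')[0].split(':').filter(Boolean); // part before "::"
    return groups.concat(Array(8).fill('0')).slice(0, 3).join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('not an IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}
```

In the browser, call `trackersToLoad(document.cookie)` when the page loads and again when the visitor submits the consent banner, and inject only the script tags for the names returned.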

WordPress and GDPR

As of version 4.9.6, WordPress has implemented GDPR-related tools: it allows you to gather some personal information based on a visitor’s email address, and it also allows you to delete this information. But this only relates to online registrations and comments. WordPress also added a comment consent checkbox, should visitors want their name and email address remembered so they don’t have to re-enter this information when they leave future comments. And WordPress has a built-in Privacy Policy Generator – just the bare bones of it, with lots of information that you still have to update/write yourself.

Resources

European Commission – Data protection – Better rules for small business and Principles of the GDPR
WPBeginner – The Ultimate Guide to WordPress and GDPR Compliance
Thrive Themes – The Smart Way to Make Your Opt-In Forms & Email Marketing GDPR Compliant
WooCommerce – How we’re tackling GDPR in WooCommerce core
IP Anonymization in Google Analytics
Facebook Group Suzanne Dibble – GDPR For Online Entrepreneurs (UK, US, CA, AU)
GDPR for online entrepreneurs – busting the myths, the sensible approach – Suzanne Dibble (1:26:29 video on YouTube)

Tools

WordPress:

Free:
GDPR
GDPR Core
GDPR Framework
GDPR Tools
WP GDPR Compliance
Cookiebot – cookie consent/controls only
GDPR Cookie Compliance

GDPR WordPress plugins comparison (1:32:25 video on YouTube)

Paid:
WordPress GDPR – an all-in-one plugin (on Code Canyon; affiliate link) (video)

Other:

Iubenda cookie solution
Cookie Consent bar by Insites

Disclaimer

Again: let me make perfectly clear that I am not a lawyer, and that you should not assume the contents of this article are legally sound. This is merely a reflection of my search for information, on the Internet – coupled with (hopefully) some common sense and healthy suspicion.

Always consult your own lawyer and/or your data protection professional.

GDPR Jokes

Do you know a good GDPR consultant?
Yes.
Can you pass me their email address?
No.

~

Have you heard the GDPR joke about the man from Spain?
Unfortunately, I can’t tell you because the data subject hasn’t granted consent, and I have no other legal basis for processing.