Disclaimer: this post was written in partnership with attorney Christina Scalera but is not legal advice. Please consult your legal counsel to ensure GDPR compliance.
WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?
We’ve all heard about the big data breaches. That time a-shall-remain-nameless retailer had its credit card numbers lifted (we forgive you). The (it seems like daily) emails we get from doctors’ offices, software providers and online shops that tell us, “Oops! Someone hacked our system and your data may be compromised.”
The GDPR was designed to help protect us as internet users from these breaches of trust. It is designed to do that in two ways: (1) it makes consent to use your name, email and other data optional, and (2) if there is a breach, it forces the site/shop to tell you within 72 hours, not months and months after a cyber attack or hack.
5 WAYS TO TELL IF THE GDPR APPLIES TO YOUR BUSINESS
Even though this new General Data Protection Regulation is focused on European markets, there will be many businesses in the U.S. who will have to comply. Here’s how you can figure out if you are one of them:
- A reasonable amount of people who are on your email list or who visit your site are based in the EU (which includes the UK); or
- You use EU-based languages to market your goods and services; or
- Your domain name ends with an abbreviation that’s EU-based (e.g., .co.uk for the United Kingdom, .es for Spain); or
- You accept payment in Euros; or
- You target European countries for sales, including the United Kingdom.
HOW CAN I BECOME GDPR-COMPLIANT?
- Here’s an online checklist you can reference to see if the remainder of your website is GDPR compliant (Please note that these templates and checklists are not affiliated with MAKA Digital).
- Once you have updated your TCPP and website, it is best practice to email consumers about this update.
STEP 2. CONSENT TO OPT-IN IS NOW REQUIRED.
Unfortunately, where Step 1 (see above) used to be enough, it no longer is under the GDPR. One of the major changes is the requirement that you get consent from the visitor when they opt-in to your communications and visit your website.
- When a consumer from the EU opts in to receive communications from you, there is explicit language and checkboxes that now need to be included on your opt-in forms. Reference your document templates or legal advisor for approved language.
- This consent has to be freely given, so online business owners will need to make sure any opt-in forms aren’t checked ‘yes’ by default if the visitor is from the EU.
- For traffic coming from the EU, they need to be shown a notice about cookies used on your site. This can be achieved by using a cookie bar that pops up a notification. Many website platforms also offer plugins to automatically detect EU visitors and show this notice. If you are on a common website platform it is worth searching the app/plug-in store for a solution.
STEP 3. KEEP LEARNING ABOUT THE GDPR.
The truth is we only know how this thing is going to look and work in theory until the EU starts enforcing it, and we don’t know when that will be. While the GDPR officially takes effect on May 25th, it’s best to stay up-to-date on news even after this point to make sure your webstore is continually compliant. We’ll keep you updated on future news, and feel free to drop us a line at firstname.lastname@example.org if you have any questions.