Ready or Not, Here Comes GDPR: What You Need to Know – and Do – to be Compliant
You’ve probably heard about the European Union’s (EU) General Data Protection Regulation (GDPR) that takes effect on May 25. Although it’s receiving scant attention in the news, GDPR is sounding a depth charge among American companies as it implements sweeping changes on businesses that deal with customer data – which may very well include yours. In other words, GDPR compliance isn’t just for EU-based companies. Here’s what you need to know.
What is GDPR?
In TechRepublic’s cut-to-the-chase terms, the GDPR was put in place to protect the personal data of EU residents and affects any business that has customers located in the EU. There is no restriction based on location, company size or scope of business, meaning any entity with an internet presence could be affected. As reported by TechRepublic’s Brandon Vigliarolo, fines for non-compliance will be high. Any service offered to an EU resident – regardless of whether the service is free and which country hosts its servers – has to play by the rules.
The Big Difference
Calling the GDPR a “seismic shift in the digital information space,” Kimberly Simpson – regional director of the National Association of Corporate Directors (NACD) – noted the major differences in the approach to collecting personal data in the United States and the EU.
“In the U.S., personal information is often collected as a matter of course, with only an ‘opt out’ offered to consumers. By contrast, GDPR requires that in order to collect information from EU data subjects, an affirmative ‘opt in’ consent must be obtained that clearly specifies how the data will be used. Privacy policies must match. Then, once information is obtained, the EU data subject has the right to request that his or her data be deleted; that is, to invoke the right ‘to be forgotten.’ Incorrect information must be corrected upon request. These rights may seem simple enough, but when data is held in multiple locations, developing a process to handle such requests may be quite difficult.”
WordPress & GDPR Compliance
Implicit in all of this is a key part of GDPR: the business's responsibility to secure customer data and websites against data breaches, phishing and other forms of malicious online activity. Search Engine Watch turned attention to WordPress, noting that estimates show WordPress is used by 25-40% of the internet – and given its widespread popularity and usage, it is a prime target for hackers.
WordPress is prepared for GDPR, introducing its GDPR Compliance Team and providing information on how WordPress is paving the way with new privacy tools.
The GDPR Compliance Team is focusing on four main areas:
• Adding functionality to assist site owners in creating comprehensive privacy policies for their websites.
• Creating guidelines for plugins to become GDPR ready.
• Adding administration tools to facilitate compliance and encourage user privacy in general.
• Adding documentation to educate site owners on privacy, the main GDPR compliance requirements and on how to use the new privacy tools.
WordPress has also added a roadmap for adding privacy tools to core. These tools will help website owners comply with GDPR and other privacy laws and requirements.
Social Media Marketing and GDPR Compliance
Social media marketers now need to ensure that the data they collect from EU residents – as well as how they collect it – is GDPR compliant. According to Social Media Examiner, collection of personal data from an EU resident requires obtaining explicit consent, which generally means that the consent should be:
Voluntary – Have the user take affirmative action.
Specific and informed – Make sure people are aware of what you’re collecting, how it’s being used, and whom it may be shared with.
Unambiguous – Don’t disguise with redirects to terms of service overflowing with legal jargon.
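The three consent properties above map directly onto how a site records consent. The following is an added example (not code from WordPress, Social Media Examiner or Virtual Stacks Systems) showing one way a web form handler might build a consent record that is voluntary (an unticked box the user ticked, never a default), specific (one entry per purpose, nothing granted beyond what was shown), informed (tied to the exact privacy-policy version displayed) and unambiguous (a redirect to terms of service is rejected as a collection method). The purpose names, the form field names and the sample form body are all constructed for this example.

```javascript
'use strict';

// Purposes a site might ask consent for. Constructed for this example;
// a real site lists the purposes its own privacy policy describes.
const KNOWN_PURPOSES = Object.freeze(['newsletter', 'analytics', 'third_party_sharing']);

// Collection methods that count as an explicit, affirmative act by the user.
// A redirect to a terms-of-service page, a pre-ticked box or silence do not.
const EXPLICIT_METHODS = Object.freeze(['checkbox', 'button_click']);

// Build a consent record, or throw if the consent would not be valid.
function createConsentRecord(input) {
  const { subjectId, purposes, policyVersion, method, affirmative, givenAt } = input;
  if (!subjectId) throw new Error('subjectId required');
  // Voluntary: the user must have taken an affirmative action.
  if (affirmative !== true) throw new Error('consent must be an affirmative act, not a default');
  // Unambiguous: only explicit collection methods are accepted.
  if (!EXPLICIT_METHODS.includes(method)) throw new Error(`ambiguous consent method: ${method}`);
  // Specific: consent is recorded per purpose, only for purposes the user was shown.
  if (!Array.isArray(purposes) || purposes.length === 0) {
    throw new Error('at least one specific purpose required');
  }
  for (const p of purposes) {
    if (!KNOWN_PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
  }
  // Informed: tie the consent to the privacy-policy version the user actually saw.
  if (!policyVersion) throw new Error('policyVersion required');
  return {
    subjectId,
    purposes: [...new Set(purposes)],
    policyVersion,
    method,
    givenAt: givenAt || new Date().toISOString(),
    withdrawnAt: null,
  };
}

// True only if the record covers this specific purpose and has not been withdrawn.
function hasConsent(record, purpose) {
  return record.withdrawnAt === null && record.purposes.includes(purpose);
}

// Withdrawal keeps the original record for audit and returns a withdrawn copy.
function withdrawConsent(record, at) {
  return { ...record, withdrawnAt: at || new Date().toISOString() };
}

// Simulated form handler. A browser omits unchecked boxes from the posted body,
// so a purpose is granted only if its box (e.g. consent_newsletter) was ticked.
// Submitting the form with nothing ticked is not consent and throws.
function consentFromFormBody(body, policyVersion) {
  const purposes = KNOWN_PURPOSES.filter((p) => body[`consent_${p}`] === 'on');
  return createConsentRecord({
    subjectId: body.email,
    purposes,
    policyVersion,
    method: 'checkbox',
    affirmative: purposes.length > 0,
    givenAt: body.submittedAt,
  });
}

// Example run on a constructed form body: newsletter ticked, nothing else.
const sample = consentFromFormBody(
  { email: 'alice@example.com', consent_newsletter: 'on', submittedAt: '2018-05-25T09:00:00Z' },
  'privacy-policy-v3'
);
console.log(hasConsent(sample, 'newsletter'), hasConsent(sample, 'third_party_sharing')); // true false
```

The point of keeping one entry per purpose is that a later request to share data with a third party cannot be satisfied by a newsletter consent; likewise, when the privacy policy changes, records carrying an older policyVersion can be found and re-consented rather than silently reinterpreted.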
Ready or Not, Here it Comes!
However, many organizations are still not ready. According to Crowd Research Partners’ 2018 GDPR Compliance Report, only 40% of organizations are either GDPR compliant or well on their way to compliance by this month’s deadline. Other key findings include:
• A whopping 60% of organizations are at risk of missing the GDPR deadline. Only 7% of surveyed organizations say they are in full compliance with GDPR requirements today, and 33% state they are well on their way to meeting the compliance deadline.
• While 80% confirm GDPR is a top priority for their organization, only half say they are knowledgeable about the data privacy legislation or have deep expertise; an alarming 25% have no or only very limited knowledge of the law.
• The primary compliance challenges are lack of expert staff (43%), closely followed by lack of budget (40%), and a limited understanding of GDPR regulations (31%). A majority of 56% expect their organization’s data governance budget to increase to deal with GDPR challenges.
Becoming GDPR compliant doesn’t need to be an overwhelming process. Virtual Stacks Systems offers comprehensive web design, web hosting and social media marketing services that can help you make compliance seamless. Contact us to learn more.