GDPR and websites

What is the GDPR?

The GDPR, or General Data Protection Regulation, is EU legislation that protects the privacy of people in the EU. It has inspired other regulations, such as the California Consumer Privacy Act (CCPA), and has reset expectations about privacy worldwide. Every website owner should know its principles and requirements, because it changes how we collect, store and use the data of customers and website visitors.

Do I need to read this if my company and website are not from the EU or California?

Yes. Your website can be reached by users worldwide, and the GDPR does not apply only to EU companies: it applies to any organisation that offers goods or services to people in the EU, or monitors their behaviour, wherever that organisation is based. If your website asks users to sign in with an email address when shopping, or to sign up for offers and notifications while browsing, you have just collected personal data. Where is that person located? Which regulations apply to their data?
It is best to set up your website now so that complying with current privacy regulations is easy and adapting to new ones is cheap. The worldwide trend in legislation is towards consumer protection. People are increasingly aware of their rights, and studies have shown that consumers prefer to buy from companies that take the security of their data seriously.

What are some of the regulations that will affect my website?

Privacy regulations tend to have certain requirements and principles in common, for example:
They define personal data broadly.
Names, email addresses and phone numbers are personal data, and so are online identifiers such as IP addresses and cookie IDs. All of it is protected under privacy regulations.
They aim to increase transparency.
The GDPR and the CCPA both require you to tell your website users which types of personal data you collect, why you collect it, who you share it with, and how long you keep it.
They require clear consent when you ask for personal data.
Your website should ask for unambiguous consent whenever it requests a person's data. For consent to be valid, the person must give it by a clear affirmative action, and withdrawing it must be as easy as giving it. Pre-ticked opt-in boxes in consent forms are no longer acceptable.
They put the individual in control of their personal data.
Even when someone hands their data to you, in a contact form, at the checkout, or in a chat box, it remains theirs, not yours, and they can ask for it back.
They let individuals ask for their data.
The right of access, the right to erasure (the "right to be forgotten") and the right to data portability let people demand a copy of all the data you hold about them, in a human-readable and, for portability, a structured machine-readable format; ask you to delete it; or ask you to transfer it to another company.
They set deadlines.
The CCPA gives you 45 days to fulfil an access or deletion request (extendable once by a further 45 days); the GDPR gives you one month, extendable by two further months only for complex or numerous requests.
They hold you accountable.

The CCPA allows fines of up to $7,500 per intentional violation and $2,500 per unintentional violation, and these are assessed per violation, so they add up quickly. The GDPR's penalties are even more sobering: failing to honour a data subject's rights, including not fulfilling a request on time, can be fined up to 20 million euros or 4% of your worldwide annual turnover, whichever is greater.

What features can I add to my website to help me comply with the GDPR and other privacy regulations?

A well written privacy policy.
Don't make it vague or overly complicated, and never make it misleading. Companies such as Google, Apple and YouTube, often held up as models of design, have recently rewritten their privacy policies with illustrations, indexes and readable fonts. By all means get legal guidance when writing your privacy policy, then write something your customers don't need a lawyer to understand.
A structured way for users to make data requests.
Regulations allow people to make requests however they choose: by email, by phone, by conventional mail, in person, or on social media. Requests arriving from every direction are hard to track, verify and fulfil on time.
You built a website so that you could take orders, offer customer service and process returns online rather than by phone or by mail. Setting up your website to receive data requests online is the obvious time-saving solution for access and portability requests as well. To see how you can add a fully functional data request portal to your site as a block or a widget, watch this video.
A process for verifying requester’s identities.
You are responsible for verifying the identity of a requester before responding to their data request; handing someone's data to an impostor is itself a data breach. To see how the Connectid Business plugin for WordPress verifies requesters, watch this video.
A system for collecting data quickly and delivering it securely.
Fulfilling a data request manually can easily take 30 to 40 hours. The Connectid Business plugin automatically extracts the requester's data from WooCommerce and delivers it securely to them. To see how to set up the plugin in WordPress, watch this video.
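The three steps above (receive the request, verify the requester, export and deliver the data) are easier to reason about in code. The following is an added example, not code from the page or from the Connectid Business plugin; it is a self-contained Python sketch that assumes a constructed customer store in place of WooCommerce, a hypothetical server secret and token lifetime, and the GDPR and CCPA response deadlines from this page. It shows the security points a practitioner cares about: the challenge token is bound to one email address and one expiry time with an HMAC, is compared in constant time, is minted even for unknown addresses so the portal does not leak who is a customer, and the export contains only the subject's own data, never internal fields such as password hashes.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed sample customer store standing in for WordPress/WooCommerce data.
CUSTOMERS = {
    "cust-1001": {
        "email": "alice@example.com",
        "name": "Alice Example",
        "phone": "+45 12 34 56 78",
        "orders": [{"order_id": "A-77", "total": "129.00", "currency": "DKK"}],
        "password_hash": "(bcrypt hash)",   # internal, never part of an export
        "fraud_score": 0.02,                # internal, never part of an export
    }
}
# Only the subject's own data leaves the system; internal fields stay behind.
EXPORT_FIELDS = ("email", "name", "phone", "orders")

# Hypothetical settings: a real deployment loads the secret from configuration.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600                                   # seconds
DEADLINE = {"GDPR": 30 * 86400, "CCPA": 45 * 86400}     # seconds


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def _mac(email: str, expires: int) -> str:
    """HMAC binding a token to one address and one expiry time."""
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def open_request(email: str, regime: str, now: int) -> dict:
    """Record a request and mint a challenge token for the address on file.
    Send the token by e-mail only: whoever presents it back controls the
    mailbox. A token is minted even for unknown addresses, so the portal's
    reply does not reveal which addresses belong to customers."""
    expires = now + TOKEN_TTL
    return {
        "email": email,
        "regime": regime,
        "received": _iso(now),
        "due_ts": now + DEADLINE[regime],
        "due": _iso(now + DEADLINE[regime]),
        "token": f"{expires}.{_mac(email, expires)}",
    }


def verify_challenge(email: str, token: str, now: int) -> bool:
    """Accept only an unexpired token minted for exactly this address."""
    try:
        exp_str, mac = token.split(".", 1)
        expires = int(exp_str)
    except ValueError:
        return False
    if now > expires:
        return False
    return hmac.compare_digest(mac, _mac(email, expires))   # constant-time compare


def export_data(email: str, token: str, now: int) -> Optional[str]:
    """Return the machine-readable (JSON) export, or None if the requester
    could not be verified. An unknown address gets an empty export."""
    if not verify_challenge(email, token, now):
        return None
    record = next(
        (c for c in CUSTOMERS.values() if c["email"].lower() == email.lower()), None
    )
    data = {k: record[k] for k in EXPORT_FIELDS} if record else {}
    return json.dumps({"subject": email, "exported": _iso(now), "data": data}, indent=2)


if __name__ == "__main__":
    now = int(datetime.now(tz=timezone.utc).timestamp())
    req = open_request("alice@example.com", "GDPR", now)
    print("respond by", req["due"])
    print(export_data("alice@example.com", req["token"], now))
```

In a real portal the token goes out by email to the address already on file, never to an address the requester types in, and the export is delivered over the same verified channel or a download link that itself expires. The deadline fields exist so that open requests can be tracked and escalated before the statutory clock runs out.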

Is there a way to guarantee compliance with privacy regulations?

No. Complying with privacy regulations involves your whole company and every employee. The goal should be to set your website up to do as much of the routine work as possible for you.
The Connectid Business plugin is a simple way to do that.
It’s built by SafeOnline, creators of TrustedLink, Connectid Mail, and Connectid Personal. SafeOnline is based in Copenhagen, Denmark and is continually developing solutions that offer a data ethical way to share personal information.