Our clients and team of Virtual Assistants are buzzing about the GDPR privacy law that comes into full force on May 25, 2018.
This is important because all companies in the U.S. who have a web presence must pay attention to the GDPR law, to evaluate and change existing data security practices where necessary. Even if you have one European resident as a customer, client or email subscriber—GDPR applies to you.
This means that, in practice, most services and/or projects will be considered to involve processing of personal data.
Do you know what type of personally identifiable data you have on file for your current clients? How sensitive is it? Where is it held? Do you use third-party services like Google Analytics or Stripe? Do you know what they do with the data they obtain from you? Do you obtain explicit permission for obtaining that data, without a lot of legalese and links to Terms & Conditions? What are your data handling processes and procedures?
There is no way to know – yet – how strictly the EU will enforce the fines that come along with the new laws. Regardless, your company should be accountable and responsible for personal data that you collect. We believe it’s still prudent to invest the time in strengthening your data security processes and procedures.
At this time, we don’t think that enforcement—but who wants to be the company that finds out that the enforcement mechanisms are, indeed, effective?
Here are a few action items:
Make it clear what users are signing up for. On any of your e-mail opt-in forms, make sure the wording explicitly describes what someone is signing up for. As an example, if you’re offering a free white paper, make sure that there is clear wording to ask if they would like to receive further, regular mailings from your company. GDPR requires specific consent – and you might keep a record of that consent. Furthermore, if the data you collect changes – or, more importantly, you start using it for a different purpose – you have to obtain consent from the data owner again.
Make it quick & easy for users to unsubscribe (and be sure to take it a step further and delete their info from any third-party vendors you use like Square or PayPal). An important factor of the GDPR is called “the right to be forgotten” which essentially means that subscribers should easily be able to unsubscribe, or stop having their information used in any way.
Ensure that your website is switched to HTTPS. While this has long been regarded as an SEO strategy, it is now a must-have for data security.
Be sure that your plugins and web hosts are in compliance. For example, with a WordPress blog, WordPress requires all users, by default, to enter what is considered personal data, such as their name and e-mail address, before they can comment. In addition, the plugins that you install on your WordPress site to give you additional functionality have the potential to collect personal data on your users.
This is a strong indication of where data privacy and security are heading in the U.S. as well.