Unless you’ve been living under a rock, you’ve heard all about the GDPR at this point – whether through a flood of emails about being ‘committed to your privacy,’ or through your own research. Perhaps you’ve wondered what expanded privacy legislation like this might mean for your own website. If you haven’t, it’s high time you started.
The European Union’s General Data Protection Regulation (GDPR for short) is just the beginning. We’re already seeing other countries following suit – Canada, Australia, and the United Kingdom, to name a few. More will soon follow.
In short, even if you don’t ever intend to do business with EU citizens, even if you know for a fact that people in the European Union are outside your target demographic, it’s imperative that you work to comply with the GDPR. It’s better to be safe than sorry – better to have checks, balances, and processes in place in advance rather than being caught off-guard by new legislation. Moreover, much of what’s required under GDPR is simply good data hygiene.
But we’re getting off topic.
You’re here to find out whether your website will be in some way impacted by regulations like the GDPR, and whether you’re going to need to change how you do business online. The short answer?
It depends on what your website does.
If it’s something simple, like a blog or a digital portfolio, you’re probably in the clear. Note, of course, that I said probably. There are exceptions.
Let’s say, for example, you have a mailing list, or use marketing automation tools like tracking cookies. Suddenly, you’re veering into the realm of using personally identifiable data for business gains. You need to be transparent about that – ensure you have consent to use this data, and that you have a valid reason for processing it, such as one of the following:
You have a contract with a business partner, vendor, or consumer (Contractual Agreement)
You are legally obligated to retain/analyze their data (Legal Obligation)
You are retaining this data to protect someone’s life (Vital Interest)
You are retaining the data to perform something in the interest of the general public (Public Task)
You need to analyze data for either the legitimate interests of your business or the interests of a third party (Legitimate Interests)
Establish what data you are collecting, why you are collecting it, how long you will retain it, and how you will use it. Make it clear that consent to use this data may be withdrawn at any time, and provide the user with an easy way to change or withdraw their consent. The idea behind GDPR is to give people total ownership over their personal data – so the easiest way to comply is to do exactly that.
With that in mind, it’s also important to keep a close eye on all records of consent your site receives. Make sure they’re stored on a secure server, and that they are readily accessible. That’s doubly true of the collected data – you need to know exactly where a user’s information is at any given time, and have the capacity to delete it immediately.
Depending on what sort of data collection you do (and how you use that data), it may be worthwhile to invest in an Enterprise File Synchronization and Sharing (EFSS) or content collaboration platform that allows you to maintain ownership over files once they’ve left your perimeter. That way, you won’t run afoul of the Right to Erasure (the ability for any EU citizen to request their data be deleted), even if a person’s info is in the hands of one of your partners or vendors.
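As an added illustration (not code from the original post), here is a minimal consent register in Python that ties the points above together: each item of collected data is logged with its purpose, one of the lawful bases listed above, and a retention period; consent can be withdrawn per purpose, with the record kept as evidence of when; and an erasure request drops everything held about a person. The class names, the sample purposes and the user id are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class LawfulBasis(Enum):  # the lawful bases listed above; only CONSENT can be withdrawn
    CONSENT = "consent"
    CONTRACT = "contractual agreement"
    LEGAL_OBLIGATION = "legal obligation"
    VITAL_INTEREST = "vital interest"
    PUBLIC_TASK = "public task"
    LEGITIMATE_INTERESTS = "legitimate interests"

@dataclass
class ProcessingRecord:
    subject_id: str         # pseudonymous user id (constructed for the example)
    purpose: str            # why the data is collected, e.g. "newsletter"
    basis: LawfulBasis
    recorded_at: datetime
    retain_until: datetime  # how long the data may be kept
    withdrawn_at: "datetime | None" = None  # kept as evidence, not deleted on withdrawal

class ConsentRegister:
    """In-memory register of what is collected, why, on which basis, and for how long."""
    def __init__(self) -> None:
        self._records = []

    def record(self, subject_id, purpose, basis, retain_days, now):
        self._records.append(ProcessingRecord(subject_id, purpose, basis, now,
                                              now + timedelta(days=retain_days)))

    def withdraw(self, subject_id, purpose, now) -> bool:
        """Mark consent withdrawn for one purpose; records on other bases are unaffected."""
        hits = [r for r in self._records if r.subject_id == subject_id and r.purpose == purpose
                and r.basis is LawfulBasis.CONSENT and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = now
        return bool(hits)

    def may_process(self, subject_id, purpose, now) -> bool:
        """True only while a live record exists: not withdrawn and not past retention."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
                   and now < r.retain_until for r in self._records)

    def erase(self, subject_id) -> int:
        """Right to Erasure: drop every record for the subject; returns the number removed."""
        kept = [r for r in self._records if r.subject_id != subject_id]
        removed, self._records = len(self._records) - len(kept), kept
        return removed
```

A real deployment would persist these records on the secure, access-controlled store the text recommends; the in-memory list only demonstrates the bookkeeping.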
Beyond that, the other stipulations of GDPR are things you should have been doing already:
Use a strong password. A long string of random words, with a few symbols and numbers mixed in, is your best bet. Write it down somewhere if you must, or use a password-manager tool.
Establish an incident response/disaster recovery plan. These days, being breached isn’t a question of if, but when. The more prepared you are for when things go south, the better equipped you’ll be to protect the data of your clients.
Use foundational security measures like firewalls, network monitoring, antimalware, and antispam.
Maintain isolated, regular backups of your website.
Perform a risk analysis of your business partners and associates. Supply chain attacks are very much a thing, and if someone decides to directly attack your site, they may do it through one of your vendors.
Basically, this is all the stuff that a webmaster worth their salt should be doing already.
The GDPR isn’t as complicated, intimidating, or troubling as some have made it out to be. It really just requires you to be in control of your data – to be organized, secure, and proactive. If you’re doing that, you should be fine, no matter what the future holds.