Disclaimer This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.
This chapter will explain what is GDPR and briefly reviews the major responsibilities of website owners. We’ll try to explain the bigger picture here and go into the details in later chapters.
GDPR stands for General Data Protection Regulation. It is a legislation that aims to protect the privacy of all EU citizens. GDPR forces organisations to make major changes in the way they handle their customers personal data, affecting their business processes as well as software. It’s a whole system of principles, rights and obligations which you will need to be familiar with. GDPR will apply from 25 May 2018.
GDPR has a very wide definition on personal data (more on that later). If you have a website at all, it’s very likely that you need to make some changes to it. Also note that GDPR is retroactive. This means that it applies to all customer data you’re storing and using, even if it was collected before May 25th 2018.
Technically, GDPR applies to everyone handling the personal data of EU citizens, even if they are not based in the EU. If you’re located outside of the EU and unsure if GDPR affects you, consult this knowledge base post.
How GDPR affects your website
Starting from May 25, your website visitors have certain new rights. To give you a very short overview that omits a million details: they can request a copy of all of their data you are storing, both in human- and machine-readable format. They can request you to delete all of it. You need to have a good legal basis for gathering and using any data. Alternatively, you need to ask for consent for each purpose separately. Your customers must be able to withdraw the consent they’ve given at any time. And you are obliged to inform them of everything you do with their data, everyone you share their data with and all of their rights regarding GDPR. (We’ll go over what ‘data’ in this context means later.)
Basically, a person’s personal data is always owned by that person. This means that they must have control over it (with some exceptions).
An important note is that if your website has comments or a contact form, it means that you are already storing someone’s personal data. Therefore, GDPR requires almost all website owners to take action.
Based on this summary, the situation might not look too bad. But as mentioned before, this is not the full list of rights and requirements. Also, once we go into the details, you’ll see that there’s a million things to take into consideration and lots of technical difficulties that will arise. But don’t worry – that’s why we’ve built this plugin.
How GDPR affects your business
GDPR also sets some new rules for you business in general. You need to keep a registry of all data processing activities. You might need to appoint a Data Protection Officer. You need to have contracts with everyone you share customer data with. You cannot transfer customer data to someone who does not comply with GDPR. Should a data breach occur (someone else getting access to customer data, by for example a hacked website or a stolen employee’s laptop), you need to notify your local supervisory authority and possibly your customers. If you store a lot of data or work with sensitive data, you might be obliged to make a Data Protection Impact Assessment. And you are responsible for demonstrating that you’re GDPR-compliant to your supervisory authority.
And again, that’s not even the full list.
Yes. We know – it’s a lot of work. But we are here to help you as best as we can!
We recommend getting started with GDPR compliance on your website as soon as possible. While making your website compliant, there’s a good chance that you’ll realise that you need the help of a developer or a lawyer. However, as May 25th approaches, other site owners will be doing the same thing and we expect that both developers and lawyers will have a lot of work in at least the following 6 months. You probably don’t want to be late.