General Data Protection Regulation or GDPR – What you need to know

Tips for NZ website owners to comply with the General Data Protection Regulations (GDPR)

GDPR has been the topic of so many news articles, tech blogs, and privacy policy updates – but what does it really mean for New Zealand businesses?

If you have customers in Europe, or recruit from Europe, this issue is particularly relevant. All website owners should be proactive. Even if your target market is not in Europe, your site is still accessible by people all over the world (that’s why they called it the world wide web).

On 25 May 2018, new EU privacy laws came into effect to protect the personal data of European citizens wherever they may roam online. The laws cover the ways in which organizations use personal data and, in essence, require consent for the collection and use of personal information. They also give people in Europe the right to ask how an organization is using their data and to request that it be removed.

The GDPR does not apply to anonymized personal data, which means an individual can no longer be identified from the information alone.

It applies specifically to data that can be traced back to an identifiable individual. This includes, but is not limited to: the person’s name, contact details, financial information, medical records, images and videos of the person, location data, and their IP address. It applies even if the person can only be identified by combining pieces of information that alone would not reveal their identity. (1)

Why is it so important?

Failing to meet these regulations could result in a fine of up to 20 million euros (over 34 million NZD at the time of writing). For large global companies, the fine can be up to 4% of annual turnover if that is higher than the 20 million.

The GDPR also raises questions about why our data isn’t protected as a given. Why has it taken drastic measures from Europe to get the rest of the world to tighten up privacy controls?

The graph below shows the GDPR’s quick rise to fame since the end of last year. When big companies like Facebook and Google update their privacy policies – people take notice.

This shows a scale of relative search interest for the given region and time. A value of 100 shows the peak popularity of the term (for the GDPR that’s right now). This time last year, the term GDPR had a relative score of 8.

In some ways, this move is similar to what Google did with AdSense back in 2008 when it required publishers to notify users that they were collecting data with cookies. Basically saying ‘Hey, we’re tracking your data, is that ok with you?’ (2)

You don’t have to be in Europe

The new European regulations are far-reaching, or ‘extraterritorial’: not complying can still result in hefty fines even if you are outside the European Union.

It’s particularly important to comply if you sell a product or service to customers anywhere in Europe. The rules apply to anyone who collects European citizens’ information through forms, online sales or third-party plugins such as social media sharing buttons, and then shares or processes it.

What can you do to comply?

At the very minimum:

  • Set up a double opt-in for newsletters or forms
  • Install a cookies approval pop-up plugin
  • Create a privacy policy and explain how you store and use data
  • Include a note on any forms detailing how you store and use people’s data
  • Talk to your lawyer to ensure you’re meeting your legal obligations

If your customers are in Europe, it’s imperative you engage a lawyer to ensure that your website and data processing are fully compliant. Even if your customers are predominantly in NZ, it’s still worth taking measures to protect your customers’ privacy. There are also considerations for e-newsletters that MailChimp explains quite extensively (3).

The recommendations below are not a substitute for legal advice and are just some starting points to get your website on track for data protection. It’s not a one-off fix but will be an ongoing process.

WordPress sites: install a plugin to support GDPR compliance.

WP GDPR Compliance: This plugin adds a note to the form checkbox text stating that “by using this form you agree with the storage and handling of your data by this website”. The ticked checkbox provides proof that a customer gave you their approval to collect their details.

https://wordpress.org/plugins/wp-gdpr-compliance/

WP GDPR Core: This plugin creates a page where users can request access to their own personal data that’s stored on your website. In the backend, you’ll get an overview of the requests users send and you can see which plugins collect personal data. Users who ask to view their personal data receive an email with a unique URL on which they can view, update and download their own comments and ask for removal per comment. You also need an ‘ask for approval’ checkbox.

https://wordpress.org/plugins/wp-gdpr-core/

EU Cookie Law: informs users that your site uses cookies, with a pop-up for more information and an option to lock scripts until acceptance.

Cookie Notice: allows you to customize the cookie message, redirect users to a specified page for more cookie information, and set the cookie expiry.

Note: Activating these plugins does not guarantee that you fully comply with GDPR. Please contact a GDPR consultant or law firm to assess the necessary measures.

Cookie notification wording could include: “We use Analytics on this site which tracks visits anonymously using cookies. Please close this box to confirm that’s ok with you, or read more in this privacy statement”
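The cookie plugins above offer to hold back tracking scripts until the visitor accepts. The snippet below is an added example of that idea written by hand, not code from the original post or from any of the plugins listed: the analytics script is only injected into the page after an explicit acceptance is recorded in a cookie, and a missing, declined or tampered cookie leaves it blocked. The cookie name, the script URL, the element ids and the button labels are assumptions chosen for this example; the notice text reuses the wording suggested above.

```javascript
// Added example, not code from the original post or from the listed plugins.
// Consent gate: load the analytics script only after the visitor accepts.
// CONSENT_COOKIE, ANALYTICS_SRC and the element ids are assumptions.

const CONSENT_COOKIE = 'cookie_consent';                      // assumed cookie name
const ANALYTICS_SRC = 'https://analytics.example/tracker.js'; // placeholder URL

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch (e) {
      cookies[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return cookies;
}

// The visitor's recorded decision: 'accepted', 'declined' or 'unknown'.
// Any value other than the two explicit ones counts as no decision.
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'accepted' || value === 'declined' ? value : 'unknown';
}

// Fail closed: only an explicit 'accepted' unlocks the tracker.
function shouldLoadAnalytics(cookieString) {
  return consentState(cookieString) === 'accepted';
}

// Cookie string that records a decision. A bounded Max-Age and SameSite=Lax
// keep the consent record itself from becoming a long-lived cross-site marker.
function consentCookieString(decision, maxAgeDays = 180) {
  if (decision !== 'accepted' && decision !== 'declined') {
    throw new Error('decision must be "accepted" or "declined"');
  }
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAge}; Path=/; SameSite=Lax`;
}

// Inject the analytics <script> once, and only after consent.
function loadAnalytics(doc) {
  if (doc.getElementById('analytics-script')) return;
  const script = doc.createElement('script');
  script.id = 'analytics-script';
  script.src = ANALYTICS_SRC;
  script.async = true;
  doc.head.appendChild(script);
}

// Browser wiring: show the notice until a decision exists, then act on it.
function initConsentBanner(doc) {
  const state = consentState(doc.cookie);
  if (state === 'accepted') { loadAnalytics(doc); return; }
  if (state === 'declined') return;

  const banner = doc.createElement('div');
  banner.id = 'cookie-notice';
  banner.textContent = 'We use Analytics on this site which tracks visits ' +
    'anonymously using cookies. Read more in our privacy statement. ';
  for (const decision of ['accepted', 'declined']) {
    const button = doc.createElement('button');
    button.textContent = decision === 'accepted' ? 'OK' : 'No thanks';
    button.addEventListener('click', () => {
      doc.cookie = consentCookieString(decision);
      banner.remove();
      if (decision === 'accepted') loadAnalytics(doc);
    });
    banner.appendChild(button);
  }
  doc.body.appendChild(banner);
}

// Run only in a browser; the pure functions above work without a DOM.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => initConsentBanner(document));
}
```

The page serves no tracker markup of its own; the only `<script>` tag for analytics is created at runtime once `shouldLoadAnalytics` returns true, so a visitor who never decides, or declines, is never tracked. The pure functions (`parseCookies`, `consentState`, `shouldLoadAnalytics`, `consentCookieString`) are separate from the DOM wiring so the gating rule can be unit-tested outside a browser.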

Alexanders is actively working on WordPress & Joomla sites to install plugins and privacy/cookie terms pages. Talk to us about implementing a solution. Alexanders has engaged a lawyer who has prepared templates for our clients – if you are interested, talk to us about getting a copy – for a small contribution to our legal fees.
