by Gina Burgess
By now you’ve most likely heard something about GDPR (General Data Protection Regulation). This is a European Union law that goes into effect on May 25, 2018. So what does a law in Europe have to do with global online business? I’m so glad you asked!
It applies to you if you offer goods or services to, or track the behaviour of, people in the European Union; what matters is that the person is in the EU, not their citizenship. Even so, it is a good thing for those of us outside the EU, because it pushes the services we all use toward giving people far more control over how their personal information is used by anyone on the Internet. Really!
Don’t be so sure you’re not collecting any private data at all. Websites are complicated beasts with a lot of moving parts under the hood. Here are some ways you may be collecting private data on your website or blog that you may not have thought of:
- Do you have a contact form that lets people email you?
- Do you have an email newsletter list?
- Do you allow people to post comments on your blog or your website?
- Are you an affiliate of Amazon or Apple iBooks or any other online store?
- Do you have Facebook Like buttons? Or Twitter Tweet buttons? Or any other social media buttons?
- Do you track visitors to your site with Google Analytics or some other tracking tool?
- Do you have any sort of cookies on your site?
- Do you have a Facebook “pixel” on your site?
- Do you use Feedburner for your blog?
- Do you use a spam protection service, such as Akismet?
Any one of these means personal data about your visitors is being collected, stored or passed to a third party through your site, and that brings you within the scope of GDPR.
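The list above boils down to one mechanical fact: every script, image, iframe or stylesheet your page loads from someone else’s domain sends that visitor’s IP address, browser details and the page they were on to that domain, whether or not you think of it as “collecting data”. The scanner below is an added example written for this post (it is not code from the author, from WordPress, Google, Facebook or any other service named above). It parses a page’s HTML and reports every resource fetched from a host other than your own, including the scripts that the usual Google Analytics and Facebook pixel snippets insert from inline JavaScript, which a plain search for `src=` would miss. The hosts in `KNOWN_HOSTS` are the documented embed hosts of those services but the list is illustrative, not complete, and the sample page is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by the embed snippets of common services. Illustrative list for
# this example (an assumption, not an exhaustive catalogue); anything not
# listed is still reported, just as an unknown third party.
KNOWN_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "connect.facebook.net": "Facebook SDK (Like button, pixel script)",
    "www.facebook.com": "Facebook Like button / pixel beacon",
    "platform.twitter.com": "Twitter button widget",
    "feeds.feedburner.com": "Feedburner",
}

# Absolute or protocol-relative URL inside inline JavaScript; the host must
# contain a dot so that a '// comment' is not mistaken for one.
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)

# Elements whose src/href make the browser fetch something on page load.
FETCHING_TAGS = {"script", "img", "iframe", "link", "video", "audio", "embed"}


class ThirdPartyScanner(HTMLParser):
    """Collects every resource the page loads from a host other than its own."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.in_script = False
        self.findings = []

    def _record(self, tag, host):
        host = host.lower()
        if host == self.site_host:
            return  # same-origin: the request stays on your own server
        self.findings.append({
            "tag": tag,
            "host": host,
            "service": KNOWN_HOSTS.get(host, "unknown third party"),
        })

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        if tag not in FETCHING_TAGS:
            return
        attrs = dict(attrs)
        url = attrs.get("src") or attrs.get("href")
        host = urlparse(url).hostname if url else None
        if host:  # relative URLs have no hostname and are same-origin
            self._record(tag, host)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # The classic analytics/pixel snippets insert their <script> from
        # JavaScript, so a static src scan alone would miss them.
        if self.in_script:
            for host in dict.fromkeys(URL_RE.findall(data)):
                self._record("script (inline)", host)


def scan(html, site_host):
    """Return the third-party resources found in `html` for a site at `site_host`."""
    parser = ThirdPartyScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page for the example: not a real site, IDs are placeholders.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE-ID"></script>
<script>
(function(i,s,o,g,r){i[r]=i[r]||function(){};a=s.createElement(o);a.src=g;
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
</script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<script src="/js/app.js"></script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=EXAMPLE-ID&ev=PageView&noscript=1"/></noscript>
<iframe src="https://widgets.example-cdn.net/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "www.example.com"):
        print(f"{f['tag']:16} {f['host']:32} {f['service']}")
```

To use it on your own site, save your home page’s HTML and call `scan(open("index.html").read(), "yourdomain.com")`. Two caveats: the scanner only sees what is in the HTML you hand it, so it will not catch resources added later by JavaScript, cookies those scripts set, or server-side plugins such as Akismet, which sends comment text to Akismet’s servers without anything appearing in the page. Those still need a look through your installed plugins and hosting settings.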
If you blog with Blogger, much of this is handled for you: Blogger doesn’t share personal information about your followers with you the blogger, and Google added a cookie notice for EU visitors to Blogger sites (if you customized your template, check that the notice still appears). If you blog with WordPress, they have this covered and you should have received an email telling you what to do. In fact, most services around the net, MailChimp and other contact managers included, have made changes to comply. It’s only scary if you stick your head in the sand.
Here is the link to some frequently asked questions about GDPR from GDPR.org. It’s written in easy-to-read English. Keep in mind that the regulation itself, Regulation (EU) 2016/679, is the authority; plain-English summaries like that one are a starting point, not the last word. The fact is, most businesses around the globe won’t be hurt by it if they take the time to comply.
Just know that a single complaint from a single person, or failing to act when just one EU or UK person asks you to remove their information from your database, can lead to a heavy fine; the regulation allows fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. You do have one month to respond to such a request, though, and that can be extended by a further two months if the request is complex.
Remember, I am not a lawyer, this is not legal advice. I’m just sharing how I understand this GDPR stuff.
The way I understand it is that the person needs to give consent before their information is saved to your list, database or website, and GDPR requires that consent be freely given, specific, informed and unambiguous. So if a notice tells them what you will do with their information before they fill out the contact form, and they then fill it out, that is consent. You also have to be able to show that consent was given, so keep the evidence: the notification email that tells you so-and-so just signed up for your newsletter should suffice for a small business. Don’t delete those notifications.
Being a small business, you usually don’t have to designate a Data Protection Officer (DPO). The requirement depends on what you do rather than on your size: a DPO is required for public authorities and for organisations whose core activities involve regular, large-scale monitoring of people or large-scale processing of special categories of data (health, religion and the like).
If the personal information is necessary to perform a contract with the person, you don’t need separate consent for it; editors editing a manuscript, authors sending an ARC to reviewers, working with beta readers, or something of that nature. Performance of a contract is its own lawful basis under GDPR, separate from consent.
You can read a whole lot more about it on Wikipedia (be sure to check the references for legitimacy.)
So what do you think? Is this better or worse?