What Is The GDPR?

What is the GDPR?

The GDPR is a privacy regulation from the European Union that protects its citizens, visitors, and travellers. According to the GDPR, these people, which the regulation calls “Data Subjects,” have rights related to information created or stored about them, no matter where that information is…even on a website in another country like the USA. In other words, GDPR Compliance matters to companies in the USA, like yours.

Our Website Uses Cookies

You might have noticed that over the last year or two, almost every website you visit now greets you with a message that says “Our Website Uses Cookies.” Although this notice is far from the only part of GDPR compliance you need to follow, it’s certainly the most visible. And it’s also evidence that even if you or your company CEO don’t think that the GDPR applies to US-based companies and websites, there are millions of other companies who believe that it does.

GDPR Rights

The GDPR gives data subjects 8 fundamental rights, and has a long list of requirements for the website owners. While some of the requirements can only be handled by your company internally, several of them come to life on your website. (Note: You should become familiar with the text of the GDPR to make sure that your company complies internally with its requirements.) Among the basic rights that the GDPR grants to Data Subjects are:
  • Right to be Informed — The ability to ask a company which personal data about them is being processed and the reason for the processing.
  • Right to Access — The ability to access personal data that is being processed, including viewing it and receiving a copy of it.
  • Right to Rectification — The ability to ask for changes to their personal data if it is inaccurate.
  • Right to Withdraw Consent — The ability to withdraw previously given consent for the processing of their personal data. The company is required to respect the request.
  • Right to Object — This one is a bit wonky, in that it’s similar to the Right to Withdraw Consent, except that it seems to apply to processing during legal disputes.
  • Right to Object to Automated Processing — Many decisions are based on automated processing of data, and this right provides for such decisions to be made and/or reviewed manually if it is believed that the automated processing didn’t consider the unique situation of the customer.
  • Right to be Forgotten — Allows the Data Subject to ask for the deletion of their data.
  • Right to Data Portability — Similar to the Right to Access, except that this right requires that the data be provided in a machine-readable format that can be transferred from one “Data Controller” to another.
You might notice that there is no specific mention about the use of Cookies. Cookies are considered “data” under the GDPR and are also covered specifically under the ePrivacy Directive section of the GDPR.

GDPR Responsibilities

The GDPR also has certain requirements for Data Controllers, the parties that handle the personal information belonging to Data Subjects. Among the requirements are that…
  • You conduct a data audit, which is an examination of all of the data your website collects, knowingly or unknowingly, from website visitors.
  • You have a legal justification for collecting and storing data.
  • You must keep your data secure so it is not breached.
  • You have a Breach plan in the event you do have a data breach.
  • You appoint a Data Protection Officer to manage this entire process. This is recommended in all circumstances and required in certain circumstances.
This is not a complete list, and you are encouraged to review the GDPR Checklist for full compliance.

But I Don’t Collect Any Data

Most of our clients look at these GDPR Rights and Responsibilities and tell us that they don’t collect any data on their website. To be clear, most of these rules apply to companies that process data on their websites, such as online stores, credit reporting agencies, banks, coupon sites, social media sites, and so on. But unless your website was built 15 years ago from pure HTML and doesn’t set a cookie or have a contact form, you are collecting data on your site, and therefore some of the GDPR rules apply to you, too. A contact form can be an important part of a website, and (along with receiving a phone call) it is likely the focus of all your online marketing. And while you might not realize that your website is setting cookies, if it’s built on WordPress, Drupal or any major content management system, it must set and read cookies to do its work. In a nutshell, if you have a modern website, you need to comply with the GDPR.

What Do I Do Next?

You can start by researching the regulations by visiting the official GDPR website. Whether you try to do everything you need on your own, or hire someone else to do it, you really ought to make sure you know what needs to be done, both on your website and in your company, so you know what your exposure is.

Or you can join the GDPR discussion on Reddit, a popular internet message board. There, thousands of people are participating in conversations about what the law requires, and how best to fulfill its requirements.

You can also take advantage of our GDPR Compliance Service. We are not attorneys, but we can summarize some of the more important requirements of the law for you and help you implement the requirements for your website. Learn more about our GDPR Compliance Service.