GDPR Compliant Websites
Are you wondering how to make your website GDPR compliant? E-Platform Marketing is an Atlanta digital marketing agency that helps companies have GDPR compliant websites. Our agency can also direct you to the best GDPR compliance law firms.
About The GDPR – General Data Protection Regulation
This article was written to provide a general introduction to GDPR. Comments are included on how it may impact a typical business in the United States. Our company is not a law firm. Information provided here is not to be considered legal advice. As you read through this article you will need to make your own assessment of whether or not GDPR applies to your business.
Who Are GDPR Compliance Law Firms?
Every business has its own unique set of circumstances, and GDPR is complex. In fact, there are many aspects of GDPR that have not been settled conceptually or even sorted out through case law. For GDPR legal advice you need to contact GDPR Compliance Law Firms which can provide expert counsel.
What is GDPR?
GDPR is an acronym for the General Data Protection Regulation. The GDPR is a legal framework that defines requirements for the management of personal information collected on residents of the European Union (EU). In short, this privacy regulation is intended to protect the privacy of European residents, and in so doing it imposes strict obligations on every business that engages European residents.
Why GDPR Is Worthy of Concern
In its general purpose, the GDPR is not very different from other personal data privacy laws around the world. What makes GDPR quite remarkable is that it has the potential to impact any business anywhere in the world – including the arbitrary imposition of extreme financial penalties. Any business that handles personal data on EU individuals can be affected by this regulation. For these companies, GDPR mandates that they provide certain rights to their customers and implement supporting corporate compliance measures. Under GDPR the financial penalties for non-compliance can be as severe as 20 million EUR or 4% of corporate annual revenue, whichever is greater.
A WORD OF CAUTION: The GDPR is presented as consumer protection legislation. However, if you read between the lines, it is obvious that this enables the EU (through excessive penalties) to use this law as a revenue generator. We strongly advise any company that directly or indirectly works with EU entities to develop an understanding of the GDPR and develop appropriate adjustments to their business. The consequences of being held accountable for non-compliance could be financially devastating.
Does GDPR Affect My Business?
We want to remind readers that this article was not written by lawyers and is not presented as legal advice. Our best piece of advice is to ask yourself, “Does my business collect personal data on people in the EU?” If the answer is yes, GDPR could possibly affect your business.
If your business is based outside of the EU, and you do not have customers or vendors in the European Economic Area (EEA), this regulation will probably not affect your business. If your business engages customers or vendors within the EEA, you may be affected. Without full scrutiny of your business operation, you may remain unaware of relationships or interactions that place your company in the line of fire from EU authorities. Do you know every person and company that may be a customer or vendor, or whether they have an EU parent company?
Thinking ahead, it is conceivable that the United States may institute similar laws. For this reason, we believe that American business owners should become familiar with this regulation. It may be a good idea to contact a law firm that understands the General Data Protection Regulation. Then take an hour to have a lawyer help you to assess your situation.
How to Make Your Website GDPR Compliant
Companies in the United States are beginning to ask, “Is my website GDPR compliant?” If you have not created a GDPR checklist and taken specific actions, the answer is probably no. So what do you do if your business is in the USA? We can provide a GDPR website checklist and do the work you need. There are a few things which every business should do, even if you have no customers in the EU.
Top 3 Website Action Items for Your U.S. Business
Protecting customer information is good for everyone concerned. Taking prudent safeguards makes your company look good, mitigates certain risks and liabilities, and it’s simply the right thing to do. Our agency can manage all of the following recommended actions. Contact us for details and pricing.
1) Add SSL Security to Your Website
Integrate SSL into your website. SSL encrypts (protects) data shared through your website contact form, e-commerce function, opt-in processes and more. In fact, Google already demands SSL security for websites. By integrating SSL you will protect your customers’ information and satisfy a critical Google requirement. Call us if you need to add SSL to your website.
2) Add a Cookie & Tracking Alert to Your Website
Most websites utilize “cookies” to obtain certain information on how website visitors interact with a website. Most commonly, this occurs via the use of Google Analytics, LiveChat or heat mapping. Under the General Data Protection Regulation, website owners are mandated to offer EU website visitors the option of accepting the use of cookies or leaving your website. Our GDPR website developers can help you add this critical piece to your website.
3) Update Your Website Privacy Policy
Whether or not GDPR truly affects your business, your customers may have concerns. Amending your privacy policy with information on how your company has addressed GDPR is a very good idea. If your website was built by E-Platform Marketing you already have a general privacy policy page. We can easily update your privacy policy page to address the GDPR. We can provide your company with a GDPR Privacy Policy template for your website. Contact us for GDPR privacy policy information.
More Information On GDPR
What Countries Are Absolutely Affected By GDPR?
Albania, Algeria, Andorra, Angola, Anguilla, Aruba, Austria, Azerbaijan, Belgium, Belgium (French), Benin, Bermuda, Bonaire, Saint Eustatius and Saba, Bosnia / Herzegovina, Botswana, British Indian Ocean Territory, Bulgaria, Burkina Faso, Burundi, Cameroon, Cape Verde Islands, Cayman Islands, Central African Republic, Chad, Comoros, Congo, Democratic Republic of Congo, Republic of Cote d’Ivoire, Croatia/Hrvatska, Curacao, Cyprus, Czech Republic, Denmark, Djibouti, East Timor, Eritrea, Estonia, Ethiopia, Falkland Islands, Faroe Islands, Finland, France, French Guiana, French Polynesia, French Southern Territories, Gabon, Gambia, Georgia, Germany, Ghana, Gibraltar, Greece, Greenland, Guadeloupe, Guernsey, Guinea, Guinea-Bissau, Guyana, Haiti, Hungary, Iceland, Ireland, Isle of Man, Italy, Jersey, Kenya, Latvia, Lesotho, Liberia, Liechtenstein, Lithuania, Luxembourg, Macedonia, Madagascar, Malawi, Mali, Malta, Martinique, Mauritania, Mauritius, Mayotte Island, Moldova, Monaco, Montenegro, Montserrat, Morocco, Mozambique, Namibia, Netherlands, Netherlands Antilles, New Caledonia, Niger, Nigeria, Norway, Pitcairn Island, Poland, Portugal, Reunion Island, Romania, Rwanda, Saint Barthelemy, Saint Helena, Saint Martin, Saint Pierre and Miquelon, San Marino, Sao Tome and Principe, Senegal, Serbia, Seychelles, Sierra Leone, Saint Maarten, Slovak Republic, Slovenia, Solomon Islands, Somalia, South Georgia and South Sandwich Islands, Spain, Suriname, Svalbard and Jan Mayen Islands, Swaziland, Sweden, Switzerland, Tanzania, Togo, Tunisia, Turks and Caicos Islands, Uganda, United Kingdom, Vatican City, Virgin Islands (British), Wallis and Futuna Islands, Zambia, Zimbabwe.
Domain Privacy Registration and GDPR
As of May 25, 2018, our domain registration privacy product (Domains By Proxy) is no longer available in GDPR affected areas.
On May 25, 2018, GDPR required a change to Whois. When a Whois search is conducted on a domain registered in the European Economic Area (EEA), the results will only show domain technical information, Registrant Country and State/Province. This impacts GoDaddy customers in the EEA as well as customers in countries that mirror the languages and currencies of GDPR-impacted regions.
What Are a Company’s Responsibilities Under GDPR
The official version of the GDPR is 261 pages long, contains 173 Recitals, 99 Articles and (as mentioned) is complex and often broad, vague and ambiguous (lucky us). We’re going to cover just a few of its key principles:
- Due Care requires that companies safeguard personal data
- Minimization requires that companies only collect personal data that is necessary for its intended purpose
- Privacy by Design requires that companies analyze what risks affect personal data and work to minimize those risks
- Notification requires that authorities are notified in a timely manner of any data breaches that affect personal data
What Constitutes Personal Data Under GDPR?
Personal data is defined as any information that can be used to directly or indirectly identify a person. Common types of personal data include name, email address, credit card info, or an IP address.
What Are EU Customer Rights Under GDPR?
- Transparency or the right for individuals to know what is happening with their personal data
- Consent or the right for individuals to choose what personal data is collected about them and to change that choice
- Update and Erasure or the right for individuals to update or request deletion of their personal data
- Portability or the right for individuals to request a machine-readable copy of their personal data
- Privacy by Design is our process which proactively applies prudent actions and procedures to protect personal data
- Data Breach Notification is our obligation to promptly advise any client affected by a data breach or security problem.
Transparency
What data are you collecting and how will it be used? Explaining that to your customers in an easy to read and easily understood manner is an important principle of any privacy law, including GDPR.
GDPR requires companies to provide transparency in how they collect and use customer information. Privacy policies are the ideal manner for offering transparency by explaining to your customers clearly and in simple language how you collect and use their personal data.
Customer Controls and Managing Consent
If you are using (or collecting) information from your customers (beyond what is required to provide them the goods or services you sell) then you must provide options to consent (opt-in) to any additional uses. Furthermore, customers must be given the ability to revoke their consent.
The most obvious example here is using email addresses or phone numbers collected to communicate with your customers (usually we think in terms of opt-in/opt-out to such communications/subscriptions). This information may be provided by your customers in the course of creating an account or purchasing a product or service from you. However, it also includes your collection of information about individuals who visit your websites via tools commonly known as “cookies” (and similar technologies such as pixels, scripts, etc). Certainly, you’ve seen “cookie banners” when visiting websites, and similar to the use of a privacy policy, these cookie banners allow for greater transparency. By displaying a cookie banner, individuals may learn more about what tools are being used to collect information about them, accept or decline such use, and/or otherwise granularly control which cookies might be acceptable for use.
Under GDPR, your customers must be given the right to consent to such collection (and subsequent use), and the only way consent may be properly given is if you presented the option to exercise such consent in an easy to understand, specific (to the particular use), and explicit manner. Pre-checked boxes, silence or inactivity cannot be used to indicate your customer’s consent. For instance, if you have a checkbox on your website that says, “We will share your data with 3rd party advertisers,” you cannot pre-select the checkbox to opt data subjects into processing their data. The checkbox needs to remain un-checked for data subjects in the EEA until they voluntarily opt-in or express consent to such processing.
Ultimately, you need to ensure your customers can exercise control over the use of their personal data, communications, and consent, including a right to revoke that consent.
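The consent rules described above (nothing loads until the visitor explicitly opts in, no pre-checked defaults, and a way to revoke) can be enforced in the page itself rather than left to the banner's appearance. The following is an added example written for this article, not code from E-Platform Marketing or any cookie-banner vendor; the category names, the storage key and the loader callbacks are assumptions chosen for illustration. It keeps non-essential trackers unloaded until a recorded, explicit decision exists, rejects a stored record that claims consent without a decision, and removes the record entirely on revoke.

```javascript
// Added example (not the page's or the agency's code): explicit opt-in gate
// for non-essential cookies and trackers. Names below are assumptions.
const NON_ESSENTIAL = ["analytics", "marketing"];
const STORAGE_KEY = "cookie-consent"; // assumed storage key

// Default state: no decision yet and every non-essential category unchecked.
// Silence, inactivity or a pre-ticked box must never count as consent, so
// `decided` stays false until the visitor acts.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false };
}

class ConsentManager {
  // storage: anything with getItem/setItem/removeItem (window.localStorage in
  // a browser, an in-memory map here); loaders: { category: fn } where each
  // fn injects the corresponding tracker script.
  constructor(storage, loaders) {
    this.storage = storage;
    this.loaders = loaders;
    this.loaded = new Set();
  }

  // Read the stored decision, treating anything malformed as "no decision".
  state() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return defaultConsent();
    try {
      const parsed = JSON.parse(raw);
      // A record that marks categories true without an explicit decision is
      // exactly a pre-checked default; it is discarded, not honoured.
      if (parsed.decided !== true) return defaultConsent();
      const s = defaultConsent();
      s.decided = true;
      for (const c of NON_ESSENTIAL) s[c] = parsed[c] === true;
      return s;
    } catch (e) {
      return defaultConsent();
    }
  }

  // Record the visitor's own choice: only categories they ticked become true.
  grant(granted) {
    const s = defaultConsent();
    s.decided = true;
    for (const c of granted) if (NON_ESSENTIAL.includes(c)) s[c] = true;
    this.storage.setItem(STORAGE_KEY, JSON.stringify(s));
    return s;
  }

  // Revoke: remove the record so later page loads behave as if consent had
  // never been given. Scripts already running cannot be unloaded from a live
  // page, which is why banners typically reload after a revoke.
  revoke() {
    this.storage.removeItem(STORAGE_KEY);
    return this.state();
  }

  // Load each granted category once; returns what was loaded by this call.
  applyConsent() {
    const s = this.state();
    const loadedNow = [];
    if (!s.decided) return loadedNow; // undecided: load nothing
    for (const c of NON_ESSENTIAL) {
      if (s[c] && !this.loaded.has(c) && typeof this.loaders[c] === "function") {
        this.loaders[c]();
        this.loaded.add(c);
        loadedNow.push(c);
      }
    }
    return loadedNow;
  }
}

// In-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed walk-through: first visit, opt in to analytics only, then revoke.
function demo() {
  const calls = [];
  const cm = new ConsentManager(memoryStorage(), {
    analytics: () => calls.push("analytics"),
    marketing: () => calls.push("marketing"),
  });
  const beforeDecision = cm.applyConsent(); // nothing loads yet
  cm.grant(["analytics"]);
  const afterOptIn = cm.applyConsent();     // only analytics loads
  const noDuplicate = cm.applyConsent();    // already loaded, nothing more
  const afterRevoke = cm.revoke();          // back to the undecided default
  return { beforeDecision, afterOptIn, noDuplicate, afterRevoke, calls };
}
```

In a real page the loaders would insert the Google Analytics, LiveChat or heat-mapping script tags, and the banner's checkboxes would simply call `grant` with whichever boxes the visitor ticked; the point is that the tracker code is never on the page before that call.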
Right to be Forgotten
GDPR, unlike other privacy laws, has one unique and very important requirement. The GDPR provides individuals the “right to be forgotten” (“Right of Erasure”). This means that the customer can ask that their personal data be deleted (“forgotten”) where the personal data collected is no longer necessary for the purposes for which it was collected or otherwise processed.
Where the right exists, you must delete the data subject’s personal data from your systems (unless there are legitimate business or legal reasons that such data must be kept, say for your financial reporting purposes or legal retention needs).
For instance, if a customer decides to stop doing business with you, they may no longer want you to keep information about them that was previously collected and stored by you. Though there are limitations to this right – with exceptions and complicated nuances – where applicable, you must consider how, and whether, you are able to honor that request when it is made.
Right to Data Portability
The right to data portability is also unique to the GDPR. This allows people to request the formal return of their personal data.
Privacy by Design
Privacy by Design essentially means that when you obtain, process, store or use personal data, the necessary protections are contemplated and applied.
As a Data Controller protected by the GDPR, you control how your data is used and stored. Your data will be utilized per the terms of our Data Processing Addendum, and as required for providing and maintaining the products and services necessary to fulfill our contractual obligations or requests from our clients.
Data Breach Notifications
In the unfortunate event of a personal data breach, companies have a duty to notify their supervisory authority within 72 hours of becoming aware of the breach or without undue delay. E-Platform Marketing has never experienced a security breach that exposed sensitive client information stored anywhere in our company.
How Do You Become GDPR Compliant?
GDPR is written around protecting the privacy and confidentiality of personal information. Below we offer some key definitions that set out the respective responsibilities for managing personal data:
- Data Subject: The person providing personal information. This could be a customer, an employee, or someone that visits your website (the latter if you collect information about them using “cookies and similar technologies”).
- Data Controller: The party that determines the purposes and means for processing personal data.
- Data Processor: The party that processes personal data on behalf of the data controller.
- Processing: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Personal Data: The GDPR applies only to ‘personal data,’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people. Essentially, if you can use the data to identify a user, customer or anyone, it’s personal data.
About E-Platform and Personal Data Protection
E-Platform Marketing – Already Safeguarding Client Data
As your digital marketing agency there are instances when E-Platform Marketing becomes a Data Controller (when we acquire information from you for the purposes of providing products and services). Examples of “personal data” that meet GDPR criteria include your name, address, email, phone number, credit card info, etc.
It is worth mentioning that for all E-Platform Marketing clients we do take precautions to protect your confidential and sensitive information. Our general Privacy Policy speaks to how we manage information provided to us via our website.
Are E-Platform Marketing Product(s) and Service(s) GDPR Compliant?
No product or service is, on its own, “GDPR compliant”. However, when properly configured for your particular business needs, and used in combination with other measures, policies, and processes you implement as necessary for your specific business (some of which are described below), they can be used in a GDPR-compliant manner. No one knows your business better than you. Though E-Platform Marketing, LLC hopes to offer the tools and resources to help your business attain GDPR compliance, and we are here for you, we are not suited to ensure your compliance with any laws applicable to your business.
E-Platform Marketing offers solutions to help companies be GDPR compliant. We can provide and configure products and services, as well as direct you to other services such as GDPR law firms. In any engagement, it is critical that you provide full and accurate disclosure of your business practices in order for our company to provide the best possible solutions.
E-Platform Marketing is one of many Data Processors serving your company. We will process data on your behalf strictly as required to provide the services you have purchased from us, or as otherwise instructed.
All websites produced by E-Platform Marketing since 2004 include a privacy policy page with our standard privacy policy language. We recommend that our clients review the privacy policy for customization that addresses any company-specific policies or procedures. Because we do not know the specifics on your internal operating standards we are unable to provide your business with the perfect privacy policy.
E-Platform Marketing maintains business practices that include active “data hygiene”. Our records generally include only information we require to acquire, manage and deliver our products and services. In accordance with our Data Processing Addendum, we promptly comply with requests from a client (the Data Controller) to remove unnecessary information from our records. The only exception to this is when our company is required to cooperate in police investigations or under court order to preserve information.