Owning a business comes with a seemingly never-ending checklist of important tasks to keep in mind, including paying taxes and meeting local business laws. When your business goes online, there’s even more to consider as privacy protection comes into play.
GDPR is an acronym you’ve likely seen and heard a lot in the past couple of years if you have a website (and probably even if you don’t). But if you’re not sure what it is or how it affects your business, it’s time to brush up because this groundbreaking law affects the way in which you market and sell to your customers online.
What is GDPR?
The General Data Protection Regulation (GDPR) is a law governed by the European Union (EU). Although it protects EU citizens, it applies to any business worldwide that collects personal data from those EU citizens. In other words, if your business website has EU visitors and collects data on those visitors, such as email addresses for marketing purposes or cookies for advertising, you’re subject to GDPR rules.
The initial law went into effect in 2018, and it has since been supplemented with additional guidance for businesses that clarifies previously unclear rules. As it stands today, both EU businesses and businesses outside the EU (including US-based businesses) have faced judgments under the GDPR for non-compliance.
GDPR Checklist for Compliance
A single fine against a business for GDPR non-compliance can be as high as €20 million for serious infringements and as much as €10 million for lesser infringements. Obviously, GDPR is not a law you want to take a chance with. Here are a few steps you can take to ensure your business’s compliance:
1. Get an Expert to Help
Before doing anything, you should consider contracting a GDPR expert to guide your business and help you stay compliant. Your expert should have a clear understanding of what kind of business you run, the services you provide, and the type of data you collect. This should be a legal expert who can also assist you with writing a privacy policy and cookie policy that meets GDPR requirements.
Some businesses are required to appoint an EU representative who acts as a liaison between you and the EU. You’ll need to do this if you’re a non-EU business that offers goods or services to people in the EU or monitors the behavior of those in the EU, as with cookie collection. There are some exceptions, as outlined here.
2. Determine What Data You Collect
Next, you and your expert, if you have one, should determine what kind of data you collect from visitors or customers. Under the GDPR, all personal data you collect can become a problem if you don’t make it known that you’re collecting it and what visitors can do about it. The GDPR defines personal data as follows:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– GDPR, Article 4
Someone’s name, customer number, and address are all examples of personal data. Cookies are also considered personal data because they’re used to identify a person when they return to your website.
3. Write a Detailed Privacy Policy and Cookie Policy
Using the information you’ve just gathered about your personal data collection, you’ll need to draft your privacy policy and cookie policy. A privacy policy details all of the ways in which you might collect data from people visiting your website, including when they register an account or leave a comment. A cookie policy focuses solely on the cookies you set and what they’re for.
By law, these documents should be on your site and easy to find, so placing them in your navigation menu, header, or footer is best.
4. Give People a Way to Opt Out
One of the most important things you can do for GDPR compliance is to provide people with an easy way to opt out of having their data collected. No one should be forced to accept your data collection practices, and they should always know that giving their information to you is their own choice.
GDPR-compliant websites also include a way to opt out of cookie collection. You’ll usually see these as small pop-up bars on the top or bottom of the screen when you visit a site. They’ll include options like “Accept all cookies,” “Opt out of all cookies,” or “Manage cookies.” This gives visitors a way to control the type of cookies you collect on them or decline them altogether.
5. Keep Your Policies Updated
Your privacy and cookie policies should be updated whenever your collection methods change, so be sure to revisit them if you change how you collect email addresses for your list or install a new plugin for your site. Also, update the date of your policy to reflect its most recent modifications and let your visitors know about the update by adding a notification on your homepage, sending out an email, or another notification method.
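The consent bar in step 4 and the re-notification in step 5 can be enforced in site code rather than left to good intentions. The following is an added example, not ShareThis code or the page’s own: it maps the three banner choices onto cookie categories, refuses to set any non-essential cookie until a valid choice exists, and asks again when the cookie policy version changes. The category names and `POLICY_VERSION` value are assumptions for illustration.

```javascript
// Added example (not ShareThis code): gate non-essential cookies behind the
// visitor's choice from a consent bar ("Accept all", "Opt out of all", "Manage").
// POLICY_VERSION is a hypothetical value; bump it whenever the cookie policy
// changes so returning visitors are asked again (step 5).
const POLICY_VERSION = "2024-01";

// Cookie categories as a site might define them; only "necessary" is exempt from consent.
const CATEGORIES = {
  necessary: { essential: true },    // session, CSRF token, the consent record itself
  analytics: { essential: false },
  advertising: { essential: false },
};

// Turn a banner choice into a consent record. `picks` is only read for "manage".
function applyChoice(choice, picks = {}) {
  const granted = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (meta.essential) granted[name] = true;
    else if (choice === "accept_all") granted[name] = true;
    else if (choice === "reject_all") granted[name] = false;
    else if (choice === "manage") granted[name] = picks[name] === true;
    else throw new Error(`unknown choice: ${choice}`);
  }
  return { policyVersion: POLICY_VERSION, decidedAt: new Date().toISOString(), granted };
}

// The banner must be shown again when there is no record or the policy has changed.
function needsPrompt(record) {
  return !record || record.policyVersion !== POLICY_VERSION;
}

// Default-deny: before a valid decision exists, only essential cookies may be set.
function mayStore(record, category) {
  const meta = CATEGORIES[category];
  if (!meta) throw new Error(`unknown cookie category: ${category}`);
  if (meta.essential) return true;
  if (needsPrompt(record)) return false;
  return record.granted[category] === true;
}

// `jar` stands in for document.cookie so the example runs outside a browser.
function setCookieIfAllowed(jar, record, category, name, value) {
  if (!mayStore(record, category)) return false;
  jar.set(name, value);
  return true;
}
```

In a real site, the consent record would be stored in a first-party cookie or localStorage and every analytics or advertising tag would be loaded only after `mayStore` returns true for its category.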
GDPR compliance can be challenging, especially because data collection and cookie usage aren’t things the average website owner is experienced with. By implementing the above tips and enlisting an expert on data privacy and compliance, you can ensure your website is compliant.
ShareThis also offers a simple way to get consent from visitors regarding cookies with its Consent Management Platform. This free tool installs on your site in minutes, allowing visitors to accept or reject cookies from your site.