If you haven't heard about the new General Data Protection Regulation (GDPR) you can read a brief overview about it from our very own Co-founder and Creative Technical Director, Christina Mickens.
But just to reiterate.
No matter where your organization is physically located, if you’re handling the data of EU citizens (or if your website gets traffic from the EU), GDPR applies to you and you'll need to do some internal planning to figure out what it's implications will mean for your organization.
We've tried to distill the key implications for your website
GDPR has some broad implications because it applies to any way your organization collects data about it's users, but for the website specifically, if your website uses any cookies to collect personally identifiable information you will need to do the first three following items by the deadline May 25th, 2018 (this would include analytics tracking software like Google Analytics):
- Review and accept Google Analytics' new Data Retention Controls - Update any other Data Processors as needed.
- Add Secure Socket Layer (SSL) Encryption - as long as you're making these GDPR updates now is the time to make sure your site stays secure because in July of 2018 Google Chrome will start calling out sites not using SSL certificates as "Not Secure".
- Hire or Designate a Data Protection Officer - This is not explicitly related to the website, but having this person in place will help direct your website data and other non-website data collection and storage.
Since most organizations have not been required to have a formal policy regarding user data capture and retention it is likely that every company online will have to do some internal reflection and planning.
Questions to consider as you prepare for the impending GDPR regulation
Here are some questions that we can't answer for you, but you should be asking internally:
- What personal data do we collect/store?
- Do we protect the data we collect?
- Do we obtain the data we collect ethically?
- Do we audit the data we hold on a some sort of regular schedule?
- Should we conduct a data privacy assessment?
- What is our plan to be GDPR compliant by May 25th, 2018?
- Does the executive team understand the implications of this new regulation and do we have their buy-in to allocate the needed budget so we can to ensure we meet the compliance requirements?
- Does our staff require training to make sure we meet this new compliance requirements?
This may all feel very frustrating and overwhelming, but this new regulation is actually a good thing. The EU is forcing us all to think about data protection at a time where we have all seen how seen how damaging misused data can be if we're not vigilant.
This is not legal advice. Do not rely on it as such. We recommend companies and individuals should assess their data capture and storage policies and even seek legal advice from their own attorney to make sure that they're complaint with the new GDPR regulation.