GDPR: Here’s the Breakdown
As your trusted web partner, we thought we’d give you the breakdown of what Europe’s GDPR (General Data Protection Regulation) might mean for your business.
At the moment, only businesses operating in Europe or dealing with individuals in Europe have to disclose to their users how the business collects, uses and stores users’ personal and sensitive data, such as names, home addresses, IP addresses, location data, cookies, etc. Users are also able to ask those same companies to delete their data.
While you may not be doing business in the EU, you should note that GDPR compliance is a complex process and is likely to influence US privacy laws, such as HIPAA, in the near future. Complying with the GDPR is preparation for what is likely to come, and it also helps to foster a safer internet.
Below are some practices that we already have in place, as well as some practices that you may want to put in place if you would like to make your website more GDPR compliant.
How Our Data Centers Handle & Protect Data
- HTTPS with SSL/TLS certificates to encrypt information as it travels between the user’s browser and our server
- Pseudonymization: obfuscating PII (personally identifiable information) so that it is held apart from the other information that could identify the same user
- Encryption to protect data in use and at rest
- Controlled methods of access (logins, facility access) for individual users
- Compartmented (need-to-know) access to information, with every addition, change or deletion of data logged
- Redundant systems (internet services, utilities, HVAC and hardware) with no single point of failure
- Reviews and audits of hardware and infrastructure to ensure they can handle expected loads
- Continuous internal and external audits of compliance with common security and privacy standards such as HIPAA, FERPA, SOX, SOC or PCI DSS, all of which have requirements similar to the GDPR’s
- Data minimization: not receiving or storing information unless it is absolutely necessary
GDPR Updates our Product Developers Have Made
- WordPress Has Rolled Out Some New GDPR Compliance Tools in Its Recent Update
  - A user data request, export and deletion option has been added to WordPress. An admin enters an email address into a field, which prompts WordPress to email the user their data (registered user information and comments only) and, if requested, to confirm deletion. This may not include third-party plugin information such as form data.
- The Avada WordPress Theme Has Made Some Updates for Improving GDPR Compliance
  - Users now have the option of hosting Google Fonts locally, so that visitors’ browsers no longer send their IP addresses to Google when fetching fonts.
  - Privacy settings have been added for embeds such as YouTube, Facebook and Twitter, so that users can opt in to the cookies these services set before interacting with videos or feeds.
  - A custom registration message option has been added for new user registration forms so that an opt-in statement can be included.
  - The theme is now more transparent about when your data as a theme user is being collected.
If you have one of these in place on your website, but do not have access to these capabilities in the new updates, get in touch with us and we will help you make use of these new features.
Updates That Can Be Made To Your Existing Website
- Add Opt-in Check Boxes to Existing Forms
  - If you have contact, career or other forms on your site, a checkbox can be added so that users opt in to their data being stored when the form is submitted.
- Set Up Google Analytics to Track Only After Explicit Consent Has Been Given
  - If you use Google Analytics on your website, users need to be able to opt in to being tracked and must have the right to request that their data be deleted. Google recently made updates that make this easier, but it also requires a more integrated approach: tracking through Tag Manager with an opt-in form involved. Meet with a developer to integrate Google Analytics in an opt-in friendly way, and with legal counsel or a GDPR expert to identify all the changes your company needs to make.
Plugins That May Be Utilized to Make Your Site More GDPR Friendly
- This plugin can help you in the process of identifying cookies and third party communications on your site through their documentation and setup.
- It allows users to request download and deletion of their personal data through forms on the website and allows you to automate the process through WordPress. *However, this may not help you identify all data associated with a user if you collect data through third-party plugins such as forms.
- Allows for mass emails to users when a data breach occurs as well as adding version control to privacy policies for updated consent.
- It also provides shortcodes to add forms and privacy policies that users can opt in to and use to request download or deletion of their related data from the following integrations.
Some share buttons collect user information by default regardless if the user clicks the share button or not. This share button does not submit data unless the user clicks on the button.
- If you use Easy Forms for Mail Chimp add a GDPR compliant check box to your form with this simple add-on.
***Using these plugins alone does not guarantee that your site is GDPR compliant. These plugins are simply helpful suggestions to push companies in the right direction and will require the assistance of a web developer, legal counsel, or GDPR expert.
Like Forbes, we at Firefly Marketing Inc. believe that
It all comes down to trust and transparency. Customers want to know they can trust companies to take care of their personal information and not sell it or use it inappropriately. Companies that can demonstrate customer trust will be much more successful than unprepared companies inundated with customer deletion requests.