As of May 25, 2018, websites that process Personally Identifying Information of European residents need to be compliant with the new GDPR rules (General Data Protection Regulation). There is still a lot of confusion around the exact scope and who it applies to, but the general consensus is that everyone around the world is affected and that even IP addresses recorded in your server logs have to be protected.
You may take this self-evaluation checklist to see if you are compliant, but we recommend that you speak with a lawyer to understand exactly how the rules apply to you and make plans to be compliant.
WHAT IS GDPR?
GDPR is a complex set of European laws that govern how you gather, obtain consent for, use, share, and protect personal information. These are honestly good "best practices" for respectfully treating your visitors and customers (e.g. do not share personal data without consent). Compliance with these rules also provides businesses with additional legal protection (e.g. you should have a Privacy Policy and be doing most of this already anyway). The U.S. already has a patchwork of many similar state laws, and may add its own federal rules soon as well, so it is good to get compliant now. The GDPR requirements are complex, but some of the main requirements are listed below (NOT EXHAUSTIVE).
REQUIREMENTS FOR YOUR ORGANIZATION
• Data Breach Notification: Notify the authorities of a data breach within 72 hours.
• Privacy Policy: Provide a link to a GDPR-compliant Privacy Policy.
• Cookie Consent Notification: Enable a cookie consent banner at the top of the site, which describes how cookies are used and gives users the option to opt out.
• Data Usage Consent and Audit Trail: On all forms that collect data, there must be a clear statement about what the information will be used for and who (if anyone) it will be shared with.
RIGHTS OF THE VISITOR
• Right to be Forgotten: When requested, you will delete all of the user's data.
• Data Portability: When requested, you will provide a file containing all of the user's data.
• Access: When requested, you will describe how the data is stored and what third parties it is shared with.
• Rectification: When requested, you will correct the user's data.
STEPS TAKEN
Updated Gutensite Privacy Policy. Gutensite has always protected your data in compliance with industry best practices, so we don't need to change our practices for GDPR, but we have updated our privacy policy to define key terms and add language describing how we comply with GDPR.
Updated Default Privacy Policy. Your website comes with a default privacy policy (which you may not have activated) that should be customized by you and your lawyer to properly describe how you collect, store, use and protect your users' data. We've updated the default policy, but you should still review it, customize it for your needs and activate it. See our article about how to customize a Privacy Policy and Terms of Service.
Cookie Notification. GDPR-compliant websites must notify visitors of the use of browser "cookies" (small files that store preferences and track the user's activity), and must give visitors the option to accept or decline. The default cookies on your website are key to its functionality because they store "session" information. But if you use third-party widgets (e.g. Google Analytics, Google Maps, MLS properties with tracking, etc.), you will need to provide clear language notifying users of the cookies you use and how the data is protected or shared.
For safety, we have enabled this notification for all sites, but you can disable it in your Site Info if you need to.
ACTION ITEMS FOR YOU
• Understand GDPR. Learn more about the General Data Protection Regulation.
• Self-Assessment. Take the GDPR self-assessment and then talk to a lawyer if you are concerned about compliance.
• Legal Agreements. Customize your Privacy Policy and Cookie Consent Notification.
• Review Processes. Review your internal data handling processes and make sure they are compliant with GDPR and with general best practices for protecting users' data.
Note: Even if you think GDPR doesn't apply to you, every website is legally required to have an accurate Privacy Policy that informs your visitors what information you collect and how you use that data. You should also have a Terms of Service agreement if you sell products or services. We provide default pages with generic policies that you can use when you first create your website, but you should consult a lawyer to help you customize these for your business. See our article about how to customize a Privacy Policy and Terms of Service.