As of May 25, 2018, websites that process Personally Identifying Information of European residents need to be compliant with the new GDPR rules (General Data Protection Regulation). There is still a lot of confusion around the exact scope and to whom it applies, but the general consensus is that everyone around the world is affected, and even IP addresses recorded in your server logs count as personal data that has to be protected.
You may take this self-evaluation checklist to see if you are compliant, but we recommend you speak with a lawyer to understand exactly how the rules apply to you and make plans to be compliant.
WHAT IS GDPR?
REQUIREMENTS FOR YOUR ORGANIZATION
• Notify Authorities of Data Breach within 72 hours.
• Cookie Consent Notification: Enable a cookie consent banner at the top of the site, which describes how cookies are used and gives users the option to opt-out.
• Data Usage Consent and Audit Trail: On all forms that collect data, there must be a clear statement about what the information will be used for and who (if any) it will be shared with.
RIGHTS OF THE VISITOR
• Right to be Forgotten: When requested, you will delete all of the user's data.
• Data Portability: When requested, you will provide a file with all of the user's data.
• Access: When requested, you will describe how the data is stored and what third parties it is shared with.
• Rectification: When requested, you will correct the user's data.
Cookie Notification. GDPR compliant websites must notify visitors of the use of browser "cookies" (small files that store preferences and track the activity of the user), and must give visitors the option to accept or decline. The default cookies on your website are key to its functionality because they store "session" information. But if you use third party widgets (e.g. Google Analytics, Google Maps, MLS properties with tracking, etc.) you will need to provide clear language notifying users of the cookies you use and how the data is protected or shared.
For safety, we have enabled this for all sites, but you can disable it in your Site Info if you need to.
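The distinction above between session cookies and third-party widgets is the part a site owner actually has to implement: essential cookies may be set without consent, while tracking widgets such as analytics or maps should not load until the visitor has opted in. The following is an added illustration of that consent gate, not code from the original page or from the hosting provider; the widget registry, the cookie name `cookie_consent`, the banner element id and the placeholder script URLs are all assumptions for this example.

```javascript
// Added example: consent-gated loading of third-party widgets.
// Not the hosting provider's code. The registry, cookie name, element id and
// script URLs below are assumptions for illustration only.

// Widgets the site embeds. "essential" entries (the session cookie) never wait
// for consent; everything tagged "tracking" loads only after an explicit opt-in.
// The src values are placeholders, not real widget URLs.
const WIDGET_REGISTRY = [
  { id: 'session',   category: 'essential', src: null },
  { id: 'analytics', category: 'tracking',  src: 'https://example.invalid/analytics.js' },
  { id: 'maps',      category: 'tracking',  src: 'https://example.invalid/maps.js' },
];

// Assumed cookie that records the visitor's choice: "accepted" or "declined".
const CONSENT_COOKIE = 'cookie_consent';

// Parse a document.cookie string (or a Cookie request header) into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Consent state: 'accepted', 'declined', or 'unknown' (banner must be shown).
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'accepted' || value === 'declined' ? value : 'unknown';
}

// Which widget ids may load for a given consent state. Only an explicit
// 'accepted' unlocks tracking widgets; 'unknown' is treated like 'declined',
// so nothing third-party runs before the visitor has answered the banner.
function widgetsToLoad(state, registry = WIDGET_REGISTRY) {
  return registry
    .filter(w => w.category === 'essential' || state === 'accepted')
    .map(w => w.id);
}

// Cookie value that records the visitor's choice for one year. Recording a
// "declined" answer is itself strictly necessary (it stops the banner from
// reappearing), so this cookie does not need consent of its own.
function consentCookieValue(choice) {
  if (choice !== 'accepted' && choice !== 'declined') throw new Error('invalid choice');
  return `${CONSENT_COOKIE}=${choice}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Browser side: reveal the banner when consent is unknown and inject the
// script tags for every widget the current state allows. Takes the document
// as a parameter so the decision logic above stays testable without a DOM.
function applyConsent(doc) {
  const state = consentState(doc.cookie);
  if (state === 'unknown') {
    const banner = doc.getElementById('cookie-banner'); // assumed element id
    if (banner) banner.hidden = false;
  }
  const allowed = widgetsToLoad(state);
  for (const w of WIDGET_REGISTRY) {
    if (w.src && allowed.includes(w.id)) {
      const s = doc.createElement('script');
      s.src = w.src;
      doc.head.appendChild(s);
    }
  }
  return state;
}

// Run automatically when loaded in a browser; harmless under Node.
if (typeof document !== 'undefined') applyConsent(document);
```

The banner's Accept and Decline buttons would set `document.cookie = consentCookieValue('accepted')` (or `'declined'`) and then call `applyConsent(document)` again, so tracking widgets appear only after the click. The `Secure` attribute means the cookie is only sent over HTTPS, which is the setting the rest of the site should already be using.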
ACTION ITEMS FOR YOU
Take the GDPR self-assessment and then talk to a lawyer if you are concerned about compliance.
• Review Processes. Review your internal data handling processes and make sure they are compliant with GDPR and with general best practices for protecting users' data.