when relevant content is
added and updated.
The GDPR or General Data Protection Regulation as its actually known is a European law that will be taken effect in May 2018. There’s a lot of misconceptions out there that need to be talked about, especially by non-EU websites.
Before we get started, let me state that I’m not a lawyer, and I don’t even play one on TV. Everything that I’m talking about should be verified with an actual lawyer.
The fines for violations of the GDPR are pretty steep. 20 million Euros or 4% of your companies revenue, whichever is HIGHER. Beyond this websites could be blocked from being accessed within the EU. In other words, this law is severe, and it doesn’t apply to just companies that operate in the EU.
One of the bigger misconceptions is that the GDPR is related to sales. It isn’t. The GDPR relates to personal data of the people that view your website whether they buy anything or not. This includes your comments, feedback, collecting emails, newsletter subscribers, etc.
Most people are using WordPress for their websites. As of late January 2018, there’s minimal plugins available. And the ones who are there have minimal installs. Jetpack, which is one of the biggest plugins available is working on GDPR compliance. They aren’t there yet, but they are working on it.
The biggest thing with the GDPR (as far as I’m concerned) is how to deliver the users request to be deleted. For DCAC the only place we have to worry about this is with comments. Our vendors (Mail chimp and Microsoft’s O365) both have or are working on GDPR compliance and will have something put together in time.
Another piece of the GDPR is that users from the EU need to be able to request an export of their data from your systems. For DCAC this is pretty simple, we just need to be able to export comments and what event data we collected. Our email sending doesn’t contain anything other than what newsletters the user received from us (and we can get this from Office 365). No matter how you export the data you need to be able to export the data and deliver it to the user that requests it. The user also needs a way to download their data. Today WordPress doesn’t have a solution for this, but hopefully, it will by the time the law kicks in.
The scary part of the GDPR is telling people if the website is breached, and you have 72 hours from when you discover the breach. There’s no real definition of user, so the assumption is that commenters, notification form submitters, etc. At least this is our assumption. Our hope, of course, is that a breach doesn’t happen, but we have to prepare for the worse.
It isn’t scary, but there’s a lot
As you can see there’s a lot to this GDPR stuff that needs to be worried about. Done correctly you can lean on vendors like WordPress’s JetPack plugin, Microsoft’s Dynamics 365 (part of the Office 365 suite) and Mail Chimp.
Hopefully, this has demystified the GDPR a little bit and made it a little less scary.