The General Data Protection Regulation (GDPR), known as Regulation (EU) 2016/679, is “a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union.” The regulation has existed since April 2016, with enforcement starting on 25 May 2018. Its tentacles reach far into your business presence online, including changes in the way entities like Facebook and Google will want to do business with you.
The good news is that, as a small business owner and as of March 13th (the date this article was written), there is still time to comply. The bad news is that, no matter how much we think the regulation doesn’t apply to us because (insert xxx reasons), it does, and it is here to stay. To understand the regulation from its very roots, it is important to know some basic terminology. Tech talk, if you will.
- Data Subject: the person whose private data is gathered by businesses or search engines.
- Data Controller: the person or business that gathers private data such as name, email and payment info. Vendors you do business with are also Data Controllers; they gather your data for their own purposes. If you are gathering data manually in a spreadsheet, you are still a Data Controller, and the regulation applies.
- Data Processor: a person or business that stores private data in digital format and uses it, for example to place ads. Processing means any operation performed on personal data, such as storing, collecting, recording, organising, sharing, deleting, consulting, etc.
- Personal Data: any data that can be traced back to a person. This includes name, email address, payment info, date of birth, address and IP address (a computer’s address online).
- Sensitive Data: any personal data that reveals more about the person than just their identity, such as medical information, purchase history, credit card numbers, etc.
THE GOAL OF THE GDPR
The main goal of the GDPR is that the rights of the Data Subject are protected. The responsibility for protecting the Data Subject’s rights is placed with both the Data Controller and the Data Processor. By following the GDPR rules and putting the appropriate measures in place, the Data Controller and the Data Processor are in compliance. The regulation protecting the data rights of EU residents is far reaching: the rules apply to everybody, even small businesses with fewer than 250 employees, and even companies outside the EU that act as Data Controller or Data Processor for EU Data Subjects.
You are responsible for data. This responsibility is not optional. The amount of responsibility you have, and the role you fulfil, is clearly defined by this regulation.
If your business practices are older than these new regulations, it’s time for a revision, because the repercussions for non-compliance are fines (up to 20 million euros or 4% of your income, whichever is higher) as well as compensation claims in the event of a data breach. A breach is to be reported within 24 hours, and no later than 72 hours.
WHICH MEASURES CAN YOU PUT IN PLACE TO ENSURE COMPLIANCE?
- Install “fair processing notices” on your website, notifying individuals of the GDPR and their personal data rights in clear, concise text. Inform the website user, or Data Subject, about how their data is collected, what it is being used for, how long it will be retained, and how and where it is stored.
- Use double opt-in for newsletters (by using a service like Mailchimp, with easy opt-out and the extra confirmation email after sign-up, including a reference to the GDPR).
- Get organised. Know how and where your data is stored, and how it is processed (e.g. newsletter via Mailchimp). You might even prepare a document on your PC that addresses this, so that you are ready to respond… because…
- …the GDPR gives Data Subjects a right of access to the data you hold on customers (or employees). Be prepared to reply to access requests within one month.
- The Data Subject has a right to erasure, i.e. to have their data deleted.
- Keep the personal data you collect to a minimum. Consider having comments and discussion on your social media pages only, rather than on your website.
- Once more: understand your role within the scope of the GDPR, and your responsibilities.
- Employee awareness and training: ensure that your employees know about the GDPR as well.
- Think you don't store any personal data? Think again: if you operate a website you are almost certainly storing the IP addresses of visitors, which are considered personal data. Even if you only store data like email addresses in a spreadsheet, this regulation applies to you!
- Using SSL is also in line with the GDPR, which recommends security from the beginning and throughout.
WHAT IS WEBSITE ENCRYPTION?
Providing encrypted access to your website protects your client data as it travels across the Internet, providing privacy. Website encryption is accomplished by installing an SSL Certificate, a cryptographic file issued by a certificate authority and used to provide privacy and/or identity assurance. These are often offered through your web host, sometimes as part of a hosting package and sometimes for a fee. The most basic level of certificate necessary for a secure website is called a Domain Validation Certificate, an SSL certificate which provides privacy through encryption and assures the identity of your site. These are often free, but require more technical know-how to install and maintain.
While SSL is not (yet) mandatory, it will probably have a negative effect if your website is not considered secure. A secure site should be more visible in search engines, while an insecure site may be ranked lower. Do not mix SSL and non-SSL content on your site. Some widgets, such as a weather plug-in, may need to be switched to one which supports SSL. Browsers will label non-SSL or mixed-content sites as “insecure”. Please read more in depth about SSL in our blog post here.
Example of how a secure website is presented to the Internet user. This website has an SSL installed and Google tells us the certificate is valid.
Our website is protected by a Domain Validation Certificate. We have no log-in on our website, but we do have a newsletter sign-up with free guides attached to it.
Example of a site without protection. Google tells us this site is not secure, and it doesn't show Certificate information.
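The mixed-content problem described above (an https:// page that still pulls a script, stylesheet, image or widget over plain http://) can be checked before a browser flags it. The following is an added example, not code from this post; it scans a page's HTML with Python's standard-library parser and lists every sub-resource loaded over http://, separating the "active" kind (scripts, stylesheets, frames, form targets, which browsers block or mark as insecure) from the "passive" kind (images, audio, video, which browsers merely warn about). The sample page and all hostnames in it are constructed for the example.

```python
"""Offline mixed-content check for an HTTPS page (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Which (tag, attribute) pairs load sub-resources, and whether a browser treats an
# http:// reference there as "active" (blocked) or "passive" (warned about).
# The form entry is not classic mixed content, but an https page posting a form to
# http:// exposes the submitted data in the same way, so browsers flag it as well.
RESOURCE_ATTRS = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",      # only counted when rel contains "stylesheet"
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("form", "action"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, attribute, url) for every http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None for bare attributes
        for (t, a), kind in RESOURCE_ATTRS.items():
            if t != tag or a not in attrs:
                continue
            if tag == "link":
                rel = (attrs.get("rel") or "").lower().split()
                if "stylesheet" not in rel:
                    continue  # icons, preloads etc. are not checked here
            url = (attrs.get(a) or "").strip()
            # Relative paths ("/img/x.png") and protocol-relative URLs ("//cdn/...")
            # inherit https from the page, so only an explicit http scheme is mixed.
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, a, url))


def find_mixed_content(html):
    """Return the list of http:// sub-resources found in an https page's HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings per kind, so a page can be judged at a glance."""
    return {
        "active": sum(1 for f in findings if f[0] == "active"),
        "passive": sum(1 for f in findings if f[0] == "passive"),
    }


# Constructed sample page: a mix of safe and unsafe references (hostnames are placeholders).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="stylesheet" href="http://cdn.example/legacy.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="//cdn.example/app.js"></script>
<script src="http://widgets.example/weather.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://img.example/banner.jpg">
<form action="http://forms.example/signup" method="post"></form>
<a href="http://partner.example/">partner</a>
</body></html>
"""

if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_PAGE)
    for kind, tag, attr, url in found:
        print(f"{kind:7} <{tag} {attr}> {url}")
    print(summarize(found))
```

On the sample page the scan reports four problems: the legacy stylesheet, the weather widget script and the sign-up form target are active mixed content, and the banner image is passive. Plain links (`<a href>`) are not sub-resources and are not reported, and the protocol-relative `//cdn.example/app.js` is fine because it follows the page's own scheme.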
HOW FACEBOOK AND GOOGLE ARE MEETING THE GDPR…
Securing your site is your due-diligence response – it would be reckless not to. As mentioned previously, even companies outside the EU that act as Data Controller or Data Processor for EU Data Subjects must comply with the European Union’s GDPR. Therefore, companies like Google and Facebook are taking their own measures to protect themselves. They are meeting the GDPR by changing their business practices.
- Google intends to use its position as the world’s dominant search engine to push a more secure Internet. By placing responsibility for the privacy and protection of the Internet user with the business owner, it encourages the use of encryption across the Web. They too are minimising the amount of data they are responsible for. You may have already noticed notifications when you go to a website that is not secure (http://). Google also lets you know when a site is secure (https://) and explains the level of security. Having a site where traffic is encrypted builds trust with your website users and (potential) customers.
- Facebook is making a clear distinction between business and personal pages. A business page is meant for marketing purposes. When advertising on personal pages for the benefit of informing family and friends, your post will (through complex algorithms) not be shown. If you have a business, and you only use your personal page to promote it, the time you spend on Facebook may not be very fruitful. Instead, create a business page, link it to your website, and be meticulous about who you follow. Don’t follow other pages that aren’t useful to grow your business. Choose your audience for adverts wisely and create them in the Facebook Publishing Tools tab, rather than boosting posts from your page.
By holding businesses responsible for ensuring their own compliance with the GDPR and general Internet security, they don’t have to own the data in order to be the processor of that data. Facebook and Google are major data processors, sometimes on our behalf, e.g. through the advertising they run for us. They will know whether your website has been encrypted, i.e. whether they are dealing with a secure website or not.
The General Data Protection Regulation has been created to protect the rights of the Data Subject. We are ALL a Data Subject in one way or another. The vendors you do business with must adhere to the same regulation. We are all responsible. Which means that no matter how small or large your business, due diligence is in order. The clock is ticking. As of 13-3-2018, we have 72 more days to put an action plan into place. We have created a more in-depth GDPR summary in a handy PDF, which you are welcome to download with sign-in. Please do not hesitate to ask your questions on our Facebook page. Your questions are valuable to everybody, and we will address them.
Price & Brenda