But that’s not the reason.
In 2016, the European Union passed the General Data Protection Regulation (GDPR) after deliberating over it for four years. The regulation gave two years for companies to get in compliance, which is typically more than enough time. The reality though is that companies and even regulators are not ready.
The Ponemon Institute surveyed 1,000 companies in April, and over half said they would not be compliant by the deadline.
What is GDPR?
The General Data Protection Regulation is a set of rules. These rules span from requirements like notifying regulators about data breaches to transparency for users about what data is being collected. They even cover why it needs to be collected. It is a new data protection law in the EU, which came into force Friday, May 25th, 2018.
The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.
The GDPR provides much stronger rules than existing laws and is much more restrictive than the “EU cookie law.”
The GDPR applies to data collected on EU citizens from anywhere in the world. As such, any website with EU visitors or customers must comply with the GDPR, which means all businesses that want to sell products or services to the European market need to comply.
So what does GDPR entail?
Unfortunately, everything is not always black or white when it comes to laws like this, but the GDPR alliance has a great overview what it entails:
- Applies to any personal data that relates to or can be used to identify someone (Art. 4).
- Applies to any sensitive personal data such as race, ethnic origin, sexual orientation, and health status. (Recital 51, Art. 9)
- Requires that consent is given or there is a good reason to process or store personal information.
- Allows a person to request that their personal information about them is completely erased (unless there is a valid reason, such as a bank loan). Also referred to as the right to be forgotten (Art. 17).
- Gives a person the right to know what information is being stored about them.
- Privacy by design and default: Makes sure that personal information is properly protected. New systems must have protection designed into them and access to the data is strictly controlled and only given when required (Art. 25).
- If data is lost, stolen or is accessed without permission, the authorities must be notified within 72 hours (Art. 33) along with the people whose data was accessed (Art. 34).
- Data can only be used for the reason given at the time of collection and is securely deleted after it’s no longer needed.
- Right to access and data portability: A person can request their information is an downloadable format at any time, as well as use or transfer the data to another service. (Art. 20)
- Allows national authorities to impose fines on companies breaching the regulation.
- Parental consent will be required to process the personal data of children under the age of 16 for online services; can vary per member state, but it will not be below the age of 13 (Art. 8).
What are the Consequences of Not Complying with GDPR?
Site and Store Owners have until May 25, 2018, to comply with the regulations set by the GDPR. There are hefty penalties for non-compliance. If you are found non-compliant, you are looking at a fine up to € 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. High penalty fines have been proposed to try an increase compliance.
However, you may wonder what steps for supervision of websites are in place. Supervisory Authorities (SA) of different member states are going to be set up, with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative and organizational structures. There are various powers that SAs will have:
- carry out audits on websites,
- issue warnings for non-compliance,
- issue corrective measures to be followed with deadlines.
SAs have both investigative and corrective powers to check compliance with the law and suggest changes to be compliant.
It is too early to speculate how SAs of various member states would interlink and work together, but one aspect is clear; SAs would enjoy considerable power to enforce the GDPR guidelines.
What do you need to do?
Consult a lawyer.
Disclaimer: I’m not a lawyer. Please first seek the advice of a lawyer that can help you sort out what you need to do.
WordPress pushed an update, 4.9.6, that gives you many features for starting to get compliant with GDPR. And of course WooCommerce also pushed out a release, 3.4.0 that also gives you many features for getting compliant with GDPR.
Upgrading WordPress (and WooCommerce, if you use it) are some of the first steps you can take, after talking to a lawyer.
Did we mention reaching out to get legal advice?
Hosting with Liquid Web?
If you are hosting with Liquid Web, you can check out our article on GDPR that answers some questions as it relates to hosting with Liquid Web.
If the GDPR deadline stressed you out and you waited to figure out what you needed to do, we recommend getting legal advice. Our sense is that every site is unique and has to get its own counsel, but that GDPR will affect about everyone online.