What is GDPR?
In May of 2018, the GDPR, or the General Data Protection Regulation, went into full effect. You may remember when it happened because your inbox was probably jammed up with emails from every website you ever signed up with asking for your consent — again.
The GDPR is a European Union regulation that governs how businesses collect and handle the data of their users. Specifically, the GDPR aims to impose strict regulations on the collection and processing of personally identifiable information. While the measures set forth in the GDPR are new, the idea of consumer protection in the EU is not.
EU Data Collection Regulations – A Brief History
The GDPR is the latest in a long line of regulatory measures established by the EU to protect its consumers. One could argue that American regulations tend to err on the side of industry, while European laws, conversely, are focused on protecting the consumer.
Over the years, the EU has offered consistent regulatory guidance on data protection, starting with the Organization for Economic Co-operation and Development (OECD) in 1980, followed by the Data Protection Directive in 1995, and now the GDPR.
Clearly, the measures put in place in 1980 and 1995 predate the internet age. They could not possibly address the current nuances of data collection, data transfer, and storage. The GDPR reflects these changes and is more in line with how we use the internet today.
There are many moving parts to the GDPR and together they add up to an overhaul of the EU’s regulations regarding data and privacy.
Scope Of The GDPR
The GDPR lays the framework for the protection of personal data in transactions that occur within the EU as well as for transfers of data outside of the EU. But that certainly isn’t the extent of it: the GDPR also provides for the right to have access to collected data, notification of breaches, privacy, erasure, and release. Let’s take a look:
Right to access data
Simply stated, customers are entitled to have access to any information collected about them by a given company. They are also entitled to receive a free copy of the data that is collected.
Notification of data breach
Customers must be notified within 72 hours of a data breach if it “…is likely that the breach poses a risk to an individual’s rights and freedoms…”
Right to erasure
Also known as “the right to be forgotten”, customers have the right to ask companies to remove their data from their files and to cease and desist further usage.
Privacy by design
This limits data collection to only that which is necessary. Under the GDPR, data collection should be “…adequate, relevant, and limited to what is necessary for the purpose…”
Clear consent
When a customer is asked to consent to the collection of their data, the consent form must be clear and easily understood. Legalese just won’t do.
Not only does the GDPR establish regulatory guidance, but it also establishes fines and penalties for non-compliance, some of which can be quite hefty.
What Happens If You Don’t Comply With GDPR?
Failure to comply can be a pricey proposition, as fines can be quite stiff. When the GDPR was established, fines were laid out in a scalable way. Non-compliance could run a company a fine of 4% of its total revenue. Obviously, the more revenue you have, the steeper your fine. Note that the fine of 4% of total revenue is the maximum defined in the GDPR. Infringements can instead be met with warnings, or lower fines can be imposed; it all depends on the nature of the non-compliance.
How Does GDPR Apply To You?
I know you are probably thinking: “My business is based in America, why should I care?” Here’s why: You have no way of knowing or anticipating where your website traffic will come from. After all, it’s the world wide web; you could potentially get traffic from an EU member state.
Here’s how that might play out. If you have a website and you market goods or services on that website, or you have downloadable products, you must comply with the GDPR. Furthermore, if you have email subscribers and use those email addresses to send out marketing material (think newsletters, ebooks, special offers), you are even more on the hook for GDPR compliance because that is now considered targeted marketing. Now, this may seem a little daunting, but as a therapist you may be more familiar with the concepts surrounding the GDPR than you realize.
GDPR & HIPAA
HIPAA has been around for some time now, and fluency in HIPAA regulations is a great foundation for understanding the GDPR. Remember that, in essence, both the GDPR and HIPAA are focused on the privacy of your client or patient. And while they bear some similarities to each other regarding privacy, there are some notable differences.
The GDPR is considerably more broad in its definitions.
For example, the definition of personal data is expanded to cover anything associated with an identifiable person, such as IP addresses, credit cards, photos, etc. While this measure is fairly straightforward and relatively easy to understand and comply with, there are some measures within the GDPR that may make it a little harder for U.S. service providers to reach full compliance.
The GDPR measure that would be most difficult for U.S. service providers to comply with is the data erasure measure, or the “right to be forgotten”. Remember that this measure ensures that companies will remove data when asked to do so by the customer or patient. It also places limits on how long data can be stored. Historically, U.S. service providers tend to store patient information indefinitely, so this would certainly be quite a change.
Another notable difference between the GDPR and HIPAA is in the breach notification process. The GDPR requires notification of a breach within 72 hours, while HIPAA allows for considerably more time at 60 days.
Now that you know what the GDPR is and all that it encompasses, you may be wondering what you can do to ensure your own compliance.
How To Ensure GDPR Compliance On Your Website
The introduction of the GDPR required some sweeping changes for many large companies that sell products to, and operate in, the EU. Those companies were required to overhaul their data collection practices and employ compliance officers for their operations. As a coach or therapist you do not need to employ someone to oversee your data collection; however, there are a few things you can do to ensure your website is GDPR compliant should the occasion arise.
Your website must be SSL compliant, that is, served over HTTPS. How do you know if it is? If your website’s address starts with https:// and there is a padlock icon next to it in your web browser, you’re fine. If a website is not SSL compliant, instead of the padlock in your browser bar you will see the words “Not Secure”.
As of February 2018, 77.9% of all web traffic is conducted using the Google Chrome web browser. The SSL certificate is Google’s attempt to help website owners protect their sites as well as their customers’ data. The purpose of the SSL certificate is to encrypt all traffic to and from the domain; that encryption protects sensitive information while it travels between the visitor and your site. This may sound difficult, but it’s actually quite easy to make your website SSL compliant.
Every web hosting company provides the information and guidance you will need to make your own site SSL compliant. You can contact your web hosting company and they can either give you directions or walk you through it. Here are a few web hosting sites that offer quite a bit of information and guidance for SSL compliance.
Have a plan for a data breach
Remember that data breaches are serious matters these days and they must be reported within 72 hours of discovery under the GDPR. Having an action plan in place to address a data breach within your website will save you a lot of time and aggravation should this ever happen. You must know what to do and who to call for assistance. Here are a few pointers to get you started.
Do your best to identify the possible cause of the breach, and if there is something you can do to stop any further losses, now is the time to do it.
Next, notify your customers of the breach, keeping in mind that you have 72 hours to do so. Be sure to give your customers all the information they would need to protect themselves and their information as well.
With that said, be prepared to answer their questions. For example, your customers will most likely want to know how this happened. Ideally, you will have an answer, as you will have already identified the likely cause of the breach prior to notifying them.
Finally, notify your local police department immediately. Communicate the facts of the data breach and alert them to the potential risk of identity theft. If your local police department does not know how to handle data breaches, then you should contact the local FBI office. It is important to arm yourself with as much information about the breach as you possibly can and react swiftly.
If you operate your own website then you’re probably familiar with plugins. If not, plugins are little helpers on our websites that allow us to easily accomplish some of the things we want to do. Plugins can help you to incorporate things on your website like contact forms, social media links/icons, special fonts or maybe even signatures. If there is something you want to do to your site, chances are there is a plugin for it, and this includes GDPR compliance.
For example, a quick search on WordPress shows 760 options for help with GDPR compliance in the form of plugins. Plugins are helpful because an easy install and activation will quickly help you get your site GDPR compliant. The verbiage and consent boxes are all prefabricated, so to speak, so you do not have to write anything on your own. Using a plugin can save you a lot of time and aggravation in your efforts to protect your website and the data of your clients.
Here are some examples of WordPress GDPR Plugins:
Clearly, this is not an exhaustive list. If you have an hour, this video digs even deeper into the details.
The bottom line is that there are quite a few tools available to you through your web hosting and the platforms you use for website creation that can help you with your GDPR compliance.
In a nutshell, GDPR is about accountability and compliance. It is often argued that while the internet has given us so much, it has also taken away our privacy. Data breaches are a part of the new normal and they occur with increasing frequency every year.
While the focus of the GDPR is on the EU and its consumers, the fact remains that when you have a website, anyone in the world can visit it. You never know when someone in the EU will discover you, like your downloadable e-book, and provide their information to obtain that book.
If you need help navigating GDPR compliance on your website, please subscribe to our newsletter list (located in the upper right-hand column on this page) or reach out to us directly to schedule a call and see how we can support you in your efforts to be GDPR compliant.