General Data Protection Regulation (GDPR) is hitting European companies Friday, May 25th. The law provides specific protections on how the personal data and privacy of EU citizens are handled. The law was adopted in 2016, but compliance is now mandatory. GDPR is a new data privacy law crafted by the EU on how to store, retain, and remove the private data of individuals. It affects all personal data stored by companies, including medical, bank, address, photo, and even social media information.
Why Does this Matter to the Web?
GDPR also affects data analytics for websites that track visitors by IP address and cookies. Thus, Google Analytics, Facebook Analytics, and third-party apps we may install, such as AddToAny or ShareThis feeds, may need to comply. To comply, we have to ask the user for permission to track their visit. If we don't get permission, we cannot use Google Analytics or other forms of tracking.
Who Does This Apply To?
GDPR mostly affects the following companies:
- Companies in the EU;
- Companies not in the EU, but who offer services to EU residents, or monitor the behavior of EU residents.
Thus, most likely, it will not apply to your US firm, so long as you market only to the US. It mainly affects all businesses in Europe. GDPR also affects some US companies with ties to Europe. There are specific requirements that determine whether the GDPR applies to your company, and we recommend that you research them. We should note that, according to some interpretations, simply having a website that is accessible from the EU does not mean you need to comply. It's only if you are actively marketing to EU residents, list prices in the EU, or have customers in the EU.
What do Companies Need to Do?
Consult a lawyer and figure out if the GDPR applies to you and how you store all data. Although we produce a lot of kick-butt websites for law firms, we are still just a web design agency. Thus, we cannot give legal advice for each client.
What about My Website?
If you need to comply with the law, then you probably need to install a notification that lets website visitors ACCEPT or DECLINE analytics tracking, and the tracking code must not run until they accept. If you don't deal with the EU, then you may not be subject to these requirements (again, check with your lawyer).
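The accept/decline notification described above (and the "no permission, no Google Analytics" rule from the analytics section) boils down to one mechanism: the tracking script is only loaded after an explicit accept. Below is an added example of that consent gate in JavaScript; it is not code from the original post or from the agency. The `storage` object and the `loadAnalytics()` and `showBanner()` callbacks are assumptions injected by the caller so the logic runs outside a browser: on a real page `storage` would be `window.localStorage`, `loadAnalytics()` would insert the analytics script tag, and `showBanner()` would render the accept/decline banner.

```javascript
// Added example, not the original post's code: analytics stay off until the
// visitor explicitly accepts. `storage`, `loadAnalytics` and `showBanner` are
// hypothetical, caller-supplied dependencies (see the lead-in above).

const CONSENT_KEY = "analytics_consent";
// Raise this when the tracking purposes change, so earlier answers are asked again.
const CONSENT_VERSION = 1;

// Return "accepted", "declined", or null when there is no usable decision.
// Malformed records and records from an older consent version count as no decision,
// which means the banner is shown again rather than tracking by default.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const record = JSON.parse(raw);
    if (record.version !== CONSENT_VERSION) return null;
    if (record.decision !== "accepted" && record.decision !== "declined") return null;
    return record.decision;
  } catch (_e) {
    return null;
  }
}

// Persist the visitor's choice with a timestamp, so the decision can be shown to them later.
function recordConsent(storage, decision, now = Date.now()) {
  if (decision !== "accepted" && decision !== "declined") {
    throw new Error("decision must be 'accepted' or 'declined'");
  }
  storage.setItem(CONSENT_KEY, JSON.stringify({ decision, version: CONSENT_VERSION, at: now }));
}

// Forget the stored decision (e.g. a "reset my choice" link on a privacy page).
function revokeConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Build the gate. init() is meant to run once per page load and returns what it did.
function createConsentGate({ storage, loadAnalytics, showBanner }) {
  const gate = {
    init() {
      const decision = readConsent(storage);
      if (decision === "accepted") { loadAnalytics(); return "loaded"; }
      if (decision === "declined") return "declined";   // remembered: no banner, no tracking
      showBanner({ onAccept: () => gate.accept(), onDecline: () => gate.decline() });
      return "prompted";                                 // undecided: ask, load nothing
    },
    accept() { recordConsent(storage, "accepted"); loadAnalytics(); },
    decline() { recordConsent(storage, "declined"); },
  };
  return gate;
}

// Constructed in-memory stand-in for window.localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Simulate three page loads: first visit, a return after declining, a return after accepting.
function demo() {
  const storage = memoryStorage();
  let analyticsLoads = 0;
  let bannerShown = 0;
  let banner = null;
  const gate = createConsentGate({
    storage,
    loadAnalytics: () => { analyticsLoads += 1; },
    showBanner: (handlers) => { bannerShown += 1; banner = handlers; },
  });
  const firstVisit = gate.init();     // "prompted": banner shown, nothing loaded
  banner.onDecline();                 // visitor clicks DECLINE
  const afterDecline = gate.init();   // "declined": still nothing loaded, no banner
  banner.onAccept();                  // visitor later accepts from a settings page (loads once)
  const afterAccept = gate.init();    // "loaded": loads again on the next page view
  return { firstVisit, afterDecline, afterAccept, analyticsLoads, bannerShown };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The design choice worth noting is the default: an absent, garbled, or out-of-date consent record is treated as "not yet asked", so the site falls back to showing the banner and loading nothing, never to tracking. Remembering a decline is also deliberate; re-prompting on every page view pressures visitors into clicking accept, and the stored record lets you show them what they chose.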
What are Most Law Firms Doing?
Most of our US-based firms are doing nothing right now, as they are all US based and focus only on US clients. Some of our clients with EU exposure are complying with the new laws and creating pop-up confirmations to accept/decline data collection for Google Analytics and other website features.
What if I don’t Comply?
The ramifications can be real – fines of 20 million euros for non-compliance (or 4% of revenue, whichever is greater). So, we advise all clients to read the policy and consult counsel as needed.
Additional Reading and Tools
We recommend you read up on this new law:
- Reading – https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
- Reading – https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html?page=2
- Compliance Tool (if you need to comply) – https://www.cookiebot.com/en/gdpr/ (a tool to help test your site for GDPR, if you need that)
- Quiz – http://www.bbc.com/news/technology-44224802
- BBC – http://www.bbc.com/news/topics/cp846mrw2w0t/gdpr
- US v. EU Businesses – https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#137f38666ff2
I hope this information helps. Again, check with your local GDPR lawyer if you need help. If you need a reference, I am sure we have a few firms who would be willing to consult.