If your website visitors come from the European Union and you collect their personal information, then the answer is YES, GDPR applies to you.
General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It is a set of ground rules established by the European Union designed to protect the use and collection of personal information of people. It allows the European Union citizens to have greater control over what personal data companies collect and how they use them. So how does it affect you if you are in Canada?
If you are a local business and your website visitors are not likely EU citizens and do not ask them for any personal information, e.g., you do not ask for their email to download a white paper, then GDPR does not apply to you. However, if you offer services worldwide and your website offers information to anyone, including the European Union citizens, you must comply with GDPR principles.
What are the main GDPR requirements?
GDPR requirements are, to a certain extent, identical with the Canadian Anti Spam Laws (CASL):
- Forms require an explicit, double “Opt-In” process, and the option to subscribed and unsubscribe from receiving any emails from you.
- Users need to consent to your Terms and Conditions, which must be written in plain English, and explain how you use the data you collect from them.
- You must inform the visitors about any 3rd party tracking you use, e.g. Salesforce or Google Analytics. (In the form of a banner on the top or bottom of the page, people can dismiss).
- Users must be able to choose the type of marketing communication they want to receive from you (e.g., email or phone).
- Users must be able to “Withdraw Permission or Opt-Out” of anything you have collected their information for.
- You must remove any personal data from your database after a reasonable amount of time.
- Users have rights to their data and can download their data and delete some or all of their data.
Is your website set up for GDPR?
All the major open source Content Management Systems (CMS) have or are working on adding GDPR mechanisms to their core tools. If your website is built on WordPress, as of WordPress 4.9.6, the WordPress core software is GDPR compliant. At the time of writing this post (July 10, 2018) Joomla is working on the release of Joomla!3.9, which will be a Joomla GDPR compliance release. In the meantime, you can install GDPR plugins to comply.
If GDPR applies to you, contact your web designer and make sure your website is compliant.
Examples of personal data:
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example, the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.