What is GDPR and where did it come from?

GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679), adopted by the European Union in April 2016 and enforceable from 25 May 2018. It replaced the 1995 Data Protection Directive and was written to give EU residents control over their personal data and to harmonise data-protection rules across member states. It is often discussed alongside the Facebook/Cambridge Analytica scandal that surrounded the 2016 US presidential election, in which profile data on tens of millions of users was harvested through a third-party quiz app and passed to a political consulting firm. That scandal became public in 2018 and made the regulation's enforcement date feel urgent, but the regulation itself predates it.

So what do I have to do about it?

With this new regulation you'll have to put systems in place to protect the personal data you collect from your users. In short: keep it secure with measures appropriate to the risk (Article 32 names encryption, pseudonymisation, and the ability to restore availability after an incident), tell users what you collect and why, and let them ask you to delete (the "right to erasure", aka the right to be forgotten) all of the personal data you hold on them. You have to honour that request without undue delay, and within a month at most, unless a legal exception applies, such as a legal obligation to keep the records; you also have to pass the deletion on to anyone you've shared the data with.

The seven minimum compliance aspects are:

  • Cookie Consent
  • Terms & Conditions Compliance
  • Privacy Policy Compliance
  • Right to Be Forgotten
  • Data Reporting Compliance
  • Data Breach Compliance
  • Data Modification Compliance

So how do I know if I'm collecting customer data? I mean, I'm not Facebook, I don't have all those complicated profiling algorithms, so I'm good, right?

Unfortunately, the vast majority of us do collect visitor data. Only the simplest (and oldest) static sites do not, and even those usually keep web-server access logs containing visitor IP addresses, which GDPR counts as personal data.

You collect visitor info/data if you:

  • Have an email newsletter
  • Have an e-commerce store
  • Use visitor tracking software such as Google Analytics or Clicky
  • Have a contact form (even if submissions are only emailed to you rather than stored on the site, that is still processing personal data)
  • Have any sort of customer/visitor log in function

But I'm not in Europe! I'm in the US - do I still have to do this?

Unfortunately, yes, in most cases.

The regulation applies to any organisation, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour there (analytics and ad tracking count as monitoring). Merely being reachable from Europe is not enough on its own, but an e-commerce store that ships to EU countries, or a site running tracking scripts on EU visitors, is squarely in scope. Blocking ALL European traffic is one way out, though it is a blunt instrument: it does nothing about EU residents' data you already hold, and geo-blocking is easily bypassed.

Additionally, similar laws are likely to follow in the US, so we'll all have to do this eventually. Blocking EU traffic only buys you time.

Ok, so what if I just ignore this? If I do nothing?

The EU is really serious about this, and the regulation allows them to fine businesses substantial amounts of money. Like really substantial.

For instance, the highest tier of fines is up to 20 million Euros or 4% of your total worldwide annual turnover for the preceding financial year, whichever is greater. A lower tier, for less serious infringements, tops out at 10 million Euros or 2%.

It's possible that you could skate by unnoticed, and regulators do scale fines to the severity of the breach, but the maximum is large enough to put most businesses under. So take this as our official stance: Do not ignore GDPR. Get compliant. Period. End of story. It's too risky not to.

Fine. Then what are my options?

The way we see it, you’ve really got four options:

  1. Ignore it. Roll the dice and pray you slip through the cracks.
  2. DIY – Do the research yourself, figure out how to implement all of the privacy features. (For reference, one study showed that 68% of companies plan to spend between $1m and $10m on GDPR compliance measures.)
  3. Block all EU traffic and deal with it when it hits the US.
  4. Have us do it! (Obviously that's where we were going.) We've got a package for $397 where we'll take care of it for you and get you GDPR compliant. Having done this a bunch of times already, we've streamlined the process. (Or, we can help you block EU traffic, which runs $50.)