What is GDPR and why should I care?
The European Union (EU) General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018.
These will harmonise data protection laws across the EU and replace existing national data protection rules. The introduction of clear, uniform data protection laws is intended to build legal certainty for businesses and enhance consumer trust in online services.
Australian businesses covered by the Australian Privacy Act 1988 may need to comply with the GDPR if they have an establishment in the EU (regardless of whether they process personal data in the EU), or if they do not have an establishment in the EU but offer goods and services to, or monitor the behaviour of, individuals in the EU (e.g. if your website can be seen by anyone in the EU). (Thanks to OAIC for this info – read more about GDPR.)
Organisations can be fined up to €20 million or 4% of annual global turnover for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to the fines, whereby a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and the Data Subject about a security breach, or for its investigating and assessing of the breach.
Does This Apply To Me?
The short answer is yes. If you collect any personal data, it affects you. This includes (but is not limited to) any information or type of data that can directly or indirectly identify a natural person. This can include information such as name, address, email, photos, system data, IP addresses, location data, phone numbers, and cookies. For special categories of personal data, there are stricter rules, covering categories such as race, religion, political views, sexual orientation, health information, and biometric and genetic data.
If you answer YES to any of the following – keep reading – you need to comply:
- Do you have Google Analytics on your site?
- Do you have a Facebook pixel on your site?
- Do you collect email addresses?
- Do you use MailChimp forms?
- Do you have a contact us form on your website?
- Do you sell products?
- Do you have downloadable resources?
Did you answer yes to any? If so, keep reading. If not, then you might be lucky, but I am happy to answer your questions if you want to contact me.
How To Make Your WordPress Website GDPR Compliant in Australia
As I see it (and this is not legal advice!) for your website in Australia you have 4 main options.
Option 1 – Do Nothing
Option 2 – Exclude The EU
Now, this is a short-term solution and not 100% foolproof, but it will work for some businesses. If you are a local business and don’t deal with anyone from the EU (e.g. they can’t buy products from you online or in person, and you are unlikely to ever want to do business with them), then you can block all EU IP addresses. The easiest way to do that is through your hosting provider or a plugin like Wordfence Premium (which can also give you added security benefits). Keep in mind, though, that the GDPR applies to EU citizens, so if they are on holiday and access your site from a non-EU country, you may still collect personal data on them accidentally. However, unless you had a major data breach, it is unlikely that anyone would ever care.
Option 3 – GDPR WordPress Plugin
This is probably my favourite option as it is quick and easy. You can download a plugin for WordPress called WordPress GDPR Plugin. This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR. It is also free and fairly easy to install. All the information is there; you just need to add in your details.
If you use the Facebook pixel on your site, you will need to provide a link to Facebook’s privacy policy, which is https://www.facebook.com/about/privacy/update. You will also need to provide a link to the Google Analytics data policy: https://privacy.google.com/businesses/compliance/
I am not affiliated with this plugin (i.e., I make no money for recommending it), but I am using it on my site as it was easy and free. You can look around, and there are other plugins out there, but this one ticked the compliance boxes for me.
Option 4 – Get Expert Advice
If all this does your head in, or you deal with the EU a lot, speak to an expert. The GDPR regulations go way beyond just website data collection, and you want to make sure you are covered. Please note, I am not a lawyer or an expert. I can help you with website compliance, but if your business requires a more intensive option, you may need expert advice from a lawyer.
So there you have it, 4 quick ways to get your site up to speed with GDPR. If you have any questions, let me know, I am always happy to help.
Disclaimer: I am not a lawyer and this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggested clarifications, please contact me and provide sources, as appropriate.