As of May 25th, 2018, businesses that are not in compliance with the GDPR’s requirements can face fines of up to 4% of a company’s annual global turnover OR 20 million Euro (whichever is greater). This new regulation has caused quite a stir on the internet, as you may have noticed from the dozens (if not hundreds) of emails in which companies have notified you of their own updated policies.
And you may be saying to yourself right about now that it does NOT apply to you. You are a local business that does not sell to anyone outside your own community, let alone to anyone in the countries of the European Union. That may not be true. Why?
- You don’t have to sell anything to European customers. The regulation (Article 3(2)) applies to any business, wherever it is based, that offers goods or services to people in the EU, paid or free, or that monitors their behaviour.
- Simply being reachable from Europe is not enough on its own (Recital 23 says so), but running analytics or advertising trackers on visitors from the EU counts as monitoring their behaviour, and most websites do exactly that.
- If you have sign-up forms on your website that anyone, anywhere can fill in, and people in the EU do, you are collecting their personal data and those forms must be compliant.
In other words, the regulation was written to reach businesses outside the EU that handle EU residents’ data, which is why so many non-European companies have been updating their policies.
You Must Have Clear Consent. If you’re collecting personal data from an EU resident for marketing, then you must obtain consent that is freely given, specific, informed and unambiguous (Article 4(11)), and explained in language that’s easy to understand. This means you can’t send unsolicited emails to people who gave you their business card or filled out your website contact form unless they opted in to the thing you want to send them, such as a marketing message, newsletter, etc.
Any personal data you collect through your website needs a lawful basis. For marketing messages that basis is consent, and you must be able to demonstrate that you obtained it (Article 7(1)), so keep a record of who consented, to what, and when.
Here are the consequences of not being GDPR Compliant:
- Not being able to sell to customers from EU or serve them in any other way.
- Not being able to monetize EU-based customers through ads or other means. Geographic targeting is imperfect: a UK resident traveling in the US can still see and click on your links in social media even if you exclude that region from the target.
- Severe legal costs and hassles that will stop you from focusing on your business. Poor record keeping and weak protection of the data you hold can result in fines and lawsuits, making your life a nightmare.
“Most small business owners are so busy running their businesses that they don’t have time to worry about things like data protection or how important it is to their business and their bottom line. But data is valuable. When you don’t protect it, you can lose customers, be fined or worse, lose your business. And no one has yet addressed potential criminal prosecution for serious offenders. But it’s coming.” Heidi Richards Mooney
Does it still apply if you have a WordPress website, or one built with a website builder?
The answer is YES. You must be compliant. It applies to every business, large and small, around the world (not just in the European Union) that handles EU residents’ data.
But don’t panic, yet.
Under the GDPR (Article 58(2)), supervisory authorities have a graduated set of corrective powers: warnings, reprimands, orders to bring processing into compliance, temporary or permanent bans on processing, and finally the large fines. Fines are not the automatic first step, but they are available for continued violations. And as stated above, the regulation applies to non-EU businesses that target or monitor people in the EU, so being outside Europe is not a defense.
Here are some areas where you could be collecting data and therefore must be compliant.
If you allow comments on your website you will also need to be compliant, because a comment form collects a name, an email address and an IP address. Your site will need a privacy opt-in checkbox on the comment form to comply with the new law.
If your site is built using WordPress, GDPR support was added in release 4.9.6. With WordPress 4.9.6, the default comment form shows an opt-in checkbox (“Save my name, email, and website in this browser for the next time I comment”), so the commenter’s details are only stored in a browser cookie if they ask for it. All WordPress themes that use the default WordPress comment form automatically show this checkbox; a theme with a custom comment form will need to be updated by hand.
Which means if you haven’t updated your WordPress website to the latest version yet, go there now and do so!
Your contact forms
Your checkboxes could include verbiage similar to this. Both boxes must be unchecked by default (a pre-ticked box does not count as consent under the GDPR), and the marketing opt-in must be a separate box from the terms & conditions, not bundled into it:
___ I’ve read and accept the terms & conditions *
___ Yes, I want to receive member news, invitations and updates via email.
Other Optin Forms
Most, if not all, email marketing services such as AWeber, Constant Contact, Mailchimp, Mailjet, Sendinblue and others have added GDPR features (consent fields, double opt-in, data export) and updated their terms. If you use one of these services you will still need to go in and update all your existing sign-up forms so they are legal. Check their websites to make sure they have the necessary tools and policies in place for you to use.
You should also note that while WordPress 4.9.6 added the backend tools you need (a Privacy Policy page setting plus Export Personal Data and Erase Personal Data tools under the Tools menu), the software cannot make you compliant by itself; you still have to get the right policies and processes in place:
- Updated privacy and terms of service policies with a checkbox visitors can check to accept those terms. These also have to be easy to find on your site, not buried in an obscure menu that the average person would not know where to look. Mine are in the footer of my sites (which is standard).
- A process for handling requests for personal data: if people on your list want to know what information you are storing about them, you have to give it to them, generally within one month (Article 12(3)).
- A breach-notification procedure: if you have a breach of personal data (such as your website getting hacked), it must be reported to the supervisory authority within 72 hours of becoming aware of it where feasible (Article 33), and to the affected people when the risk to them is high (Article 34).
The good news is that there are now plugins created just for WordPress. One of them is the GDPR Fix Plugin, the one I am using. I have added it to all my sites and updated all my policies to reflect the new GDPR regs.
The main thing I love about this plugin is that if you don’t want to take the time to update your policies it will block traffic from the EU from being able to access your site. This works for local businesses who don’t do business with any countries other than the US and don’t care about collecting EU visitors’ personal data to build a list. It will also give you time to update your own policies. One caveat: blocking works by looking up the visitor’s IP address, which is approximate and is bypassed by VPNs and by EU residents traveling abroad, so treat it as a way to reduce your exposure rather than a guarantee that no EU data ever reaches your site.
Here is what is included in the GDPR FIX Plugin.
- Compliance on 7 Key GDPR Requirements
- Works with your blog or any other custom implementation of WordPress including e-com stores.
- Just plug it in and set it up in less than 3 minutes for faster GDPR compliance.
- Terms and conditions policy compliance gets your visitors consent to your T&C.
- Right to be forgotten (erasure) compliance lets you delete a user’s data manually when they request it.
- Or… Refuse to accept EU traffic on your site (Built in the plugin)
This is perfect for the do-it-yourselfer. You can purchase the plugin, use our forms and make the updates to your own sites in less than 2 hours. The plugin has simple forms included in their plugin but you still have to update your own Terms of Service, Privacy and Data Protection policies so they can link to them properly in the system.
And it’s affordable: as of the publication of this article both the elite single-site and multi-site licenses are under $25. They have a support system and a 30-day money back guarantee. You can grab your copy of GDPR Fix Elite here: http://bit.ly/GDPRElite
One last thing: most of the common website builders such as Weebly, Wix, Squarespace, Shopify, Webflow and others have now built GDPR features into their systems, which means you will simply have to activate those settings and publish your policies, and you should be good to go. If you have not received notifications from them, be sure to check their main sites to verify that you are covered (or not).
If your site is custom-built not using a Website Builder or Content Management System, make sure the developer has or is in the process of making these updates available to clients.
And finally, if you need help with your site, drop me a line. I have the developer rights to the plugin and have updated all the policies on Women in Ecommerce, my other websites and several of my clients. The forms I have created and updated will be available for MEMBERS to edit and adapt to their website in the member dashboard this week. Members also receive a sample email you can send to clients announcing the new policy updates.
Disclaimer: I have garnered the above information from a variety of sources including but not limited to online legal forms websites, the GDPR website, several compliance sources and more. However, the above information is not intended to be construed as legal advice. You should seek the advice of your own legal counsel before making any major decisions regarding GDPR and your website.