You’re ready to start selling your products overseas, or maybe you already are. But the idea of violating the European Union’s internet privacy law is intimidating. Can your small business meet the EU’s demands? What do you need to do to make your company website GDPR compliant so you can do business internationally?
The EU’s General Data Protection Regulation (GDPR) Applies to Anyone with Customers in Europe
Online stores and eCommerce tools make it easy to take even a small business global. Anyone with an internet connection can find your company website, so you could even end up selling to someone in the European Union without trying. It is important for anyone doing business online to make their company website GDPR compliant.
A previous blog post went into the history of the European Union’s GDPR. As of May 25, 2018, the EU’s regulations require any business entity that collects an EU citizen’s personal data as part of a business transaction to become GDPR complaint or face financial penalties.
What It Takes to Make Your Company Website GDPR Compliant
The GDPR regulations come backed with fines and penalties steep enough to make any small business sit up and take notice. Staying on the right side of the regulation requires several steps:
Consent to Collect User Data
Making your company website GDPR compliant starts with providing notice of the personal data you plan to collect and giving the user the opportunity to opt into that data collection before it happens. The GDPR defines personal data broadly – including anything that can directly or indirectly identify the person, like:
- Names
- Photos
- Physical addresses
- Email addresses
- Financial details
- Credit card information
- Social media posts
- Medical information
- Computer IP addresses
The GDPR requires consent each time you access data. It’s not enough to store consent on file and then collect more data later. Under the Privacy by Design principles of the regulation, you should only process data that is absolutely necessary to do your business.
When you ask for consent to collect this information the request also needs to be clear and concise – not buried in your terms of service. You also need to build in a way to withdraw that consent that is just as easy as opting in.
Off-Line Protection of Private Information
The GDPR has requirements for companies online and off. After a user consents to the collection of personal information, you need to limit who has access to that data. Personal information should only be given to authorized employees with the credentials to handle it, and only for jobs that specifically require using it. In larger companies, you may need to designate a Data Protection Officer to deal with GDPR compliance and requests.
Right to Access
Under the GDPR, if you are storing people’s information, you must give them access to an electronic version of it on request. This includes whether the data is being processed, where, and for what purpose. The data must be provided in a commonly used machine-readable format. The user may also ask you to send it to another processor free of charge. If your company is also subject to HIPAA or other privacy laws, you may need systems in place to verify their identity first.
Right to Be Forgotten
The GDPR’s right to be forgotten is probably one of its most famous requirements. It says you need to be prepared to erase all of a person’s data if they ask you to, and immediately stop processing or distributing that information.
Notice of Security Breach
Even with top-end cybersecurity, data breaches can still happen. GDPR compliance requires that you notify anyone affected by a security breach within 72 hours. You must use as many forms as necessary to reach everyone, including email, telephone calls, and public announcements.
Get Help Making Your Company Website GDPR Compliant
With so much on the line and so many technical details to consider, business owners should take GDPR compliance seriously. A DIY solution to data privacy could leave you vulnerable to cybersecurity breaches and GDPR violations. And those can be expensive.
If your company does business in the EU, you should sit down with a Provisio Technology Solutions web solutions specialist today. We understand how to make your company website GDPR compliant, and can help you create company best-practices to stay on the right side of the regulations. Contact us today to schedule meeting with a web solutions specialist.