StudioHOF and GDPR Compliance
GDPR is a European Union law that reaches far more websites than the ones hosted in Europe. Let’s forget “legal overreach” for a moment, and simply accept that
- we all get too much spam email
- scandals like Facebook and Cambridge Analytica
- constant news about data breaches
are simply bad things.
The General Data Protection Regulation is the EU’s attempt to start setting this right. While I believe that the EU creating legislation that impacts sites hosted outside its jurisdiction is an overreach, I wholeheartedly believe in what they are trying to accomplish. I also believe that with all the data breach scandals here in the US, US legislation is not far behind. Not a single client asked StudioHOF to help them prepare for the GDPR, but we took the initiative anyway for all of our clients, because the intent of the law simply makes sense, and because non-compliance carries fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
How can my US- or Canada-based site be impacted by the EU GDPR?
If you think you aren’t impacted, consider these scenarios.
- A husband in Germany decides to file for divorce from his estranged wife, who lives in Tampa. The husband goes online to find a divorce attorney in Tampa. That attorney may be subject to the GDPR.
- An investor in Denmark owns a few condos on the beach in Indian Rocks Beach. Between long-term rentals, they want the marble floors refinished, so they search the internet for a floor cleaning expert and contract the work. That floor cleaning expert is subject to the GDPR.
- A creditor in France is owed money by someone in South Dakota. They search the internet for a debt collection agency that handles international collections and land on your website. Whether or not you engage that person as a client, you are now holding personal data about someone in the EU, and the GDPR applies to it.
- Anyone from Europe who touches your site leaves tracks: in server and audit logs, in the analytics data Google collects for you, and in any form they fill in. Under Article 3(2), the regulation reaches organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, and tracking visitors with analytics is monitoring. In short, if your site can be reached by people in the EU and records anything about them, you are impacted by this law.
Steps taken toward GDPR compliance
Here are the specifics of what we have done to move your site toward GDPR compliance.
Permission To Contact
The GDPR requires a lawful basis for every use of personal data, and for following up with marketing the clearest basis is consent, which must be a freely given, specific, informed and unambiguous affirmative act (Article 4(11)); a pre-ticked box or silence does not count. It is not enough that they filled out a form with name and contact information (which in my mind certainly shows they are OK with being contacted!). They must also acknowledge that it is OK to contact them. I get it. The other day, there was a white paper offered on search optimization that I wanted. To get it, I had to give my email and phone number, which I did. Not three minutes later, I got a high-pressure phone call and was bombarded with email marketing that I never asked for. All I wanted was the free white paper. So, I understand the need. All contact forms on every client site have been updated with a required, unticked checkbox confirming that you (our client) may use the information provided to contact the person who left it. This is the consent the GDPR asks for, and it makes sense.
Encryption
Your site should be encrypted. It’s really simple, and it amazes me how many sites are not. We made TLS (HTTPS) the standard for every site we host last year. Article 32 of the GDPR lists encryption among the appropriate technical measures for protecting personal data, and a contact form that sends names and phone numbers over plain HTTP is hard to defend under it. It is also a ranking factor: Google has said publicly since 2014 that HTTPS is a ranking signal, so an encrypted site ranks above an unencrypted one, all other things being equal. Finally, current browsers flag unencrypted sites: Chrome labels every plain-HTTP page “Not secure” in the address bar. How’s that for a user experience? We weren’t asked, but every site hosted by StudioHOF has been served over HTTPS since late last year.
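Turning encryption on is only half the job: the plain-HTTP address has to redirect visitors to HTTPS, and the HTTPS response should carry a Strict-Transport-Security (HSTS) header so returning browsers never try plain HTTP again. The following is an added example written for this page, not StudioHOF’s code: it checks the status and headers of both responses and reports what is still missing. The sample responses are constructed so it runs offline; fetching the real ones is left to the caller. The one-year threshold and the “ignore HSTS over plain HTTP” rule are standard browser behaviour, not anything the page states.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; preload lists and most hardening guides expect at least this max-age
REDIRECT_STATUSES = {301, 302, 307, 308}
PERMANENT_REDIRECTS = {301, 308}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into a dict of lower-cased directives.
    Returns {} when the header is missing or its max-age is absent or not an integer,
    because browsers ignore such a header entirely."""
    if not value:
        return {}
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name:
            directives[name] = arg.strip().strip('"') if arg else True
    try:
        directives["max-age"] = int(directives["max-age"])
    except (KeyError, ValueError):
        return {}
    return directives


def _lower_headers(headers):
    return {k.lower(): v for k, v in headers.items()}


def check_http_entrypoint(status, headers):
    """Findings for the response to a plain http:// request. An empty list means it
    does the one thing it should: permanently send the visitor to https://."""
    h = _lower_headers(headers)
    findings = []
    if status not in REDIRECT_STATUSES:
        findings.append(f"status {status}: plain HTTP should redirect to HTTPS, not serve content")
    else:
        target = h.get("location", "")
        if urlsplit(target).scheme != "https":
            findings.append(f"redirect target is not HTTPS: {target!r}")
        if status not in PERMANENT_REDIRECTS:
            findings.append(f"status {status} is a temporary redirect; use 301 or 308 so clients cache it")
    if "strict-transport-security" in h:
        # Browsers only honour HSTS received over TLS, so here it is dead weight and a sign of confusion.
        findings.append("HSTS header sent over plain HTTP is ignored; send it on the HTTPS response")
    return findings


def check_https_response(headers):
    """Findings for the response the HTTPS origin serves: HSTS present, long-lived,
    and covering subdomains so an http://www... variant cannot be used to bypass it."""
    h = _lower_headers(headers)
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security"))
    if not hsts:
        findings.append("no usable Strict-Transport-Security header")
        return findings
    if hsts["max-age"] < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, purely to demonstrate the checks.
    samples = {
        "http, unencrypted page": check_http_entrypoint(200, {"Content-Type": "text/html"}),
        "http, good redirect": check_http_entrypoint(301, {"Location": "https://www.example.com/"}),
        "https, weak HSTS": check_https_response({"Strict-Transport-Security": "max-age=300"}),
        "https, good HSTS": check_https_response(
            {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    }
    for label, findings in samples.items():
        print(f"{label}: {findings or 'OK'}")
```

To run it against a live site, feed it the status code and headers from a request to `http://yourdomain/` (with redirects disabled) and from a request to the `https://` origin; a well-configured host produces an empty list from both checks.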
Terms and Conditions Acceptance
Terms and Conditions of use on a website were always “you kinda should have them”, but few people actually read them. What the GDPR actually demands is transparency: Articles 12 and 13 require that people be told, in clear and plain language and at the time their data is collected, who is collecting it, why, on what legal basis, for how long it is kept and what rights they have. Burying that in a page nobody reads does not satisfy it. All clients of StudioHOF now have updated Terms and Conditions for the EU, and if your visitor is from the EU, they have to accept those terms before submitting data. Simply having Terms and Conditions on your site is not enough; an EU visitor has to be shown them and actively accept them.
Data Access Requests
Visitors from the EU have the right to know what information you hold about them (the right of access, Article 15), and you must respond without undue delay and within one month of the request. I am sure you can imagine that the data is buried in a bunch of technology, and this is NOT something the typical small or midsized business wants to deal with. We’ve provided a simple form, again with automated emails, that sends the Data Access Request directly to us. We satisfy the request for the website and forward it to you, so that you can respond for any data about that person in systems you run that are not on your website.
Right To Be Forgotten
The “right to be forgotten” is the GDPR’s right to erasure (Article 17). It means that visitors to your site, or people who registered for anything on it, from contact forms on down, can have that data wiped from your systems. We cannot wipe data from systems outside our infrastructure. So if someone requests to be forgotten, we have a form for that, with an automated email that comes to us rather than to you, so that we can do the wipe on your behalf. We wipe them from the site, then notify you that you need to wipe them from your contact software (such as Constant Contact or MailChimp) and any other systems you keep outside the web.
If we respond to a Data Access Request and the user comes back with a correction that is required (the right to rectification, Article 16), we’ve automated that entire process. The user can request a change to their data on your site, that request comes to StudioHOF, and we make the change within the website and, of course, forward it to you so that you can adjust your own systems.
Should a visitor want to be unsubscribed, as opposed to forgotten (they no longer receive updates, but are still in your system to contact one-on-one), they would use the Unsubscribe request.
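The four request types above (access, rectification, erasure and unsubscribe) are mechanically simple once the site’s data is reachable in one place. The following is an added example written for this page, not StudioHOF’s code or any CMS’s API: it handles each request against a small SQLite database whose table and column names are hypothetical stand-ins for a site’s contact, form-submission and mailing-list tables, loaded with constructed sample rows. Two details are worth copying: rectification only touches an allow-list of columns, and the request log keeps a keyed hash of the email rather than the email itself, so you can prove an erasure was handled without re-storing what you just deleted.

```python
import hashlib
import hmac
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema standing in for a site's tables (constructed for this example).
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, name TEXT,
                       phone TEXT, consent_to_contact INTEGER NOT NULL DEFAULT 0);
CREATE TABLE submissions (id INTEGER PRIMARY KEY, contact_id INTEGER NOT NULL REFERENCES contacts(id),
                          form TEXT, message TEXT, submitted_at TEXT);
CREATE TABLE subscriptions (id INTEGER PRIMARY KEY, contact_id INTEGER NOT NULL REFERENCES contacts(id),
                            list_name TEXT, active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE request_log (id INTEGER PRIMARY KEY, subject_hash TEXT, request_type TEXT, handled_at TEXT);
"""

# Constructed sample rows: one EU contact with a form submission and a newsletter subscription.
SAMPLE_ROWS = """
INSERT INTO contacts VALUES (1, 'anna@example.eu', 'Anna', '+49 30 000000', 1);
INSERT INTO contacts VALUES (2, 'bob@example.com', 'Bob', NULL, 0);
INSERT INTO submissions VALUES (1, 1, 'contact', 'Need a quote', '2018-05-20T10:00:00Z');
INSERT INTO subscriptions VALUES (1, 1, 'newsletter', 1);
"""

# Secret for pseudonymising the request log; example value only, keep the real one in a secret store.
LOG_HMAC_KEY = b"example-only-secret"

# Columns a subject may change through a rectification request (allow-list, never the whole row).
RECTIFIABLE_FIELDS = {"name", "phone"}
CHILD_TABLES = ("submissions", "subscriptions")  # tables keyed by contact_id


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def subject_hash(email):
    """Keyed hash of the normalised email. The log can show that a request for this person
    was handled, yet after erasure it no longer stores their identifier, and without the
    key nobody can test guessed addresses against it."""
    return hmac.new(LOG_HMAC_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def _log(conn, email, request_type):
    conn.execute("INSERT INTO request_log (subject_hash, request_type, handled_at) VALUES (?, ?, ?)",
                 (subject_hash(email), request_type, datetime.now(timezone.utc).isoformat()))


def _contact_id(conn, email):
    row = conn.execute("SELECT id FROM contacts WHERE lower(email) = ?", (email.strip().lower(),)).fetchone()
    return row["id"] if row else None


def export_subject_data(conn, email):
    """Access request (Article 15): everything held about the subject as plain dicts,
    ready to be serialised to JSON for the reply. Returns None for an unknown subject."""
    cid = _contact_id(conn, email)
    if cid is None:
        return None
    out = {"contact": dict(conn.execute("SELECT * FROM contacts WHERE id = ?", (cid,)).fetchone())}
    for table in CHILD_TABLES:  # fixed names from CHILD_TABLES, never user input
        out[table] = [dict(r) for r in conn.execute(f"SELECT * FROM {table} WHERE contact_id = ?", (cid,))]
    with conn:
        _log(conn, email, "access")
    return out


def rectify_subject(conn, email, changes):
    """Rectification request (Article 16). Rejects any column outside RECTIFIABLE_FIELDS,
    so a crafted request cannot flip consent flags or reach anything else."""
    unknown = set(changes) - RECTIFIABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not rectifiable via this request: {sorted(unknown)}")
    cid = _contact_id(conn, email)
    if cid is None:
        return False
    with conn:
        for field, value in changes.items():  # field is allow-listed above
            conn.execute(f"UPDATE contacts SET {field} = ? WHERE id = ?", (value, cid))
        _log(conn, email, "rectification")
    return True


def unsubscribe_subject(conn, email):
    """Unsubscribe: stop mailings but keep the contact for one-on-one follow-up.
    Returns how many active subscriptions were switched off."""
    cid = _contact_id(conn, email)
    if cid is None:
        return 0
    with conn:
        n = conn.execute("UPDATE subscriptions SET active = 0 WHERE contact_id = ? AND active = 1",
                         (cid,)).rowcount
        _log(conn, email, "unsubscribe")
    return n


def erase_subject(conn, email):
    """Erasure request (Article 17): delete every row tied to the subject in one transaction,
    children first, leaving only the keyed hash in the request log."""
    cid = _contact_id(conn, email)
    if cid is None:
        return False
    with conn:  # commits on success, rolls everything back if any statement fails
        for table in CHILD_TABLES:
            conn.execute(f"DELETE FROM {table} WHERE contact_id = ?", (cid,))
        conn.execute("DELETE FROM contacts WHERE id = ?", (cid,))
        _log(conn, email, "erasure")
    return True
```

The part the site cannot do for you is the same one the text points out: anything copied into a mailing-list tool or CRM has to be erased there separately, and the forwarded notification is the only link between the two.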
Data Breach Notification
Sears, Kmart, BestBuy, Delta, Saks, Lord & Taylor, Under Armour, Panera Bread, Forever 21, Sonic, Whole Foods, Gamestop, Arbys and more all had data breaches in 2017/2018. If they are vulnerable to a data breach, you can be sure that your site is also vulnerable. This is not the place to discuss our own security, although you can ask at any time. This is the place to say that the GDPR makes breach notification a legal duty: Article 33 requires you to notify the supervisory authority within 72 hours of becoming aware of a breach, and Article 34 requires you to tell the affected people without undue delay when the breach is likely to put them at high risk. We’ve automated the notification to your site’s users in a dashboard to make it simple and fast. It’s bad enough to deal with a data breach; do you also want to deal with the mechanics of telling all the users of your site about it? It’s now the law, at least in the EU, and for anyone in the EU whose data you hold. We’ve made it easy to comply.
Refuse EU Traffic
This is the GDPR nuclear option. If you choose to say, “this is just too much, I don’t want any traffic from Europe”, we can shut off traffic for all of the EU, or for specific countries, with the click of a button. Two caveats: blocking by IP geolocation is approximate (VPNs, mobile carriers and corporate proxies put people in the wrong country), and it does nothing about data you already hold on people in the EU, which still has to be handled under the rules above.