Every day, it becomes more normal for us to share personal information online. Right now, chances are high that multiple websites and online services have access to sensitive data about you. This can include your address, contact data, and even credit card numbers. As a website owner, you need to ensure that you’re treating your users’ data with the care you would want for your own information.
Data protection regulations are essential if we want to enforce higher security standards and transparency, both as customers and administrators. This article will give you a crash course on the two most important pieces of data privacy regulation in 2018. We’ll explain what they mean for you, and how to enforce them on your website. Let’s take a look!
What Data Protection Regulations Are (And Why You Should Care About Them)
Data protection regulations set rules for how and when you can collect personal information from your website’s users. Details such as email addresses, names, and IP addresses all fall under the category of personal data, and most websites collect at least some of this information.
As an internet user, it’s easy to see why such regulations are essential. Let’s break down the main reasons:
- You probably share more information than you realize online. Most of us are signed up to dozens of services and websites, some of which ask for more personal information than others. Social networks are an example of this tendency taken to the extreme.
- At the same time, it’s important for you to protect your privacy. Ideally, you should be able to check out how each website treats your data, and take that information into account when deciding whether to use it or not.
Once your information is out there, websites can share or sell it to third-party services. Those with malicious intent can even gain access to it after a data breach, which often results in massive databases of stolen information circulating around the web. All of this means that if you run a website, you may need to step up your game when it comes to security and transparency. Users have a right to know what happens with their information, and you may even have a legal obligation to inform them.
2 Data Protection Regulations You Should Become Familiar With
Before we dive into specifics, it’s important to note that we are not lawyers. If at any point you’re unsure whether certain legislation applies to you, or you think you may be liable for a breach of any of these regulations, you should consult with a professional.
To be fair, you probably don’t need to worry about fines for breaching these regulations unless you’re running a massive website. However, you should still take the time to read through them and understand how they work. That way, you can ensure that your website is always fully compliant with any applicable legislation.
1. The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was created in December 2015, and designed to ensure the right of EU citizens to basic data protection standards. It was ratified in early 2016, replacing the erstwhile Data Protection Directive (1995-2018), and it will become enforceable on May 25th, 2018. That means you still have a little time to acquaint yourself with this regulation, and figure out what you need to do in order to comply with it.
Lately, the GDPR has generated a considerable buzz online, since it’s the most comprehensive set of rules for data privacy drafted so far. This legislation’s primary goal is to create a set of easy-to-follow rules for the entire EU, which uphold the highest standards of data privacy.
Why You Should Care About the GDPR
Despite being an EU regulation, the GDPR will apply to any site that collects data from EU citizens. This means that if you’re running a WordPress website with registration enabled, and some of your users reside in the EU, the GDPR technically applies to you.
You might still be tempted to ignore this legislation if you operate elsewhere, but remember that its main goal is to protect EU citizens. Since non-EU businesses also need to comply with the GDPR, it stands to reason that you could get fined for breaching its rules, no matter where you’re based.
The GDPR can impose several types of penalties. For example, you could get fined 2% of your worldwide annual revenue for failing to disclose a data breach, or up to 4% for failing to ask for user consent when storing data. These are steep fines. However, the good news is that complying with the GDPR is relatively simple.
What You Need to Do to Comply With the GDPR
The GDPR is a massive piece of legislation, but we can ultimately boil down its contents to the six fundamental rights it grants to users. Here’s what they are and how to comply with each of them:
- Breach notification. Under the GDPR, you must inform your users within 72 hours if any breach occurs that might compromise their data.
- Right to access. Users have a right to access the information you have about them.
- Right to be forgotten. Your users have the right to ask you to delete their accounts and all personal information you have. You may also need to cease sharing that information with third-party services.
- Right to portability. Users will be able to request that you forward their records to other ‘controllers’ or services if need be.
- Privacy by design. You may be held liable for data breaches if your system isn’t secure by design. In other words, you can be held responsible for failing to take precautions to protect user information.
- Data protection officers. If you handle massive amounts of user information or sensitive data, such as criminal records, you’ll need to work with a Data Protection Officer (DPO).
That’s a lot of information to process. However, as you can see, most of those rights are relatively simple to enforce. We’ve already talked about how to comply with user account deletion requests in the past, as well as how to create privacy policies. Other clauses, such as informing your users about data breaches, simply require you to send an email notification. Complying fully with the GDPR may take a little work, but it’s very achievable for nearly any website.
2. The ePrivacy Regulation
The ePrivacy Regulation is a piece of legislation that is still in the middle of its approval process. It should be approved during the 2018-2019 period, however. Its main goal is to complement the GDPR. To put it another way, the GDPR’s primary focus is on protecting your personal data. The ePrivacy Regulation, on the other hand, is all about your right to privacy as an individual.
Before we move on, let’s briefly discuss the difference between a regulation and a directive within the EU. Regulations approved by the EU automatically become enforceable within all member states. Directives, however, only specify a goal, and member states are free to use whatever methods they want to achieve it. In other words, replacing the ePrivacy Directive with the ePrivacy Regulation is meant to make things easier for regulatory bodies.
Why You Should Care About the ePrivacy Regulation
The new ePrivacy Regulation is a complement to the GDPR in more ways than one. For example, the regulation will share the same fine system outlined for the GDPR.
Also, if you have users or customers located within the EU, you can be held liable for breaches. This means that you will almost certainly need to adapt to it, no matter where you’re located.
What You Need to Do to Comply With the ePrivacy Regulation
Keep in mind that the ePrivacy Regulation is still not in effect. That means it could be subject to change before it actually passes. However, as it stands now, here are the main stipulations you’ll need to adjust to:
- Consent for online marketing. You will now need to ask users for their consent before you contact them with any online marketing.
- Cross-platform ad targeting is out. Under the new ePrivacy Regulation, you will need to ask for users’ consent to use their private data across platforms. In other words, cross-platform ad targeting will become a lot more complicated.
When you boil it down, the ePrivacy Regulation is all about consent. Users have a right to online privacy until they specify otherwise, and you can’t take consent for granted. If a lot of your business comes from online marketing, you’ll have to stay away from avenues such as cold emails, for example. We recommend keeping an eye on the latest news about this regulation as it becomes finalized.
To sum up, you need to be aware of what the latest data privacy regulations are. Otherwise, you won’t be able to keep your users’ information secure. These two recent pieces of legislation are a great place to start:
- The General Data Protection Regulation (GDPR): This regulation focuses on the protection of EU citizens’ private data.
- The ePrivacy Regulation: This related law is all about the right to privacy itself.
Do you have any questions about how these data protection regulations affect you? We’re not lawyers, but let’s talk about it in the comments section below!
Article image thumbnail by Chris Bain / shutterstock.com.