Why? Because effective May 25, 2018, a new European Union law called the General Data Protection Regulation (GDPR) requires businesses to be compliant with changes to website privacy policies and how they collect personal information from their website visitors.
I can hear the pushback already – Why are you bothering me with EU law when I am a writer or blogger in the US?
Because the Internet has no definable borders and reaches people all over the world, the EU requires any business anywhere in the world that collects personal data of an EU citizen to adhere to the new stipulations in the GDPR. This includes all non-EU-based bloggers and authors with readers or subscribers from the EU, regardless of whether the website makes money, offers free services, or just collects personal data to build an email list.
Got your attention now?
What you need to know about GDPR.
The regulations are somewhat complicated. But spend a little time with me and we will slog through this together. In the simplest terms, the GDPR manages the digital privacy of EU citizens by requiring businesses worldwide with an Internet presence to adhere to strict regulations if the business collects personal data from EU citizens. The goal of GDPR is to make sure the collection of personal information is necessary and handled fairly.
Under the GDPR, personal data includes but is not limited to names, emails, billing and shipping addresses, phone numbers, credit card information, demographics, bank details, social security numbers, and IP addresses. Basically, any information that could identify an individual qualifies. Even if a business with an Internet presence does not collect personal data for itself, most business websites, including authors and bloggers, use third-party apps that collect various degrees of personal data (e.g. Google Analytics, ad links, social media sharing, mailing lists, Mailchimp).
The list of EU members
Here is a handy link with a list of EU countries (current as of the date of this post). This list may change (like if the UK Brexit deal is ever finalized), so make sure you have a current list.
The penalty for not being GDPR compliant
- You must take measures to protect the collected data. This means protection against unauthorized use and accidental loss. SSL certificates and encryption are a good start. If you need help, consult a technical expert on data protection measures.
- Users must be notified of a data breach within 72 hours after the breach is discovered.
- You are required to delete a user’s personal data if requested. Make sure you have a process for this request.
- Businesses with more than 250 employees must appoint a separate Data Protection Officer (DPO). If you have a DPO, include how to contact the DPO for questions or concerns.
- Email List Prior to May 2018 — For those subscribers from whom you had already collected personal data before May 25, 2018, like the email lists you use for your newsletter distributions, thankfully you will not need to resubmit consent forms to the list, provided the subscriber previously consented, especially if the subscriber had to authenticate their sign-up to your newsletter. When you signed up for our Sidebar Saturdays newsletter, we sent an authentication email to the email address provided.
- Consent from these subscribers must have been via a separate form, like a pop-up menu or sidebar request, and not made a condition to receive other products or services (unless the newsletter is necessary to deliver the service/information or how your subscriber or reader learns of the products or services available).
- If you want to be overly cautious, send your mailing list another authentication email asking them to update their preferences. Explain again what data you collect and how you use it, so they know what they originally signed up for.
If you have a lot of free time and are eager to devour more information about the overhaul of personal data privacy policies by GDPR, you can read the official 261-page GDPR document here. Knock yourself out!
Legal Disclaimer: This information is provided for educational purposes only. Consult a qualified lawyer in your jurisdiction for all legal opinions for your specific situation.