Today, May 25 2018, marks the introduction of a new law in the EU regarding privacy of data. For most of my clients (primarily based in the USA and some in New Zealand and Canada), the EU seems an awfully long way away. At best, if you're in New York, it's a little over 7 hours flight time to London. Or, if you remember that Britain is, technically, not part of the EU anymore, it's about 7.5 hours from New York to Paris. Unfortunately, in internet time, it's a few seconds at most. And that's where, if you're not ready today, you could be leaving yourself wide open for legal action through your website's behavior.
The EU is tightening up on how and when companies collect, then store, then use private information. We agree that data protection is an extremely important topic, one which most companies fail to take anywhere near enough care over. Just Google data breach 2018 to see the woefully long list of high profile companies who have been hacked. However, we believe the EU has really over-stretched itself with this one. And the reason we believe, or at least part of the reason, is their previous data privacy attempt with the "Cookies Law". It was toothless and ineffective, hence, we believe, they've taken the knee-jerk reaction with GDPR.
So, realistically, what does GDPR mean to people and companies hours of flight time away from the EU. Firstly, that we all need to stop thinking in terms of distance and flight time. We are closer to our next door neighbor via the internet than we are physically. The EU is as much our next door neighbor in terms of the internet as our physical next door neighbor. That means, anything that goes on "over there" WILL affect us "over here". And GDPR WILL affect your business even if you have no EU clients. The EU has drafted GDPR so broadly that not physically conducting business with EU clients, or not having offices there does not put you in the clear.
From our reading, almost every business in the world will be touched in some small way by GDPR. That's why we spent 2 full days updating Privacy Policies on every client website and installing cookie popups to comply with the new law's requirements. Are we paranoid? Perhaps! Are we going as over-the-top as the EU? We don't think so. We believe our clients need any, and all, protections we can give them, hence our actions with their Privacy Policies.
How would a small Mom-and-Pop shop, say a local bakery, in the middle of America be affected by this law? They don't sell to the EU, they certainly aren't an international chain of bakeries. Fair question. Ever received an random job request with attached email? Or just any email? Has your website got analytics installed (if not it SHOULD and you should be reading those reports!)? What if that email, or one visit comes from an EU resident? Boom, GDPR has caught you. We said that the scope was broad, and here's how broad. The EU courts have ruled that an IP address (and we all have them) is deemed "personal data", even if you, like the vast majority of consumers, has a dynamic IP address (one which your internet provider changes from time to time). And, if you collected it (or rather your analytics collected it) GDPR applies.
Don't think GDPR is a huge issue. As we're writing this, the BBC is reporting a number of American news sites are unavailable to EU subscribers because of it. The law makers thought it was pretty important too, drafting a pretty large document. You can see the full GDPR law here. Warning, it'll undoubtedly send you to sleep! And, on the very day the law came into effect, Google and Facebook are immediately hit with lawsuits.
Our advice is to make sure you have good data handling and protection protocols in place. No one is safe from a hack attack, the list of previous big names getting hacked testifies to that, but don't leave yourself open in the first place. Be proactive in your security and standards. From our point of view, as web developers, make sure you site is hosted on quality hosting. Just because you can get hosting for $5 a month doesn't mean you should. Make sure your website is protected by a good security suite, and ensure the server it's hosted on is similarly equipped with good security (which is why you should probably avoid the $5 per month hosting!). Get a GDPR compliant privacy policy on your site which incorporates the ability for users to self opt-out of cookies. And, the dreaded cookie popup is also a must.
GDPR is a complicated and complex issue, and ignoring it, or trying to cobble together something without fully understanding it is a bad idea. Want more info? Have a look at this post - a beginner's guide to GDPR.
