In less than two weeks (May 25, 2018), the most significant change in data privacy in 20 years and protection regulation goes into full effect. The EU’s General Data Protection Regulation (GDPR) is aimed at protecting the personal and sensitive information of all EU residents, regardless of where an organization is based. Under GDPR, individuals are allowed greater control over their personal information that is shared with organizations.

GDPR is built around the idea that organizations make good data governance a high priority. While your organization may not be required to comply with the new regulations, ensuring your site and processes embrace the spirit of data protection and privacy will gain and keep the trust of your users. Once your organization has completed a comprehensive data governance review (If you haven’t, check out our blog post on how to do this!), take these five steps to ensure your website matches your organization’s stance on data privacy by design.

1. Make sure your site is secure.

An SSL certificate is a small bit of code on your web server that creates an encrypted connection between a user’s web browser and your website. Having SSL on your website is like sealing your message in an envelope that your recipient will open and read. Having an SSL certificate signals to your users that your organization values the security of any personal information that they share with you.
There are many other benefits to having an SSL certificate installed on your site. In cases where you are collecting payment information, SSL is required to be on your site to meet the security standards set by the Payment Card Industry (PCI). In addition, major browsers like Google Chrome and Mozilla Firefox have started to include a warning for all insecure sites.

2. Review your newsletter, registration, and other email subscription forms.

When it comes to GDPR, one of the major areas of change facing website administrators and digital marketers is how to collect and store email subscription consent. To maintain compliance, organizations must collect affirmative consent that is, “freely given, specific, informed, and unambiguous.”
At a minimum, your email subscription forms must:

• Be separate from other terms and conditions: Signing up to receive marketing communications must not be a requirement for registering for a service.
• Contain a clear affirmative action: For consent to be valid under GDPR, users must actively confirm their consent, such as by checking an empty opt-in checkbox. Pre-checked boxes or inactivity does not constitute consent under GDPR.
• Describe who will be using the information and how: Each form must state the name of your organization and any other third-party services that process the information in the submitted form. You will also need to state why and how the user’s information will be processed.

3. Review installed and active plugins, as well as any information that you collect and store on the website.

Note: While the information in this step is specific to WordPress, this can be applied to any site using any content management system. For non-WordPress sites, be sure you review all modules and custom-built functionalities that may collect and process personal data.

The WordPress community is already hard at work at adding WordPress core tools for GDPR compliance and other privacy laws and requirements. As the website owner, you are ultimately responsible for ensuring your installed plugins, as well as the usage of them, are GDPR compliant.

We recommend you review every plugin that you have installed and activated on your WordPress site for the following:

• What individual data is being collected by this plugin? Of the data collected, is any of it personal or sensitive?
• What services process the data that is collected?
• Contact Form or Comments plugins: Can you add a required checkbox that allows the user to consent the storing and processing of their data?
• Analytics, retargeting, and tracking plugins: Do you have the option to anonymize the IP address of your users? Can you modify data retention settings?

In addition, make sure that you have an internal process to perform the following:
Manage requests to view and delete user information
Provide a user with a downloadable file of their personal data

There are many WordPress plugins available for download that can help you with the task of auditing your installed plugins for GDPR compliance, implementing form consent checkboxes, and even allowing your users to request secure access to their data.

4. Update your website’s Privacy Policy statement.

Any organization that processes personal data is required by GDPR to provide clear, accessible information about how user personal data is being used. This is often done through a Privacy Policy statement on the organization’s website. Once you have finished reviewing and documenting your website’s plugin and data usage, you can start working with your legal team to update your website’s Privacy Policy statement.
The UK’s Information Commissioner’s Office (ICO) comprehensive guide to GDPR includes a privacy notice checklist and what to include in your privacy notice that your organization can use when updating your site’s Privacy Policy and terms of use.
At a minimum, your website’s Privacy Policy should include details on:

• How and why your organization collects and processes personal data;
• How your organization gains and records user consent; and
• What data is shared with other third parties

As a best practice, your Privacy Policy should also include information on:

• Consequences of not providing personal information – for example, declining to provide an email address will result in not being able to receive member e-newsletters;
• What your organization is doing to ensure the security of personal information;
• How users can manage and update their personal information;
• Information about data subject rights; and
• What you will not do with their data

By now, you may have heard about the European Union General Data Protection Regulation (GDPR) that is rattling companies from technology titans like Facebook to small businesses with a website. In short, the GDPR is a legal framework that sets guidelines for the collection and processing of personal data of individuals residing in the EU. The new policies set by GDPR and the ePrivacy Regulation are some of the most significant changes in data privacy regulations in 20 years and will dramatically change how organizations worldwide collect and process data.

If your organization works with data on EU residents, you will be required to comply with GDPR once the regulation goes into effect on May 25, 2018. Non-complying organizations may be faced with fines of up to 20 million Euros or 4 percent of total yearly revenue per incident.

The main purpose of this historic regulation is that GDPR grants consumers and individuals a range of data subject rights. With significant data breaches and other data scandals such as Cambridge Analytica, Equifax, and, most recently, MyFitnessPal, continuing to make headlines, organizations are being pressured to treat data privacy as a right.

GDPR will have strongly affect how your organization processes data, regardless of which side of the Atlantic you are on. By complying with GDPR, your organization shows that you prioritize your members’ and users’ trust.

Ten Steps to Embracing Privacy by Design at Your Organization

1. Educate your staff, and get buy-in from your top stakeholders.

Don’t be mistaken — GDPR is not solely an IT issue . Whether they work in accounting, membership, or government relations, your staff handles a great deal of data.

Educate your staff on personal and sensitive data , and have everyone, from your leadership team to your boots-on-the-ground staff members, make privacy compliance and data governance a priority in your organization. Privacy by design and default is a key part of data protection. Make it a point to regularly discuss data protection at senior management meetings to maintain staff awareness.

2. Appoint someone on your staff to be the Data Protection Officer (DPO).

While your organization might not be legally required by the GDPR to appoint a DPO, we recommend having someone — or even better, a group of staff members — in your organization to be your internal advocates for data protection.

These people should be well-versed enough in your organizational structure and IT infrastructure to help internal staff understand data protection as it relates to a staff member’s tasks and goals. They should also maintain records of data processing activities, and lead regular audits to ensure privacy compliance and proactively address potential issues.

3. Comprehensively assess your data.

One of the best ways to prepare for your transition to privacy by design and solid data governance is to understand your organization’s data inside and out.

The more honest, transparent, and comprehensive your data audit is, the easier it will be to identify ways to change your business process to ensure GDPR compliance.

When reviewing your organization’s data, think of the 5 W’s:

• Whose data is being collected, processed, and stored?
• What data is being collected, processed, and stored? Of the data you collect and process, what is personal and what is sensitive?
• Where is data being collected, processed, and stored? Remember: Excel workbooks also count!
• When is data collected, processed, and stored?
• Why is data being collected, processed, and stored?

4. Review how you are getting data and consent from your users.

In addition to answering the “5 W’s” in your data audit, make sure you are also taking note of how you are gathering data and getting consent from your users to gather, store and process their data. Under GDPR, user consent must be explicit, freely given, specific, and unambiguous . This means that users must not be required to hand over their information to use a service, nor should they be automatically opted-in for emails and communications upon signing up for a service.

Be sure to take note of all your organization’s methods of data collection, including member registration, newsletter subscription, and meeting registration forms and well as any cookies and tracking pixels installed on your web properties.

5. Review your third party vendors.

Under the new data protection regulations, any third-party data processors that you use is legally obligated to be compliant with GDPR. This is the time to take stock of any third party vendors that process information on your behalf, and note whether they are GDPR compliant, or if not, what steps they are immediately taking to be GDPR compliant.

Common third-party vendors that associations use include:

• AMS or CRM
• Websites
• Web Analytics Software
• Email service providers or marketing automation platforms
• Meeting planning or registrar services
• E-Learning services