With the arrival of new data protection and privacy laws, especially the GDPR, it is essential that organizations of every size and type stand up and take notice. Changes are coming (and in many places have already come) which are going to profoundly affect the way that your organization interacts with your users, customers, and donors. This new landscape is something that every organization needs to understand and respond to, and failure to do so could result in major liabilities, including legal and governmental action.
What is the GDPR?
GDPR stands for General Data Protection Regulation, and refers to a set of regulations implemented in 2018 by the European Union. These regulations pertain to data protection and privacy for EU citizens, and have broad implications for how websites serving those citizens collect, share, and store user data.
Why should organizations in the US care about the GDPR?
Even if an organization is outside the EU, the GDPR may still be relevant if the organization has EU users. More broadly, the GDPR is serving as a template for numerous state-level regulations coming into law or being considered in the US. For example, California has passed similar legislation that comes into effect in 2020. Just as e-commerce providers must be concerned with tax laws in states in which they do not have a physical presence, but in which they have customers, organizations may have data protection and privacy liabilities relating to users from other states. The legal landscape is continuing to trend towards GDPR-style regulations, with more states considering such legislation. Numerous lawmakers are also pushing for federal-level regulations, and it is likely that such legislation will be passed if and when Democrats gain control of the Senate and Executive Branch.
While state and federal regulations are likely to differ somewhat from those of the GDPR, the GDPR can serve as a guide for enacting the kind of data protection and privacy policies that should satisfy most jurisdictions. The GDPR is comprehensive, so an organization that complies with the GDPR is likely to wind up in compliance with similar US-based regulations.
Does my organization need to worry about this right now?
If your organization isn’t currently affected by the GDPR, or similar regulations, it likely will be in the next one to two years. Getting ahead of this trend is important, as it provides your organization time to fully assess its current practices, and to make informed decisions about how to modify those practices. Also, implementing the technical, legal, and other organizational changes required to comply with GDPR-style regulations takes time, and it is therefore important to start as early as possible. Many European organizations were caught off-guard by the GDPR and struggled to get into compliance late into 2018, during which time they were exposed to significant legal risk.
What needs to be done for compliance?
Full compliance can be an involved process, depending on your organization’s location and operations. Generally, compliance includes legal, operational, and technical action items, including:
- Assessing how your organization, and its partners, collect, share, and store user, customer, and donor information
- Drafting new privacy, cookie, and other policies in “Plain English” and ensuring that your organization makes the necessary changes to comply with those policies
- Implementing technical changes to your website, apps, and third-party services, including removing unnecessary third-party widgets and services, adding cookie disclosures and opt-ins, and setting limits on the preservation of form data
- Working with essential third parties to understand and bring their data handling practices into compliance with your organization’s policies — for example, reconfiguring Google Analytics to remove personally identifiable information, such as IP addresses
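The last two items above, a cookie opt-in gate and a Google Analytics configuration that drops the visitor's IP address, as an added example that is not code from the original page or from CviaD. It assumes consent is recorded in a cookie named "cookie_consent" (a hypothetical name) with the value "granted" or "denied", and uses a placeholder measurement id.

```javascript
const CONSENT_COOKIE = 'cookie_consent';    // assumed cookie name, not from the page
const MEASUREMENT_ID = 'G-XXXXXXXXXX';      // placeholder property id
const GTAG_SRC = 'https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID;

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Only an explicit, affirmative opt-in counts: a missing cookie or "denied" keeps analytics off.
function analyticsAllowed(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted';
}

// gtag.js config: anonymize_ip has Google truncate the visitor's IP before storing it, and the
// two signal flags stop advertising/remarketing data collection through the same tag.
function analyticsConfig() {
  return { anonymize_ip: true, allow_google_signals: false, allow_ad_personalization_signals: false };
}

// Loads the gtag script and sends the config only when consent was granted. `win` is the
// browser window (passed in so the logic can be exercised outside a browser); returns the
// script URL that was inserted, or null when analytics stayed off.
function initAnalytics(win) {
  if (!analyticsAllowed(win.document.cookie)) return null;
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }   // same queue shape gtag.js consumes
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID, analyticsConfig());
  const script = win.document.createElement('script');
  script.async = true;
  script.src = GTAG_SRC;
  win.document.head.appendChild(script);
  return script.src;
}

// In a real page this runs on load; before consent exists, nothing is sent to Google.
if (typeof window !== 'undefined') initAnalytics(window);
```

The denied and missing-cookie paths leave `dataLayer` undefined and inject no script, so no request to Google is made until the visitor opts in.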
How can CviaD help?
CviaD doesn’t just build websites. We work with our clients to better understand and respond to the evolving, and often confusing, landscape of online business. GDPR-style regulations represent a sea change in how organizations interact with users, customers, and donors, with major new liabilities arising for organizations of every size. CviaD can help your organization get ahead of these changes, providing targeted insights, comprehensive technical assistance, and most importantly, peace of mind, so that you can quickly get back to business. Reach out today at firstname.lastname@example.org, and we will be happy to chat in more detail about how these GDPR-style regulations may affect your organization.
Breakdown of current state-level data protection and privacy regulations in the US: http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx