The EU, back in 2018, introduced a new level of consumer protection and transparency for its internet users.
The new rules came into effect on 25 May 2018 and stipulate that if a company records any data of EU citizens on its website, it must comply with the regulation’s three pillars of concern:
Transparency
Companies must establish policies and procedures to protect personal information in the event of a data breach, and must inform all suspected victims if a breach was successful.
Consent and Control
All EU residents are guaranteed the right to control their data, and entities must be able to prove that consent was given before using it in any way.
Right to be Forgotten
EU residents can withdraw their consent for a company to use their data.
The consequences for transgression can be severe, and before you say, well, I’m not in the EU so my website doesn’t count, I’m afraid you’re wrong. The EU has set its stall out to protect its citizens and its reach is far and wide. If you hold data of an EU citizen, regardless of where your server is located, you must comply with the GDPR regulations. A current list of GDPR cases in process can be found here: https://www.enforcementtracker.com/
Well, to be sure, the best method is to employ a lawyer to check over your site and ensure that you meet all the requirements, but in reality, most of the sites I come across rely on off-the-shelf plugins to satisfy the regulations. How well these will hold up in court is questionable, but I believe the ferocity of the EU’s stance on this is also sure to be measured. While the fines are punitive, they do give you a warning beforehand to get your shop in order.
But it’s best to at least go in with an adequate level of adherence. Here are some things you want to check:
Default opt-in on submission forms. If you ask for permission to store data or send information, the default must not be set to yes.
It also must be easy for users to change their subscription settings. Where once upon a time you had to write a letter to change anything, opting out must now be as easy as it was to opt in.
Updated Terms and Conditions must include a GDPR statement. See the ICO example for more information.
Customers also have the right to be forgotten, so you must make obvious a route whereby they can request from you the data you hold on them, and a method for them to either change that data or have it removed.
If you collect data for payment processing, you must remove this data from your site within a reasonable amount of time. You cannot mine this data indefinitely.
If you have any third-party apps that record data, their use and intention must be stated in the Ts&Cs, and there must be a notification that you are using such a service. The obvious example here would be the use of cookies.
GDPR has far greater reach than listed above, and this shouldn’t be taken as an exhaustive to-do list. The only real way of ensuring GDPR compliance is to speak to a lawyer and have them audit your practices, both digitally and physically, if you handle customer data from the EU.
But the sole intent of the GDPR regulation was to have companies think more about how they handle and store users’ information. There is no black-and-white, cookie-cutter solution to implementing GDPR; it should be audited and acted upon in a considered way. Think of GDPR as a principle.