There has been a lot of talk about GDPR, or the General Data Protection Regulation, recently. Businesses outside of Europe are scrambling a little because many assumed GDPR didn’t apply to them, or that they had plenty of time to become compliant. The EU didn’t spring GDPR on us though. It was adopted in April 2016, and will be enforceable on May 25th, 2018 so businesses had over two years to become compliant.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation that protects the privacy of all individuals within the European Union. It’s goal is to give control to individuals over their own personal data.
This regulation increases the obligations that organizations who collect or process personal data have.
If you are interested in reading the full text of the GDPR, it can be found here.
Does GDPR apply to me?
GDPR applies to all businesses that collect or store data on European citizens. Even if you have no physical presence in Europe, you must abide by GDPR regulations if you collect or process data on European citizens. Regardless of how many employees you have, or how much money your company makes, if you collect, store, or process data on European citizens, GDPR applies to you.
If your business does not do business with European citizens, for example if you service clients local to you (outside of Europe), you probably won’t have to worry about GDPR too much. However, your area may have rules on data privacy that might be satisfied by becoming GDPR compliant. Learn about the requirements now so that you can adjust your business processes down the road if it becomes necessary.
Ultimately, the you or your attorney needs to make the determination as to whether or not GDPR applies to your business. Just know that if you are supposed to be compliant, there can be significant financial penalties for non-compliance. More on penalties is listed below.
What constitutes personal data?
Personal data includes any information that that can directly or indirectly identify a person. This can be anything from a name, photo, email address, account numbers, or even computer IP addresses among other things. Most everything in your CRM about an individual is personal data.
What do I need to do?
There are a lot of factors that your business may need to consider. While we won’t cover all of them in this post, the main concepts fall into the four categories described below.
The way you collect data from individuals in Europe is going to change. Before you collect any data, you need to obtain consent from the individual. You need to receive this consent in an “opt-in” rather than an “opt-out” manner.
For example, if you have a contact form that asks for someone’s name, email, and phone number, you will also need a way for the user to give consent to your use of the information. A simple way of receiving consent is to add a checkbox that states something like “I consent to the collection and storage of my information”. Making the checkbox a required field will make it so that submitting the form is impossible without consent to the collection and storage of their data. The user must also physically check the box. It can’t have a pre-filled check in the box when the form loads.
Data Access and Portability
Another part of the GDPR is that individuals should be able to request access to their data at any time. This means that an individual should be able to view all of the personal data that you have on them. They also should be able to request changes to their data.
The GDPR also goes further to say that individuals should have the ability to download their data and take it with them. This may mean that they can take the data to another provider, or simply download it to have for their own records.
The Right to be Forgotten
The GDPR provides individuals with what’s called the “right to be forgotten”. An individual should be able to have all of their personal data completely deleted from your system. This seems like a rather strict requirement, but it makes sense for businesses and individuals. If they no longer want to do business with your company and you continue to market to them, it will put a bad taste in their mouth about your business.
What is WP-CRM System doing to ensure compliance?
First, it is important to understand that GDPR compliance is not achievable with lines of code alone. Rather it is going to require changes in how you do business in order to remain compliant.
WP-CRM System is working on changes to our plugin that will assist our users to become compliant in the way they use data. Use of the plugin itself won’t automatically make you compliant if your business practices are not compliant with GDPR.
Contacts Access to Data
We are working on a method that will allow your contacts to view their data without the need to create an account on your site. It will create a unique link for each contact. Upon request, you can share that link with the contact in order for them to view their data.
Contacts Can Export Data
On the same page that enables contacts to view their data, there will also be a way for them to export it to a CSV file. This ensures that contacts will be able to take their data with them, and comply with the data portability requirement.
Contacts Can be Forgotten
Contacts will have the ability to request that you delete their data. When the contact requests deletion, your site’s administrator will receive an email notifying them of this request. Their record in your CRM will also have a “Marked for Deletion” post status for easy filtering.
One of your CRM users will have to manually delete the contact’s record from WP-CRM System. We do this so that you can remove the contact’s data from all systems that your company uses. This includes third party services like your mailing list. To the customer, they likely don’t care that the data they are looking at is from your CRM. They just know that they want it deleted no matter where it is being used.
When plugins have a way to output necessary text into WordPress, we will be adding that feature as well. This is on the WordPress roadmap, and you can follow it’s progress here.
When will these changes take place?
The regulations under GDPR will become enforceable on May 25th, 2018. WP-CRM System is aiming to have the new GDPR compliance features incorporated by mid-April 2018. This should give all users sufficient time to update the plugin, and add the required shortcode to their site.
What are the penalties for non-compliance?
Penalties will vary based on individual situations. According to the GDPREU.org website, fines can be up to €20 million , or 4% of the worldwide annual revenue of a company’s prior financial year, whichever is greater. Fortunately, those fines are meant as a last resort. The authorities have the option to issue warnings to companies before they fine them. It doesn’t mean that you should wait to become compliant until you receive a warning though. The authorities could still impose fines for first time offenses.
Is WP-CRM System certified to process data?
WP-CRM System does not collect or handle any of your contact’s data off of your site. The WP-CRM System plugin acts as a tool, which allows you to collect, store, and process data. As such, WP-CRM System does not hold Privacy Shield or other similar certifications. It is up to your business to determine whether or not a certification is necessary for you to collect, store, or process personal data.
If the data you collect leaves your site, which is the case if you use our Zapier or other third party add-ons, you would need to understand what those third parties are doing to be compliant with GDPR as well. You will also need to make the data that is on those third party systems available to your contacts to view, request changes to, and delete.
Where can I learn more about GDPR?
Here are a few resources on GDPR that can help you understand what your business needs to do to become compliant.
Other WordPress plugins that can help with GDPR compliance: