
GDPR Compliance

DISCLAIMER: This information has been provided as a guide only and does not constitute legal advice. Monterey Bay Design will bear no responsibility for errors or misinformation.

Over the last year or so, you’ve received many emails about data protection, your privacy and the new-ish regulation in Europe called the GDPR or General Data Protection Regulation.

You may wonder what the GDPR is, or, if you already know, you may be unclear about how it affects a small United States-based business. There is a lot of information out there; hopefully this page boils it down to the most important details.

What is the GDPR?
The GDPR is the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), which has applied since 25 May 2018. It was introduced to give individuals in the EU and the wider EEA (European Economic Area: the EU plus Iceland, Liechtenstein and Norway) control over their Personal Data. It protects people who are physically in the EEA, whatever their citizenship, and it applies to organizations outside Europe that offer goods or services to those people or monitor their behaviour. (The US has data protection laws too, mostly sector-specific and state-level, but the GDPR is much more rigid, both in what compliance requires and in its penalties.)

What Is Personal Data?
Personal Data has a broad scope and includes any information that can be used to directly or indirectly identify someone: basic contact information such as name, address, phone number, email address and IP address, photos, and also details such as income or purchase history. A subset called “special category” data (for example ethnicity, health, religion, biometric data and sexual orientation) carries stricter rules. Personal Data is covered whether it lives in your website’s database, in an email inbox, or in a filing cabinet in your office.

I’m in the United States– under what conditions does this affect me?

  • If you market to or sell online to the EU directly
  • If you allow commenting on your website/blog (and the commenter is in the EU)
  • If you have online forms that can potentially be filled out by someone in the EU – even if that is not your intention
  • If you have visitors from the EU on your site and
    • you track them with Google Analytics (or similar); analytics tools typically set cookies and record the visitor’s IP address, which counts as Personal Data
    • your website uses cookies
      • most websites use cookies in some form, e.g. for logins, shopping carts, embedded videos or social sharing buttons

I’m a small, US-based business or individual – do I really have to comply?
~ Even if you only target your local US market, unless you have a very basic, static website, you are technically affected by the requirements of the GDPR. ~

If any of the above applies to you, yes. Irrespective of the requirements of the GDPR, solid privacy and data protection should be standard operating procedure, wherever your site visitors are from.

You can block visitors in Europe from accessing your site, which removes the much stricter GDPR compliance requirement for new visitors. Many US businesses chose this route (at least as a stopgap), but it is not really advisable long term, or for anyone other than a very large organization with complicated privacy issues to overcome. Geo-blocking is also imperfect: it relies on IP address lookups, which VPNs and proxies defeat, and it does nothing about EU Personal Data you have already collected or that arrives through email or forms anyway.

Officially, compliance is not optional, nor is the degree to which you are compliant. Fines (according to GDPR Article 83) “…shall in each individual case be effective, proportionate and dissuasive.” The same article lists the factors regulators must weigh: the nature, gravity and duration of the infringement, how many people were affected, whether it was intentional or negligent, and what you did to limit the damage. In practice, enforcement will therefore be based on your footprint as an organization, the degree to which you collect and process data from Europe, and the severity of the infraction.

Though not stated officially, a small or micro-organization or individual with only incidental contact with EU users will likely not be singled out and penalized or fined for non-compliance.

However, fines are potentially steep: the regulation sets maximums of €10 million or 2% of annual worldwide turnover for lesser breaches, and €20 million or 4% for the most serious ones, whichever is higher. Your decision to comply either wholly or in part should be based on your own assessment of your business (with the help of lawyers and GDPR professionals, if you choose) and its relationship to personal data collection and the EU.

How Monterey Bay Design Can Help

Monterey Bay Design provides a default GDPR service on all new website builds in WordPress. It can also be done post-build. Any other platform will need to be evaluated first.

  • GDPR Compliance
    • Basic compliance setup: from $150
      • Includes a privacy page, a valid cookie consent banner (visitors must be able to refuse non-essential cookies before they are set), and consent checkboxes on form submissions
    • Additional costs depend on the complexity of the site
      • e.g. sites with mailing lists, ecommerce, membership, etc.
      • Larger sites may require a monthly fee of $10 – $40 for a cookie consent service

Implementing anything beyond the website is up to the client. For example, hard-copy paper trails, in-office security and policies, and document creation (other than a generalized privacy policy) are the client’s responsibility. A dedicated resource and/or a lawyer familiar with the GDPR should be engaged for any additional questions.


Additional Information:

https://www.iubenda.com/en/help/5428-gdpr-guide
https://www.iubenda.com/en/help/5720-legal-requirements-overview
http://www.wpbeginner.com/beginners-guide/the-ultimate-guide-to-wordpress-and-gdpr-compliance-everything-you-need-to-know/
https://www.techrepublic.com/article/the-eu-general-data-protection-regulation-gdpr-the-smart-persons-guide/
https://www.compliancejunction.com/gdpr-for-small-business/
https://ico.org.uk/media/for-organisations/documents/2258293/eight-practical-steps-for-micro-business-owners.pdf
