This article describes how GDPR impacts the build process and best practices for the websites Thomas builds for clients.
What is GDPR?
GDPR, or General Data Protection Regulation, is a set of regulations set by the European Union (EU) controlling the processing, collection, and management of personal data by businesses.
What is GDPR compliance?
GDPR compliance is a broad range of data protection practices companies must comply with in their everyday use of personal data. For clients with websites, this means managing the personal data submitted via website forms or collected through digital data collection tools such as Google Analytics. These practices include data consent, storage, access, deletion, and usage restrictions and requirements.
Does GDPR compliance differ by country?
Yes! GDPR is an EU standard, so it covers the countries that are currently members of the EU. The United Kingdom (UK) also has a similar data protection law, as do other countries. Some countries are considered “third countries” and covered by the same GDPR practices as the EU. For more information, please review the details by country here.
Why do US companies comply with GDPR?
Many US businesses comply with GDPR for several reasons:
- They do business within the EU. This is the most common reason to be compliant, as GDPR compliance covers businesses not physically located within the EU that do business in the EU or handle the personal data of EU individuals.
- They do business in a US state with strict data protection laws. In 2020, California enacted strict data protection laws with its Right to Privacy Act, which requires California businesses, and businesses outside of California that hold certain data of individuals in California, to follow practices similar to the EU’s GDPR.
- They want to be safe. Data privacy is a topic getting more attention and priority from consumers, and many businesses feel it’s better to be safe than sorry. Some also anticipate the US enacting similar legislation in the coming years and want to be proactive.
What happens if you are not GDPR compliant?
Businesses that are not GDPR compliant can face fines or penalties. Businesses can also face challenges from individuals who request their personal data to be sent to them and/or destroyed, which requires businesses to already have data management practices in place.
How are Thomas’ websites built for GDPR compliance?
We build and migrate websites to WordPress, which offers several built-in GDPR compliance features. Our marketing automation deliverables and programs are primarily executed through HubSpot CRM, which also provides options for GDPR compliance on forms and web pages.
For our clients who do business in Canada or the EU, we recommend that your website contain:
- A CMS with built-in GDPR compliance: Many CMS (content management system) tools include options to export or delete customer data, a core feature of GDPR compliance. WordPress is an example of this type of CMS.
- A cookie policy statement: This can be in the form of a banner or pop-up that contains basic information about how your business and its agencies collect visitor data. These have become common practice and are easy to install.
- Privacy Policy and Terms & Conditions pages: These pages include language that outlines how your business collects and uses personal data.
- A safe CRM: If you have a CRM, looking for one with built-in GDPR compliance tools can be a time-saver. HubSpot is a great option and is used by many of our clients for safe customer data management.
Please let your Thomas team know if the above information applies to you and if you wish for us to implement these best practices on your website.
What else do I need to know about GDPR compliance?
Building and developing your website for compliance is a healthy data privacy practice. Having a set of standards and practices for the management of personal data within your organization can help avoid issues down the road. Getting familiar with the basics of GDPR and assessing the various areas of your business that collect personal data can be a helpful starting place. You should also consult with your legal advisors about your compliance obligations regarding protecting the personal data that you collect.