Digital Scribe

Writing, Technology & The Technology of Writing

A Different Kind of Animal

How to stop worrying and learn to love the GDPR

Published / by Shannon Doyle

The first 911 email I received about the GDPR was from fellow writer Debbie Burke. I was aware of this new set of rules from the European Union, which take effect May 25th, before Debbie reached out, but I hadn’t really dug into it. Debbie was concerned that her website, where she markets her best-selling book, would need immediate changes to be GDPR compliant.

Debbie’s email to me came after she read this post by Randy Ingermanson from his excellent blog at advancedfictionwriting.com. Randy’s article is worth a read; he gives some excellent tips on how you can comply with the rules. I won’t say Randy is wrong, but I think he – like so many others who have written on the topic – overstates the reach of the GDPR.

Gargling with Scope

Reading the full text of the GDPR is an exercise I can only recommend for policy geeks like myself or as relief from insomnia. That said, there are some parts that bear out what Randy and others are saying. Consider, for example, this from Article Three, titled Territorial Scope (emphasis is mine):

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

That paragraph and the one that follows it do say that the entity processing the data does not have to be in the European Union. How can that be? How can the European Parliament pass a law that affects companies that are completely outside its borders? Furthermore, how can this be enforced?

I’ll leave those questions for the pundits, politicians and international law wonks. I have no doubt that highfalutin attorneys have already rolled up the sleeves of their Brioni shirts and gotten down to the business of sussing out cracks and crevices which can be used to challenge these rules for corporate clients. Consider, though, that any company can say hell no to these rules; all they have to do is never process certain kinds of data from anyone who is physically in the EU at the time of the transaction.

A different animal.

The GDPR is a regulation that says, in effect, that if you want people in the EU to do business with your company, you will need to follow the GDPR rules on how you handle the data they provide. The issue, then, is how you know they are located in the EU. Without getting technical, let’s assume it is possible to be fairly sure a user of your website is somewhere physically in the EU, but is fairly sure good enough? The GDPR provides stiff fines for violations (again, we’ll leave the enforcement of those fines for the lawyers). Knowing that, what you really need to do is refuse to let those in the EU do business with you, or even to interact with your web site at all. You need to put up some digital equivalent of a No Irish Need Apply sign, and you need a way to enforce it.

If it seems like it might be easier to make your web site compliant with the GDPR than to put a bouncer in place and hope no undesirables flash a bit of leg to get past, that’s because it is. The good news is that compliance may not be that big of a lift. The better news is that you may not have to worry about it.

A better mousetrap

To be fair to the Europeans, if all companies followed the provisions of these rules the internet would be a better place for everyone, not only for those in the EU. It boils down to an endearing philosophy: keep customer data secure, inform users of any breaches, and make the communications you use in marketing as clear as you can.

Briefly, here are the provisions of the GDPR that might affect you.

  1. No Spam – This broadens the definition of what spam is to include companies you do business with.
  2. Contact Form Changes – If you have a contact form (who doesn’t), or any other form which asks the user to enter personal data, the form must now include a box which the user will need to check stating that they agree to the terms of your site. Another box must also be provided which the user must check if they agree to further communications. If you will be contacting them in multiple ways, such as via email and text, there must be a box for each. All of these check boxes must be unchecked by default.
  3. Privacy Policy – You need to have a published policy specifying how you will use the data you collect. This has always been a good idea; now it is required.
  4. Right to be Forgotten – Your website must have a method for EU users to request that you delete data. The privacy policy is a good place to spell this procedure out.
  5. Data Handling – All data for customers in the EU must be stored on servers in the EU and must be stored in an encrypted environment. This provision might be the most difficult for many website owners because it could involve switching web hosts.

Easy-Peasy

My website is built using WordPress; in fact all my websites are, and so is Debbie’s. Yours might be as well. If it is, the news gets even better. WordPress made some changes to its software which help you deal with the data retention rules. WordPress plugins, which make the software do things it doesn’t normally do, such as web forms, have jumped on the GDPR hay wagon too. If you are not on WordPress, there is no reason to panic. Many websites are on one of the many platforms that have done similar things to help you have a compliant web site.

There are web services such as this one which help you craft a privacy policy, as well as several good guides to help you get going, including this one from techradar. If making these changes seems to be beyond your skill set, you may need to get help from whoever designed your site. I am available for this kind of work. Click the contact link here to get in touch.

Not For Everyone

I mentioned a few hundred words ago (seems like only yesterday) that I thought Randy overstated who is subject to these rules. I make this claim based on my thorough reading of the GDPR and other sources such as this piece in Forbes and this article at newsmediaalliance.com.

The title of the Forbes article suggests that you will need to get busy, but a few paragraphs in it says that a company would only be subject to compliance requirements if it targets users in the EU. A user simply browsing to your site because you came up in Google does not put you in danger of a fine, according to Yaki Faitelson, who wrote that article.

The other article I linked gets into a bit more detail as to why you may not be subject to the law. At first, it seems to back up that compliance is required:

“It is intended to cover any company, anywhere in the world, that either (1) offers “goods or services” to EU users or (2) “monitors the behavior” of EU data subjects.”

The paragraphs which follow this one draw the conclusion that you don’t need to worry unless you:

  1. Target people in EU member states. Recital 23 of the GDPR says that “mere accessibility” of a digital service from Europe is “insufficient” to confer EU jurisdiction over that service.
    OR
  2. Extensively track people in the EU. Again, casual use of your site and the placement of a cookie on the user’s machine is not enough.

Getting compliant with the rules of the GDPR is not that difficult, and it’s a good idea, but it may not be something you need to worry about. That said, under no circumstance should you mistake anything I say for legal advice.


By day Shannon is a mild-mannered IT technician and business owner who’s been shepherding bytes for three decades. When Shannon isn’t at someone’s computer he’s probably taking pictures, working on his novel, writing his blogs, walking in the woods with his dog Cooper, cooking or tinkering with something. He teaches social media, blogging and technology classes at the local college. Oh, and he’s the world’s oldest beginning drummer.