2018 年,欧盟(European Union)实施了一系列数据保护改革,称为通用数据保护条例(General Data Protection Regulation)( GDPR )。从本质上讲,GDPR用一套适用于每个欧盟国家(EU state)的规则取代了所有不同的数据保护法。许多企业不得不改变他们的政策以符合GDPR(GDPR compliant),然而,尽管有过渡期(transition period),但对新规则仍有很多困惑。
那么什么是GDPR以及如何使您的业务合规(business compliant)?
在本文中,您将了解如何在不阅读枯燥的欧盟数据保护指令的情况下(EU data protection directive)遵守 GDPR(GDPR compliant)。我们将帮助您了解GDPR是什么,并告诉您需要采取哪些步骤才能使您的网站符合 GDPR(GDPR compliant)。
什么是 GDPR?
GDPR是欧盟的一项数据(European Union)保护指令(data protection directive),旨在保护欧盟公民的在线隐私(the online privacy)。它规定了个人数据的使用方式以及网站可以收集的关于您的数据类型。尽管是欧盟法规(EU regulation),但 GDPR(GDPR)适用于欧盟用户访问的所有网站。因此,网站和企业必须符合 GDPR 或阻止欧盟流量(GDPR compliant or block EU traffic)。
考虑到这一点,以下是GDPR(GDPR)可能影响您的业务的关键方面:
- 您的网站必须清楚地告知访问者他们的个人数据正在被收集。
- 您还需要披露收集和存储他们的数据的方式和原因。
- 如果用户要求您删除(delete personal data)您收集的个人数据,大多数情况下您必须遵守该要求。
- 用户还可以请求您存储的所有个人信息的副本。
- 如果您的业务的主要活动之一是收集和存储个人数据,您需要聘请数据保护官(data protection officer)。
- 如果您的网站遭到入侵并且您的用户的个人信息泄露,您有 72 小时的时间报告违规行为。
- 违反GDPR规定(GDPR regulation)可能会导致高达 2000 万欧元(fines of up to €20 million)(约 2400 万美元)或贵公司年营业额 4% 的罚款。
GDPR的主要目的是保护人们及其个人信息免受数据泄露(data breaches)。现在的问题是,哪些类型的数据属于GDPR 范围内(GDPR)?
GDPR 监管的数据类型(Types of Data Regulated by GDPR)
无论您是从头开始构建网站还是使用WordPress 主题(WordPress theme),您的网站都会收集不同类型的数据。网站以不同的方式收集信息,包括通过分析、WordPress表格、订阅表格、联系表格和电子邮件营销活动。
简而言之,所有个人数据都属于GDPR,但我们可以将其分为以下类型:
- 遗传和健康信息。
- 生物特征数据。
- 政治和/或宗教观点。
- 种族、民族和性别。
- 网络数据,例如您的IP 地址(IP address)和 cookie 数据
只要您的企业存储上述欧盟公民的任何数据,您的网站就需要符合 GDPR(GDPR compliant)。请记住,即使您不在欧盟境内,这也适用。
符合 GDPR 要求的步骤
当您了解您作为网站所有者(website owner)的责任时,您可能会感到不知所措,并决定更容易阻止所有传入的欧盟流量(EU traffic)。不要让(t let)GDPR(Don)气馁(GDPR discourage)。以下是符合 GDPR 要求(GDPR compliant)的主要步骤。
1. 改进您的隐私政策(1. Improve Your Privacy Policy)
在收集、存储和共享数据时保持透明。您的网站应包含详细的隐私政策(privacy policy),清楚地解释数据收集做法、数据保护、cookie 的使用和数据共享。一个好的隐私政策(privacy policy)至少应该包括以下几点:
- 您不会出售用户的私人数据。
- 除非法律规定您有义务,否则您不会共享(t share)私人数据。
- 您收集的数据类型。
- 您收集数据的原因以及您如何使用这些数据。
- 您如何保护用户数据。
- 您的插件如何收集和使用数据。
使用不留任何解释空间的简单语言尽可能清晰,您将拥有清晰透明的隐私政策(privacy policy)。
2. 创建 Cookie 收集通知(2. Create a Cookie Collection Notice)
根据GDPR,cookie 算作个人数据,因此您需要在使用 cookie 数据之前征得用户的同意。在您的网站上放置(Place)明确的cookie 收集通知(cookie collection notice),并确保您允许用户访问您的网站,即使他们不同意。您的用户还应该有一种简单的方法可以随时撤回他们的同意。
3. 在所有网站表格上显示通知(3. Display Notices On All Website Forms)
通过各种类型的提交表单收集一些用户数据是标准做法。(standard practice)如果您想继续收集电子邮件地址和其他详细信息,请发布数据收集通知(data collection notice)。在此之前且未经用户确认,请勿收集任何数据。否则,您的企业可能会因违反(Otherwise)GDPR而受到巨额罚款。
措辞尽可能清晰,并提供有关收集数据的所有重要细节。您还应该避免使用预先选中的复选框。用户需要了解数据收集(data collection)是可选的,并且需要他们的同意。
4. 确保所有插件都符合 GDPR(4. Make Sure All Plugins Are GDPR Compliant)
如果您使用收集数据的第三方插件,例如Google Analytics,您需要将数据设为匿名。手动执行此操作可能具有挑战性,但您可以找到符合 GDPR 的插件来为您处理此过程。只需搜索(Just search)具有GDPR 合规性(GDPR compliance)设置的工具即可。
5.使用双重选择(5. Use the Double Opt-in)
GDPR 并不(GDPR doesn)强制要求双重选择加入,但强烈建议使用它们。双重选择加入意味着您要求用户两次确认他们同意收集数据。这对于电子邮件列表订阅尤为重要。
要添加双重选择加入,您需要首先通过网站的订阅表格(subscription form)请求同意(request consent)。然后用户应该通过单击他们通过电子邮件收到的链接再次同意。
使用双重选择表明您致力于数据保护和隐私(protection and privacy),它还为当局提供了进一步证明您的网站符合 GDPR 的证据。
6.添加退订链接(6. Add Unsubscribe Links)
在您发送给订阅者的每一次通信中都包含(Include)易于阅读的取消订阅链接。从您的邮件列表中退订应该是一个简单且即时的过程(process and instant)。
7. 根据要求删除个人数据(7. Delete Personal Data on Request)
GDPR赋予用户被遗忘的权利。这意味着他们可以随时要求删除他们的数据。总是按要求做。这包括从邮件列表中删除您的用户、删除他们的帐户以及擦除您拥有的有关他们的任何个人信息。甚至博客帖子和论坛评论也算作个人数据,如果有要求,也应将其删除。
8. 不要购买邮件列表(8. Don’t Buy Mailing Lists)
不建议购买邮件列表,因为您可能违反了GDPR。在大多数情况下,您无法确定这些电子邮件地址是否是在用户同意的情况下收集的。
也就是说,如果您仍然决定购买邮件列表,请确保在您发送的每封电子邮件中至少包含取消订阅链接。
符合 GDPR 是值得的
按照上述所有步骤向欧盟公民开放您的网站和业务。(website and business)一开始,遵守 GDPR(GDPR compliant)可能听起来很有挑战性,但并不难。它主要涉及在收集数据和征求同意方面保持透明。作为奖励,非欧盟用户会看到您的企业关心隐私和数据保护(privacy and data protection),他们将更有可能信任您。
8 Steps To Be GDPR Compliant With Your Website
In 2018, the European Union іmplemented a series of data protection reforms known as the General Data Protection Regυlation (GDPR). In essence, GDPR replaced all the different data protection laws wіth a single set of ruleѕ that applies to every EU state. Manу businesses had to change their policies to be GDPR comрliаnt, however, deѕpite the transition period, there’s still a lot of confusion regarding the new rules.
So what is GDPR and how can you make your business compliant?
In this article, you’ll learn how to be GDPR compliant without having to read the dry EU data protection directive. We’ll help you understand what GDPR is and tell you what steps you need to take to make your site GDPR compliant.
What Is GDPR?
GDPR is a data protection directive in the European Union designed to protect the online privacy of EU citizens. It regulates the way personal data is used and what type of data websites can collect about you. Despite being an EU regulation, GDPR applies to all websites accessed by users from the EU. As a result, websites and businesses have to be GDPR compliant or block EU traffic.
With that in mind, here are the key aspects of GDPR that might affect your business:
- Your site has to clearly inform the visitors that their personal data is being collected.
- You also need to disclose how and why their data is collected and stored.
- If users ask you to delete personal data you collected, you must comply with the request in most cases.
- Users can also request a copy of all the personal information you store.
- If one of your business’s main activities is to gather and store personal data, you need to hire a data protection officer.
- If your website is breached and the personal information of your users leaks out, you have 72 hours to report the breach.
- Breaking the GDPR regulation can lead to fines of up to €20 million (~$24 million) or 4% of your company’s annual turnover.
The main purpose of GDPR is to protect people and their personal information from data breaches. Now the question is, what types of data fall under GDPR?
Types of Data Regulated by GDPR
Whether you built your website from scratch or used a WordPress theme, your site gathers different types of data. Websites collect information in different ways, including through analytics, WordPress forms, subscription forms, contact forms, and email marketing campaigns.
In short, all personal data falls under GDPR, but we can break it down into the following types:
- Genetic and health information.
- Biometric data.
- Political and/or religious views.
- Race, ethnicity, and gender.
- Web data such as your IP address and cookie data
As long as your business stores any of the aforementioned data of EU citizens, your site needs to be GDPR compliant. Remember that this applies even if you don’t have a presence within the European Union’s borders.
Steps Required To be GDPR Compliant
When you read about your responsibilities as a website owner you might feel overwhelmed and decide it’s easier to block all incoming EU traffic. Don’t let GDPR discourage you. Below are the main steps you need to take to be GDPR compliant.
1. Improve Your Privacy Policy
Be transparent with collecting, storing, and sharing data. Your website should contain a detailed privacy policy that clearly explains data collection practices, data protection, the usage of cookies, and data sharing. A good privacy policy should at least include the following points:
- You don’t sell your users’ private data.
- You don’t share private data unless the law obligates you.
- The types of data you collect.
- The reasons why you collect data and how you use it.
- How you protect user data.
- How your plugins collect and use data.
Be as clear as possible by using simple language that doesn’t leave any room for interpretation and you’ll have a clear-cut transparent privacy policy.
2. Create a Cookie Collection Notice
According to the GDPR, cookies count as personal data, so you need to ask your users for consent before using cookie data. Place an explicit cookie collection notice on your website and make sure you allow users access to your website even if they don’t give consent. Your users should also have an easy way of withdrawing their consent at any time.
3. Display Notices On All Website Forms
It’s standard practice to collect some user data through various types of submission forms. If you want to continue collecting email addresses and other details, post a data collection notice. Don’t gather any data before that point and without the user’s acknowledgment. Otherwise, your business could receive a hefty fine for breaking GDPR.
Be as clear as possible with your wording and offer all the important details about collecting data. You should also avoid using pre-checked tick boxes. The user needs to understand that data collection is optional and that it requires their consent.
4. Make Sure All Plugins Are GDPR Compliant
If you’re using third-party plugins that collect data, like Google Analytics, you need to make the data anonymous. This can be challenging to do manually, but you can find GDPR-compliant plugins that handle this process for you. Just search for a tool with GDPR compliance settings.
5. Use the Double Opt-in
GDPR doesn’t make double opt-ins obligatory, but it’s highly recommended to use them. A double opt-in means you’re asking the user twice to acknowledge that they’re giving consent for data collection. This is particularly important for email list subscriptions.
To add a double opt-in, you need to first request consent through the website’s subscription form. Then the user should consent a second time by clicking a link they receive through email.
Using the double opt-in shows that you’re dedicated to data protection and privacy, and it also gives the authorities further proof that your site is GDPR-compliant.
6. Add Unsubscribe Links
Include easy-to-read unsubscribe links with every communication you send to your subscribers. Unsubscribing from your mailing list should be an easy process and instant.
7. Delete Personal Data on Request
GDPR gives users the right to be forgotten. This means they can request at all times for their data to be deleted. Always do as requested. This includes removing your users from mailing lists, deleting their accounts, and wiping any personal information you have about them. Even blog posts and forum comments count as personal data and should be removed if requested.
8. Don’t Buy Mailing Lists
Buying mailing lists isn’t recommended because you might be in violation of GDPR. In most cases, you can’t be sure whether those email addresses were collected with the users’ consent.
That said if you’re still determined to buy a mailing list, make sure you at least include unsubscribe links with every email you send.
Being GDPR Compliant Is Worth It
Open your website and business to EU citizens by following all the steps above. Being GDPR compliant might sound challenging at first, but it’s not that hard. It mostly involves being transparent about collecting data and asking for consent. As a bonus, non-EU users will see that your business cares about privacy and data protection and they’ll be more likely to trust you.