It's been well over a year since 25 May 2018 when the General Data Protection Regulation (GDPR) went into full effect. I respect that people's data is theirs and not mine. Due to recent news about huge fines with British Airways and Marriott International, I performed a self-review of my own GDPR compliance and I made some changes. This post describes my efforts with my GDPR compliance.
What is GDPR?
The GDPR is a regulation on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. If you are unaware of GDPR and want to know more, here are a few good places to start:
Complete guide to GDPR compliance - An actively maintained library of straightforward and up-to-date information to help achieve GDPR compliance
GDPR compliance and small business - Published, March 28, 2019 - An easy to read and understand Microsoft article about GDPR requirements
Does GDPR Apply to Me?
There are two scenarios in which a non-EU organization or entity that operates a web site such as mine might have to comply with the GDPR:
When Offering Goods or Services
When Monitoring Behavior
I don't offer goods or services through my web site, but I do use Google Analytics to monitor and analyze anonymized web site traffic, which includes the user's country and locale, the type of access (direct or referral), the entry and exit page, time spent on each page, type of device (mobile, desktop, tablet), user's browser type (Chrome, Firefox, Safari), etc. I use this anonymized information to manage my web site development effort. I also have a contact form and "Members Area" registration and sign-in forms that request personally identifiable information (person's name and email) for web page personalization and to control access to some web site pages.
Someone in the EU might visit my website and may register on my site, so I am accountable for collecting and managing people's data as well as tracking their web site behavior.
I'm not too concerned about being in the crosshairs of European regulators because:
I'm documenting GDPR review and compliance (albeit not rigorously)
I'm not targeting people from the EU or EEA
My Review Process
I used the GDPR checklist to conduct my review. I didn't hire an expert and I didn't consult a lawyer. I did find I was non-compliant and made some changes that you can read about below.
I thought about restricting (geo-fencing) my web site, but I couldn't resolve how to work around the use of Virtual Private Networks (VPNs). As VPNs become more common, it will be difficult for most web site owners to determine a person's true location without the use of complicated and even more intrusive methods such as tracking pixels or web beacons. So I dropped that idea.
What I Changed
After my internal review, I made some changes:
Changed my cookie warning to be more GDPR compliant through the use of Cookiebot
Modified my Privacy Policy and Terms and Conditions pages to more clearly state what data I collect, why, and how to contact me to remove the data
Added a new Cookie Policy page that's automatically updated by Cookiebot
Modified the way I allow users to opt out of Google Analytics (this is in progress as I publish this article)
On my 'About' page, added links to the new Cookie Policy and a link to request user data
Added a Calendar reminder to perform an annual GDPR review
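As an added illustration of the analytics consent and opt-out changes listed above (this is example code, not the post author's site code and not Cookiebot's library), the snippet below only loads Google Analytics after the visitor has consented to the "statistics" category, and honours an opt-out by setting the window['ga-disable-<MEASUREMENT_ID>'] flag that Google documents for disabling tracking before the library runs. The measurement ID is a placeholder, and the cookie format "statistics:yes|marketing:no" is a constructed format for the example, not Cookiebot's real CookieConsent cookie.

```javascript
// Added example: consent-gated Google Analytics loading with an opt-out flag.
// Assumptions (not from the original post): placeholder measurement ID and a
// constructed consent cookie format "statistics:yes|marketing:no".

const GA_MEASUREMENT_ID = 'G-PLACEHOLDER'; // placeholder, not a real property id
const CONSENT_COOKIE = 'site_consent';      // constructed cookie name for this example

// Parse the constructed consent cookie value into a category -> boolean map.
// Anything missing or malformed is treated as "no consent" (deny by default).
function parseConsent(cookieValue) {
  const consent = { statistics: false, marketing: false };
  if (typeof cookieValue !== 'string' || cookieValue.length === 0) return consent;
  for (const part of cookieValue.split('|')) {
    const [category, answer] = part.split(':');
    if (Object.prototype.hasOwnProperty.call(consent, category)) {
      consent[category] = answer === 'yes';
    }
  }
  return consent;
}

// Read one cookie value out of a document.cookie-style string.
function readCookie(cookieHeader, name) {
  for (const pair of (cookieHeader || '').split(';')) {
    const [key, ...rest] = pair.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return '';
}

// Analytics may run only when the statistics category was explicitly consented to.
function analyticsAllowed(consent) {
  return consent.statistics === true;
}

// Apply the decision to a window-like object. Google documents that setting
// window['ga-disable-<MEASUREMENT_ID>'] = true before gtag.js loads disables
// tracking for that property; clearing it re-enables it for a later load.
function applyConsent(win, consent) {
  const disableKey = 'ga-disable-' + GA_MEASUREMENT_ID;
  if (analyticsAllowed(consent)) {
    delete win[disableKey];
    return 'load';
  }
  win[disableKey] = true;
  return 'blocked';
}

// Inject the gtag.js script tag only when consent allows it; returns what happened.
function loadAnalytics(win, doc, consent) {
  const decision = applyConsent(win, consent);
  if (decision !== 'load') return decision;
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_MEASUREMENT_ID;
  doc.head.appendChild(script);
  return 'load';
}

// Opt-out handler for an "opt out of analytics" link: records the refusal in the
// consent cookie and sets the disable flag so an already-loaded library stops sending hits.
function optOut(win, doc) {
  doc.cookie = CONSENT_COOKIE + '=statistics:no|marketing:no; path=/; max-age=31536000; SameSite=Lax';
  return applyConsent(win, parseConsent('statistics:no|marketing:no'));
}

// Browser entry point; skipped when run outside a browser (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  loadAnalytics(window, document, parseConsent(readCookie(document.cookie, CONSENT_COOKIE)));
}
```

The deny-by-default parsing is the point a reviewer would check: a missing, empty or malformed consent cookie must block the analytics script rather than load it, and the opt-out must take effect even if the library has already been loaded in the current page.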
What's up with GDPR?
I came across an infographic that is interesting, but to me it's not shocking:
I guess this means that I'm more compliant than some of the EU's government web sites? I'll let you be the judge on that one. Come back next year and see my 2020 GDPR update!
References
Complete guide to GDPR compliance - Actively maintained - A library of straightforward and up-to-date information to help achieve GDPR compliance
GDPR compliance and small business - Published March 28, 2019 - An easy to read and understand Microsoft article about GDPR requirements