Update on GDPR
2022 update: Read our new blog post for the latest information.
The regulation could have implications you haven’t considered. And with related regulation being passed in California, it’s wise to take another look at your potential exposure.
Article 3 of the GDPR suggests that a non-EU-based company is subject to the new law if it processes personal data of an individual residing in the EU. To assess your current practices, ask yourself these questions:
- Where do we offer goods and services within and outside the U.S.?
- What personal data do we collect and where does it come from?
- How do we collect it and where is it stored?
- Who needs to have access to that information?
- Who’s responsible for that information?
If the answers to these questions leave you feeling like you might, indeed, need to comply, contact your attorney to get an expert opinion.
It’s unlikely GDPR will apply to state and local governments, but if you do international marketing, you should take a closer look.
For instance, what if the City of Raleigh launched a marketing campaign to get people from Germany to visit? “Since the campaign is targeted at people in the EU, it likely would fall under GDPR. Which means the government organization or its marketing agency would need to be compliant,” Bailey says. Your take-away: Pay attention to who you’re targeting with your marketing, website, and campaigns, and to where those people are located.
Colleges and universities are more likely to fall under GDPR. If your institution has campuses, programs and partners in the EU; if it markets to EU students to study here; or if its students go abroad, you need to pay attention to the regulation.
It’s the same if your faculty and staff do research that uses data from EU residents.
“In these cases, if the institution isn’t complying, what’s at stake isn’t just the penalties, but also the risk of losing the partnership with an EU institution,” Bailey cautions. “It’s also tempting to think that if you comply with FERPA, you’re complying with GDPR, but that’s not necessarily true.” That’s because the US and the EU/UK look at privacy differently. “Here, there’s not a fundamental right to privacy, while in the UK and EU, you do have a fundamental right to privacy and to be forgotten.”
Medicine & Healthcare: GDPR vs. HIPAA
HIPAA is a US law ensuring the privacy and security of protected health information. “HIPAA applies to a defined group of ‘covered entities’ – generally health plans, health clearinghouses, and healthcare providers – and their ‘business associates’,” Bailey explains. “GDPR, on the other hand, has a much broader scope, both in terms of the type of data it applies to – generally, anything that is personally identifiable – and in terms of the entities within its reach – any entity that offers goods or services to citizens in the EU.”
Even if you don’t need to comply with GDPR, re-evaluating your data privacy and protection policies is a good idea. As more nations and states begin to enact their own versions of the regulation, a little advance work can make it easier to know if and how you need to comply.
Good News for WordPress Website Owners
WordPress has created a GDPR Compliance Team to develop and test data privacy tools for inclusion in the WordPress core. The team is focusing on creating a comprehensive core policy, plugin guidelines, privacy tools, and documentation.
In the meantime, want to know more about making your WordPress website GDPR compliant? We recommend these reader-friendly resources:
- Web Privacy and WordPress GDPR Compliance – The Definitive Guide (WPMUdev)
- How to Make Your WordPress Site GDPR Compliant (WPExplorer)
DISCLAIMER: This information is not intended as a substitute for professional legal consultation. It is provided “as is” without any representations or warranties, express or implied. Always consult an attorney when you have specific questions about any business matter of this kind.