Short Version: I don’t yet have a service formulated to help with this. Read below if you want to learn my take on this emerging issue.
On May 25th the European Union implemented a law called the General Data Protection Regulation (GDPR), designed to reduce the rampant misuse of customer information and abuse of trust that large social media websites, search engines, media conglomerates, credit checking bureaus, and more have subjected all of us to over the years. Remember the famous hack that occurred because employees at Sony stored user names and passwords in an alarmingly insecure manner? When an industry fails to self-regulate ethically, government steps in. For better or worse, that’s where we are now.
Though it is a European Union-based law, it does have teeth worldwide and can be used to prosecute website owners anywhere in the world that store information on the citizens of any country in which the law was passed. It is far from clear how such prosecution would occur, but waiting to find out is not really a great strategy, because there is some evidence to suggest that US citizens want such laws for their own protection as well. Here is a great summary of the GDPR’s scope from Wikipedia:
The regulation applies if the data controller (an organisation that collects data from EU residents), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The regulation does not apply to the processing of data by a person for a “purely personal or household activity and thus with no connection to a professional or commercial activity.” (Recital 18)
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
I am not a lawyer, so this page cannot be construed as legal advice. It does seem for now that, aside from large companies with a global business footprint, the EU is unlikely to focus on other types of website owners for non-compliance (along with the intimidating fines). But if you have any kind of international presence at all, it couldn’t hurt to get familiar with your exposure to any potential litigation. At this point it might be as simple as posting a few disclaimers, and that’s it. I am just not sure. But my research so far leads me to believe it won’t be that simple.
The GDPR’s premise is that, as the owner of a website that collects personally identifiable information (for example, in web forms you might collect an e-mail address, or you have membership accounts), you are now responsible for providing to any EU citizen who requests it all the details about how their information has been used by your company, including whether you’ve shared their e-mail address with a third party like ConstantContact or Aweber, whether their IP address is showing up in your Google Analytics…the list goes on. You cannot, in most situations, charge to fulfill this request. For this reason, it’s a good idea to have a method in place to verify that the requester is who they claim to be. You are expected to have GDPR-compliant approaches in place that make it possible to distinguish genuine requesters from impostors, and to provide this information without undue strain on your organization.
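As an added example (not code from the original post, and not any plugin or service the author describes), here is one way to implement that requester-verification step before handing over a data export: the site e-mails a signed, time-limited, single-use challenge to the address it already holds for the subject, and releases the export only when that challenge comes back. The server secret, the record store and the record contents are assumed and constructed for the example; a WordPress site would implement the same logic in PHP.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side secret. In a real deployment it would be loaded from
# configuration and rotated; it is generated here only so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60          # challenge expires after 15 minutes
_consumed_nonces: set = set()        # nonces already used to release data (replay guard)

# Constructed sample of the per-subject records a site might hold, keyed by
# the e-mail address on file. Hypothetical data, not from the original post.
RECORDS = {
    "alice@example.com": {
        "account_created": "2017-03-02",
        "shared_with": ["newsletter-provider (example)"],
        "analytics_ip_retained": True,
    },
}


def _sign(email: str, nonce: str, issued_at: int) -> str:
    """HMAC over the address on file, a random nonce and the issue time."""
    msg = f"{email.lower()}|{nonce}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(email_on_file: str, now: Optional[int] = None) -> dict:
    """Create the challenge that is e-mailed to the address already on record.

    Only someone who controls that mailbox can send the token back, which is
    the identity check. Nothing about the subject's data is included."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)
    return {
        "email": email_on_file.lower(),
        "nonce": nonce,
        "issued_at": now,
        "token": _sign(email_on_file, nonce, now),
    }


def verify_challenge(submitted: dict, now: Optional[int] = None) -> bool:
    """Check signature, expiry and single use. Returns False on any defect."""
    now = int(time.time()) if now is None else now
    try:
        email = str(submitted["email"])
        nonce = str(submitted["nonce"])
        issued_at = int(submitted["issued_at"])
        token = str(submitted["token"])
    except (KeyError, TypeError, ValueError):
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    if nonce in _consumed_nonces:
        return False
    # Constant-time comparison so a forged token cannot be guessed byte by byte.
    return hmac.compare_digest(_sign(email, nonce, issued_at), token)


def fulfill_request(submitted: dict, now: Optional[int] = None) -> Optional[dict]:
    """Release the subject's record only after the challenge verifies.

    The nonce is consumed here so a captured challenge cannot be replayed."""
    if not verify_challenge(submitted, now):
        return None
    _consumed_nonces.add(submitted["nonce"])
    record = RECORDS.get(submitted["email"].lower())
    if record is None:
        return None
    return {"subject": submitted["email"].lower(), "data": dict(record)}


if __name__ == "__main__":
    challenge = issue_challenge("alice@example.com")
    # In practice the challenge is e-mailed; here it is fed straight back.
    print(fulfill_request(challenge))
    print(fulfill_request(challenge))   # second use is refused
```

The point of binding the token to the address already on file is that the site never trusts the address the requester types in; a request for someone else's data fails the signature check, and a stale or re-used challenge fails the expiry and nonce checks.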
As far as I can tell, the EU can in fact reach into the United States and impose itself if you are storing personal information on even a single EU citizen. Again, how that would happen and the actual chance of it happening are not clear.
For me the focus will be on helping WordPress sites achieve and maintain GDPR compliance once I understand it better. This will likely involve some plugins, and technical writing for the HR manuals your organization might need to guide content managers and technical staff, since either group can undermine GDPR compliance if they aren’t aware of the rules.
The websites I built under the now-defunct MJ Penner Consulting used best practices for security. A lot of what the GDPR is asking for I already view as the only ethical way to build websites from the beginning. This means my previous clients can prove that some of the things the GDPR requires are in place already. For instance, the GDPR requires a statement about what proactive measures were taken to keep user data safe. This is known as “Data protection by design and by default” (Article 25). My build approaches and SMASH Service help fulfill that requirement.
As a technical writer and WordPress integration expert, I am in a good position to create a solution that will help, especially if I already built your website. Over the next couple of weeks, I will be learning more and testing approaches until I find something I believe will protect both my agency clients and individual clients well into the future, when similar laws are likely to be embraced for US citizens.
It would be a good idea to have an attorney who is knowledgeable about this specific issue give you paid legal advice. I certainly will be doing so in order to understand what needs to be prioritized under the GDPR, covering not only my own website properties but also related systems like Google Analytics.