How to get your Website or App ready for GDPR and other Privacy Standards

April 30, 2019

Recently, I have been discussing data privacy with more people and I also recently spoke and blogged about data privacy concerns related to Facebook in April on Voice of America.

On May 25th, 2018, the EU will be enforcing the General Data Protection Regulation (GDPR) data privacy standard. To learn more about this important new data privacy standard, check out the EU GDPR Information Portal and the Wikipedia article General Data Protection Regulation.

Andreessen Horowitz, a prominent Silicon Valley venture capital firm also known as a16z, had a recent podcast covering the basics of GDPR and a good post on how startup companies can gain an early advantage from GDPR.

As cited from their podcast with Lisa Hawke (@ldhawke) and Steven Sinofsky (@stevesi):

Given concern around data breaches, the EU Parliament finally passed GDPR (General Data Protection Regulation) after four years of preparation and debate; it goes into enforcement on May 25, 2018. Though it originated in Europe, GDPR is a form of long-arm jurisdiction that affects many U.S. companies — including most software startups, because data collection and user privacy touch so much of what they do. With EU regulators focusing most on transparency, GDPR affects everything from user interface design to engineering to legal contracts and more.

That’s why it’s really about “privacy by design”, argues former environmental scientist and lawyer Lisa Hawke, who spent most of her career in regulatory compliance in the oil industry and is now Vice President of Security and Compliance at a16z portfolio company Everlaw (she also serves as Vice Chair for Women in Security and Privacy). And it’s also why, observes a16z board partner Steven Sinofsky, everyone — from founders to product managers to engineers and others — should think about privacy and data regulations (like GDPR, HIPAA, etc.) as a culture… not just as “compliance”.

The two break down the basics all about GDPR in this episode of the a16z Podcast — the why, the what, the how, the who — including the easy things startups can immediately do, and on their own. In fact, GDPR may give startups an edge over bigger companies and open up opportunities, argue Hawke and Sinofsky; even with fewer resources, startups have more organizational flexibility, if they’re willing to put in the work.

Europe GDPR Data

There are many factors involved in getting your site or app compliant with this standard and other important regulations, and doing so helps you avoid hefty fines and damage to your reputation.

If you’re running a WordPress website, whether on a managed WordPress host or on your own servers, you’re in luck and can save a significant amount of time by using the following two plugins.

Auto Terms of Service and Privacy Policy — WordPress Plugins

This plugin is based on work by Automattic, the creators of WordPress, and on their own privacy policies and terms of service agreements, which can be tailored to your site.

GDPR — WordPress Plugins

If you’re looking for a much more granular privacy policy generator for non-WordPress sites, I also recommend:

Privacy & Cookie Policy Generator – for Websites and Apps | iubenda

The following blog post from Kinsta provides a great summary of GDPR and some guidance for WordPress site owners.

Why you should care about GDPR and other privacy standards even if you’re just a blog

If you are using cookies, ads or analytics, or tracking or collecting people’s data, you should probably care, because doing so builds trust with consumers and visitors. To earn that trust you not only have to have and publish your policies, but also ensure you are taking steps to protect that data and to give people control over it. At the very least, taking a few precautions like the suggestions above, even if you’re not supporting EU users or GDPR policies, shows the rest of the world that you’re aware of the importance of people’s data. With the recent Facebook, Equifax and many other data breaches, and now severe GDPR penalties for any site that holds EU citizens’ data in its databases, it’s even more important for site owners, app owners, platforms and SaaS companies to care about data privacy.

Why it’s important to not just copy and paste policies but seek expert advice

The bottom line in my view is that if you’re generating revenue with your customers’ data, or use or collect more than a tiny amount of user or visitor data, I highly recommend you seek out legal counsel, as neither this post, my opinions, nor the plugins and tools mentioned can replace a privacy lawyer or similar expert who can provide a true legal opinion tailored to your specific business or product.

Why it’s important to map and audit your organization’s policies against all relevant regulations, standards and best practices

If you’re operating in different regions, or have both employees and contractors working for your organization to deliver value to your customers and consumers, then you need to be sure your internal controls and policies are mapped to the most relevant regulations, standards and best practices, whether GDPR, HIPAA, FDA, ISO or others. This can be a daunting challenge to deal with, and to keep up to date as the world of regulations changes.

So if you’re looking for help defining the right policies and controls, or possibly auditing your small to large company for GDPR, HIPAA and many other technology-related or general risk management concerns, we can help your organization map all the relevant regulations and standards to your own policies, detect compliance gaps and risks, and decide which assessments to conduct with our risk management solutions and services. We can help you prepare for full audits by regulators. We can help you gain ‘line of sight’ against external standards and regulations, and help you understand where you are lacking policies and training, so you can close the gaps before an audit or a violation embarrasses your organization, hurts your reputation, or causes major financial losses and lost customers. By implementing an end-to-end regulatory compliance framework, you can:

• Gain visibility, control and decision support.
• Reduce fines, penalties and reputation risk from non-compliance.
• Maintain compliance across multiple regulations and your enterprise.
• Improve operational efficiency.
• Reduce the cost of compliance.

Learn more about ways we can help you by checking out our offering, Compliance Mapper.

Some more background on GDPR

What is GDPR?

This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

How do businesses benefit from GDPR?

• Build stronger customer relationships and trust
• Improve the brand image of the organization and its brand reputation
• Improve the governance and responsibility of data
• Enhance the security and commitment to the privacy of the brand
• Create value-added competitive advantages

When is the GDPR coming into effect?

It will be enforced on May 25th, 2018.

Who does the GDPR affect?

The GDPR applies to all EU organisations – whether commercial business, charity or public authority – that collect, store or process EU residents’ personal data, even if they’re not EU citizens.

The GDPR applies to all organisations located within the EU, whether you are a commercial business, charity, public authority or institution, that collect, store or process EU citizen data. It also applies to any organisation located outside of the EU that collects, stores or processes EU citizen data.