What is it?
GDPR stands for General Data Protection Regulation. It is a set of rules, set forth by the European Union, for how people's personal data is collected and handled online. It applies to the data of anyone who is in the EU at the time, citizen or not (roughly 450 million people).
If anyone in those countries enters data on your website, YOU ARE AFFECTED.
It was put into effect on May 25th, 2018.
Those people MUST be told what you will do with the data you collect.
If you're not in compliance you could face fines of up to €20 million or 4% of your worldwide annual revenue, whichever is greater.
I want this post to be clear and easy to understand so here's what you should do:
#1. Know what data you are collecting from people. (newsletter information, analytics, email, name, phone number, ANYTHING)
#2. Understand what happens to that data.
#3. Create a compliance plan.
You can only protect and control what you know about. Map out every avenue someone could use to give you their information, and every third party that collects information on your behalf, including CRM systems, email drip campaigns, IDX logins, etc. All of that data should be mapped out, classified and documented. Seems confusing? It doesn't have to be. While I AM NOT A LAWYER and CANNOT GIVE LEGAL ADVICE, I can tell you some steps to take and what we did.
First off, look at one of those privacy policies you've probably received lately. Look it over and see how the "big guys" have written theirs, because they've probably covered their butts well. Start writing one of your own, or find a similar one and reword it in your own words, and make sure it covers these areas:
2. Breach Notification
The user needs to know what you will do if their data is ever compromised. Under GDPR a breach must be reported to the supervisory authority within 72 hours of you becoming aware of it, and to the affected people without undue delay if it puts them at high risk.
3. Right to Access
Users have the right to request a copy of their own data and to know what you're doing with it. You generally have one month to respond.
4. Right to be Forgotten
Users can request that you delete their information, and you must do so unless you have a lawful reason to keep it (for example, a legal obligation to retain records).
5. Data Ownership
Users have the right to a copy of their data in a common, machine-readable format so they can reuse it elsewhere (GDPR calls this data portability).
Lock down your site as much as possible and tell people what you're doing with their data...all of it.
7. Prove it
Be ready to produce records of what data you hold and what you have done with it.
If you're still stuck you can take a look at our website: https://www.personalseo.com. We've installed a widget on the top bar so that people can know and understand what we do with their data.
IF YOUR IDX SOLUTION COLLECTS DATA
Call them and ask how they are handling GDPR compliance. If they don't know what you're talking about, talk to a superior. Both you and they may be responsible.
You or your webmaster can block visitors from those countries, BUT GDPR's reach is based on where the person is when they use your site, not on their citizenship, so the block has to actually work, and IP-based blocking is easy to get around (VPNs, proxies, mobile roaming). That's a risky place to be. It's just best to comply.
Make it plain English: "On this site I use ... (Google Analytics, IDX information, forms, CRM, newsletter software, etc.)", and link to the GDPR compliance pages of those providers (analytics, forms, CRM, newsletters) and their websites where possible. Seriously, cover your butts EVERYWHERE.
"But I won't or don't sell anything to overseas buyers." - You still may not have any control over whether they put their information into your forms. This really doesn't solve the problem.
"How do I know what to say?" - I would find a similar site and see what theirs says, and as long as it covers the bases you can reword it into your own words, or have a lawyer draw one up.
What if you don't comply? Fines go up to €20 million (about $23 million, yes, million) or 4% of your worldwide annual revenue, whichever is greater... NOT A GREAT PLACE TO BE. That is the maximum, though; supervisory authorities also have the power to issue warnings and reprimands, order you to comply with data subject requests, and order you to inform affected users of any issues. I don't know about you but these really make me want to comply.
World map image by S. Solberg J., CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=2142538