Interactive Media Consulting, LLC has assembled a team of professionals ready to help you with any project. On staff, in our Saratoga Springs office, you will find designers, programmers, front-end developers, and customer support representatives. All projects are handled in-house, with minimal outsourcing and no off-shoring.

Are You Ready for GDPR?

Disclaimer: We are not attorneys. These recommendations are based on our research and interpretation of the General Data Protection Regulation (GDPR). Sources are cited below. GDPR is complex and interpretations vary, so we also recommend you discuss this with your attorney if you have further questions.

What is GDPR?

GDPR stands for the General Data Protection Regulation, a European Union (EU) regulation to protect the privacy of EU citizens as they use the internet. It essentially requires consent to collect any information that could identify visitors to your website, including the numeric IP address of the computer they used to access it.

Additionally, that information cannot be transferred to third parties without consent. This includes something as routine as sending a visitor's IP address to Google Fonts when the page they are viewing requests a font.

GDPR will be followed very closely by the ePrivacy Regulation, which will complement it. ePrivacy will require consent to set a cookie, consent for online marketing, and consent for cross-platform ad targeting.

Opt-In vs Opt-Out

This is a VERY important distinction. In the past, many websites automatically had the box checked for “join the mailing list” type options when filling out a form. When people did not want to join the mailing list, they would “opt-out” by unchecking the box. Otherwise, it was assumed they wanted to “opt-in.” To comply with GDPR, the box must remain unchecked and users must actively check the box in order to opt-in.

Rights Under GDPR

Under GDPR, individuals have the following rights:

  • Right of access – the ability to obtain all data you have stored on that individual
  • Right to rectification – the right to correct, revise, or remove any information you have on that individual
  • Right to be forgotten – the right to have that individual’s information completely deleted
  • Right of portability – the right of an individual to receive the data you have stored in a machine-readable, commonly-used format
  • Right to object – the right to remove themselves (opt out) from any service you are using with their data at any time (e.g. analytics, email marketing)

Data Controller vs Data Processor

GDPR operates under the assumption there are two players every time data is exchanged. The first is the Data Controller, who must be a person. The data controller determines what data needs to be collected and how that information is then processed. For many small businesses, the data controller is going to be the business owner or person charged with setting up databases and keeping track of user data.

The second is the Data Processor. This can be a person or a company/software/other entity. For example, Google is considered the Data Processor for Google Analytics data. Your hosting provider could be the processor if the database containing personal data is stored on their servers. The processor has legal liability if there is a data breach.

Am I affected if my business is US-based?

In one word, yes. GDPR was designed to protect the personal information of European Union citizens. That means that if a person from England, Germany, or any other EU country visits your website, you are bound by GDPR.

What are the penalties for non-compliance?

£20 Million (~$27 Million) or 4% of annual global income, whichever is greater, for failing to ask for consent.

2% of your annual global revenue for failing to disclose a data breach.

What does my company need to do to comply?

This is still very fluid and complicated. While the regulation was approved in 2016 and companies were given until May 25, 2018 to comply, guidance is still forthcoming and the major players (e.g. Google, Facebook) are still working on their compliance.

Based on our reading and interpretation, we know the following are very important:

  • Create a Privacy Policy – You must have a privacy policy that answers the following questions:
    • Who you are
    • What data you are collecting
    • Why you are collecting the data and how you intend to use it – it is no longer okay to blanket collect everything because you might need it someday. Only collect what is exactly necessary to get the job done.
    • How long you will be keeping that data
    • Who will have access to the data – this includes plugins and third-party applications, such as Google Analytics, your CRM (e.g. Salesforce, HubSpot), accounting (e.g. QuickBooks Online), and anywhere else you store personal or sensitive data.
    • How a person gets a copy of the data you have stored on them
    • How a person goes about deleting (not just unsubscribing) all the data you have on them
    • How you will notify users of a data breach
  • Ask for explicit consent everywhere you ask for information
    • Every form should have an “I consent to my submitted data being collected and stored” type statement. It is a good idea to reference your privacy policy. This must be a required field.
    • Consider a plugin to provide a notice that you use cookies and will be collecting and storing information according to your privacy policy.
  • Anonymize IPs for Google Analytics – an IP address is typically in the form: ###.###.###.###, where the complete set of numbers identifies the location of the computer. Anonymizing the IP address will set the last octet to 0, sending ###.###.###.0 to Google Analytics. This protects the privacy of your website visitor but does sacrifice some granularity with geocoding your users.
  • Discover what data your company collects:
    • Review URLs – make sure that you never transmit user ids, IP addresses, or other sensitive data in the URL when a form is submitted. This data will end up in your log files.
    • Review all personal data collected across all platforms – is any of it personal? Is any of it sensitive*?
    • Determine where your data is stored and its expiration policy – if you keep backups, for how long do you store and archive data?
    • Determine whether any third parties (e.g. Google Analytics) store any data on your behalf
    • Check the security of your data
  • Consider a Data Protection Officer – each company should appoint a Data Protection Officer to understand and manage all the data you collect.
  • Document everything – what are your policies and procedures for handling and securing personal and sensitive data?

* See “The GDPR: What is sensitive personal data” for a good definition
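As an added illustration (not code from the original article or from Google), the following JavaScript models what the Google Analytics IP anonymization described above does to an address before it is processed, alongside the analytics.js setting that turns it on. Per Google's documentation, IPv4 addresses have the last octet zeroed and IPv6 addresses the last 80 bits; the `anonymizeIp`/`expandIPv6` helpers and the sample addresses are ours.

```javascript
// Added example, not from the original article: a local model of what Google
// Analytics' IP anonymization does, so you can see what the collection
// endpoint receives. Per Google's documentation, IPv4 addresses have the last
// octet zeroed and IPv6 addresses have the last 80 bits zeroed. The helper
// functions and sample addresses below are ours, not part of analytics.js.

function expandIPv6(ip) {
  // Expand "::" shorthand into eight lowercase, zero-padded hextets.
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('invalid IPv6 address');
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('invalid IPv6 address');
  }
  return [...head, ...Array(missing).fill('0'), ...tail].map((h) => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(h)) throw new Error('invalid IPv6 address');
    return h.toLowerCase().padStart(4, '0');
  });
}

function anonymizeIp(ip) {
  if (ip.includes(':')) {
    // Keep the first 48 bits (three hextets); zero the remaining 80 bits.
    return expandIPv6(ip).slice(0, 3).concat(Array(5).fill('0000')).join(':');
  }
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('invalid IPv4 address');
  octets[3] = '0'; // ###.###.###.### -> ###.###.###.0
  return octets.join('.');
}

// Turning the setting on in the analytics.js tracking snippet (browser only;
// `ga` is the global defined by the snippet, so this is skipped elsewhere).
if (typeof ga === 'function') {
  ga('set', 'anonymizeIp', true);
}

// Constructed sample addresses from the documentation ranges (RFC 5737 / RFC 3849).
const SAMPLES = ['203.0.113.57', '2001:db8:85a3::8a2e:370:7334'];
SAMPLES.forEach((ip) => console.log(ip, '->', anonymizeIp(ip)));
```

For sites using gtag.js instead of analytics.js, the equivalent is the `anonymize_ip: true` parameter on the `config` command.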

What About Cookies?

Websites, shopping carts, Google Analytics, Facebook pixels, and others use ‘cookies’ to track where users are on the website and what they do while there. The European Union has an ePrivacy Regulation that will take effect later this year or early next. It essentially bans unsolicited marketing and cookies. As with GDPR, the use of cookies comes down to the consent of the user.

How to Comply

GDPR is complex and even less than three weeks from implementation, WordPress, Google, Facebook, and other major players are still working out exactly what they need to do to their applications to make them compliant.

IMC is offering the following GDPR Checkup based on our research. Again, we are not attorneys and suggest that you have an attorney review any documents created. However, with so many questions still surrounding what exactly US-based companies need to do to comply, we recommend taking some basic steps now, that are considered good practice anyway.

We recommend the following steps:

  1. Website Audit – during a website audit, we will click through every page and complete every form to determine the following:
    • Are there any 3rd party applications in use – what data do they collect and will they comply with GDPR?
    • Are there any links/URLs that contain personal or sensitive data?
    • Do you ask for consent every time you collect information, on an opt-in basis?
  2. Software Additions/Upgrades – we will do the following:
    • Upgrade you to WordPress 4.9.6 to help with your Privacy Policy generation
    • Install a GDPR Compliance plugin to help guide us through your website
    • Install a warning bar stating the website uses cookies and tracks your IP address
  3. Review your Google Analytics Settings – this is done to make sure the IP addresses are anonymized and that sensitive data, such as usernames, are not sent to Google.
  4. Review Data Storage Policies – what do you do with any data sent to you via the website?

The cost for this service will depend on the size of the website and the number of 3rd party plugins and applications.


General Data Protection Regulation
Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Last Accessed: 5/8/2018

EU GDPR Information Portal
Last Accessed: 5/8/2018

IT Governance – The GDPR: What is sensitive personal data
Last Accessed: 5/8/2018

Information Commissioner’s Office – Key Definitions
Last Accessed: 5/9/2018

Google – Our Commitment to GDPR
Last Accessed: 5/8/2018

Google Support – IP Anonymization in Analytics
Last Accessed: 5/8/2018

Elegant Themes Blog – How to Make Your Websites GDPR Compliant
Last Accessed: 5/8/2018

Elegant Themes Blog – A Quick Guide to Data Protection Regulations in 2018
Last Accessed: 5/8/2018

Constant Contact Blog – GDPR: What You Need to Know and How Constant Contact Helps You Comply
Last Accessed: 5/8/2018

WPMUDEV – Is Your Website GDPR Compliant?
Last Accessed: 5/8/2018
