The European Union has decided to level up it’s policies for data protection concerning it’s citizens given the trend towards big data collection of users for marketing & online social connection purposes.
** ALERT 1 ** If you do not serve any citizens of the European Union, then stop reading, because this will not affect you.
However, if you do serve European customers EVEN if your company is not based in the European union this affects you.
** ALERT 2 ** I am not a lawyer! None of what I write should be taken as legal advice and am writing this solely as an interpreter of the GDPR, reading others’ articles, and from general understanding of data protection laws. When designing compliant processes you should always consult a lawyer.
Without getting too much into it, GDPR has a few minimum requirements for compliance that you need to follow in order to not get hit with the fine hammer which can nail you with a fine up to $20,000,000.
We’re not really sure how the EU will be able to collect that if your company is located in any country outside the EU, but I will say if you receive a notice in the mail, you’ll probably want to avoid vacationing in France anytime soon.
Avoiding fines however, is quite easy. Here are the few things you need to implement in order to be compliant.
** Alert 3 ** As a North American company I have focused on the aspects of GDPR which are most likely to affect the “average” North American company. If your company is based in the EU, you should absolutely consult a GDPR specialist or a lawyer when designing and implementing your GDPR compliant processes.
- Compliant Web Forms With Explicit Consent
This is the easiest requirement to meet. Simply add a checkbox to every form on your site that collects PII (personally Identifiable Information)
Something like this should do: “By checking this box you consent to receive marketing and transactional materials from [Your Company]. For more information see our terms of service”
- Information Requests
Any user which comes under the purview of GDPR (so anyone in the EU) must have an easily accessible way to send a request to you company that will allow them to request any information you may have on them.This one is a bit trickier and you have a few things to consider.
Obviously the easiest way to do it is place an information request form on your site, but that request form should have a way to identify someone not only by email, as doing it by email only is very insecure.
Should you have a fair amount of information on someone, anyone with an email address can just request a ton of information about someone else without verification of identity.
Thus you should have a way to identify customers on another basis, for example the amount of their last payment, their last billing order ID, or another form of Personally Identifiable Information so that you can quickly verify someone’s identity.
- The right to be forgotten
Upon request from a user, you are obligated to erase ANY trace of that contact data from your company databases.
However this comes with exceptions if you require specific personal information for explicit purposes. For example…
- Order receipts for Tax Declarations
- The person’s information is necessary for legal reasons
- There are more exceptions and I highly encourage you to do your own research.
- Notification of erasure
Once you complete the erasure of the contact, you are obligated to notify the contact of the erasure, and notify them of all the other parties that have had access to that person’s information, in the case they may want to remove themselves from those parties as well.
Those are the big ones that I discovered. Of course your proximity to the European Union might affect these regulations and you may need to pay attention to others as well.
For those most part, understanding and implementing the above as a small-medium business operating in North America should keep you safe.
To read the GDPR articles for yourself, visit this site where you can browse and search the articles form items that may directly affect your company.
Is FormLift Compliant?
If you use FormLift, you may be wondering if it is GDPR compliant, or at least how you can ensure GDPR compliance with it.
The short answer is mostly. We have plans to make it completely compliant BEFORE the deadline enforcement date of GDPR which is 25 May 2018.
The item that has to be added for compliance is the ability to easily delete contacts from the submissions table, however you can do that VIA the PHPAdmin if need be.
EDIT: 2018/05/05: FormLift is fully GDPR compliant as of version 7.4.0 which was released on May first.
As for most regulations, Infusionsoft is responsible for GDPR compliance,
We are also adding a special custom field types to FormLift. The GDPR field which will auto generate a compliant checkbox.
This will not be sent to Infusionsoft, but it doesn’t need to. As long as it is present in the form you are fine.
So, simply add this field to your form, and you should be good to go.