How will the GDPR impact businesses like ours? It’s not necessarily such a bad thing.
The EU’s new data privacy regulation, the GDPR (General Data Protection Regulation), is set to take effect on May 25th. Back in August we published an article outlining the requirements of the regulation and how you can comply with Ninja Forms. Since then we’ve been keeping an eye on the GDPR itself, and looking at everything we need to do with our own site to comply ourselves.
In that time, two things have become very clear:
- As a business, the steps we have to take to become compliant certainly aren’t insignificant, but they aren’t unreasonable, either.
- A lot of us are missing the point of the new regulations entirely.
Let me unpack these two thoughts a bit.
What compliance is looking like for us (and probably for you!)
Over the last several months our CEO and CTO have been consulting with our attorney. Clocking in at 88 pages, the official regulation itself is no small beast to parse, but it isn’t exactly a novel-length monstrosity, either. We want to make absolutely sure we get this right, and for a business our size that means bringing in legal counsel. No surprise there.
We’re tackling this in two stages: brainstorming and implementation. Brainstorming with our attorney, we’ve identified pretty much everything that needs to be done at this point. We’re moving into the implementation phase now with a pretty clear idea of what needs to happen.
From that vantage point, we’re pretty comfortable making the statement that GDPR compliance isn’t looking that difficult.
The biggest thing we have to change isn’t our website… it’s how we think about personal data
To clarify that statement, our website will be changing. That process has already begun, and finishing by May should be no problem. Here are our key takeaways so far:
- Physical changes to the website are necessary but relatively minimal
- Time investment to make those changes will be significant but no real burden
- The only real cost to implement compliance is primarily in consulting our attorney
- By far and away, the biggest change we have to make is in how we think about data
Points 1-3 are pretty straightforward. Expanding on the 4th point:
The GDPR has broadened the way that we think about and treat user data.
From a traditional business perspective, the more you understand your customers – the more user data you have – the better you’re able to serve them. It’s imperative that data is stored in a secure manner. It’s crucial to respect the wishes of a user who does not want that data used to contact them (e.g. mailing lists). With those two boxes checked, the more data you have, the better. That’s been the status quo.
Looking ahead to complying with the new regulations, we realize we need to become much more conscious of what data we collect, why we collect it, and where that data lives. Above and beyond what has been the status quo.
What is the minimum viable amount of data we need to take great care of our customers?
That’s the primary question we’ve come to ask ourselves. We’ve realized we don’t really need all the data we’ve asked for in our checkout process, for example. As we become more conscious of exactly how much user data we need in order to provide an outstanding experience, we’ve already trimmed away those extraneous data points.
Beyond that, we need to be more aware of each collection and storage point for user data, evaluate each of them, and make sure we have a way to drill into each one to provide or remove specific data on request.
From a technical standpoint, this isn’t difficult. It isn’t costing us much at all, time or money-wise. A little bit of investigation and automation is all there really is to it.
This is not a burden that has been placed on us. This is an opportunity to stop and reflect on how we treat our users, and to develop a greater sense of respect for their privacy and personal data. And we believe that’s exactly what the aim of the EU’s new regulation is.
If you’re looking at the GDPR only as a new set of regulations to be complied with, you’re looking at it wrong.
Sure, that’s a totally subjective statement. But it’s coming from the perspective of doing what’s right by the people who trust us with their business. The goal of the GDPR is to “protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” We believe that the right to personal data privacy is something that should be shared by all individuals and not just limited to EU citizens.
The GDPR is more than a new regulation. It’s a clarion call for businesses around the world to step up and show a greater respect for the people they serve every day. The people whose trust and willingness to engage with us is the only reason that we’re in business today.