By now you are probably aware that European Union is rolling out the GDPR (General Data Protection Regulation) on 25th May 2018.
The goal of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.
In a nutshell, GDPR states that if a website collects, stores or uses any data related to an EU citizen, you must comply with the following:
- Tell the user: who you are, why you are collecting the data (for what purpose), how long you are going to store it and who receives it.
- Get a clear consent, before collecting any data
- Let users access their data and correct it if it is incorrect
- Let users delete their data or take it with them
- Let users request that you stop processing their data
- Let users know if data breaches occur
You, as a Data Controller, also have an obligation to keep the data safe. This means you need to ensure that any communication between the web server and a browser is via a Secure Socket Layer (in layman terms you need to have an SSL certificate installed on your site).
Do you REALLY need to be GDPR Compliant?
If people from European union can visit and interact with your site (e.g. post comments on your blog, subscribe to a newsletter, share your content to social media, place orders, send enquiries or contact you via an online form, you need to be compliant.
GDPR does not require you to be a European citizen, or for you to be a European based business to find you guilty and impose a violation.They can do it even if you’re located across the Pacific ocean and have absolutely no care what’s happening in France. If people from the EU can surf your site, you are liable to adhere to GDPR rules.
The Consequences of your website not being GDPR Compliant
- A fine of up to €20 Million or 4% of your global revenue. Whichever is the GREATER!
- Not being able to sell to customers from EU or serve them in any other way.
- Not being able to monetize EU based customers through ads or other means.
- Severe legal costs and hassles that will stop you from focusing on your business.
Website Owner Obligations to ensure GDPR Compliance
SSL Certificates are not an optional extra. If you have a contact form on your site, or a clickable email address, or someone can leave a comment, download content or place an order, you absolutely have to have an SSL certificate. If your website does not have a // in the URL or there is no green padlock, then the connection to your website is not secure.
All forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.
When sending out email
When sending out email (as a newsletter, or as a purchase confirmation etc), you need to include information on why you are emailing them, how you got their data and provide them with an unsubscribe option and “forget me ” option. Email-optout is not enough in GDPR you also need to give people a way on your website to opt-out of future emails.
If you share data with anyone you need to tell the owners of the data and ask for their consent.
Terms & Conditions
You will also need to update your terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information both on your website and also by your office systems.
If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway e.g. to send emails with additional offers.
If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days, it is your own judgement as to what can be defended as reasonable and necessary.
Third Party Tracking Software
Things now start to get tricky when it comes to third-party tracking software.
Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so I believe GDPR does not impact on its usage.
If you use other third-party marketing automation software solutions e.g. lead tracking applications like Lead Forensics, Leadfeeder or CANDDI, you need to ensure that their software is GDPR compliant.
It Isn’t Only Your Website That Needs to Be GDPR Compliant. The changes being introduced with GDPR will permeate your entire business, but in this series of articles, we are focusing purely on your digital marketing.
Planning your GDPR compliance strategy
As you start planning the detail of your website, you will uncover a Pandora’s Box of issues you will need to consider, but here are a few key questions to be considering now as we approach the May deadline:
- You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
- Do you need to either gain or refresh consent for the data you hold?
- Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
- Is your data being held securely, keeping in mind both technology and the human factors in data security?
- Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?
- Even if you do not collect and store personal data yourself the onus is on you to ensure that any data that is passed to you some from a compliant source and if you pass data on that the receiver is also compliant.
As all businesses are different the previous point should be regarded as guidelines on the things you need to be aware of and not as instructions.
Not sure what to do next? Then give us a call and we can help you make your website GDPR-compliant?
The price starts from €199 plus VAT and that includes a number of very important things:
- We then implement the changes identified by the audit and let you know what kind of personal data is being collected through the website, how it is being used and how long it can be kept for.
- If you don’t have an SSL certificate as yet on your website, we install it for you to ensure your website, customer data and emails are protected and secure at all times (optional service priced separately – from €50 depending on the complexity of your site.
- We provide you with a mechanism to keep track of, correct or delete any type of personal data you may have stored on your website. This includes client subscriptions, past orders, blog comments or testimonials which include personal details.
- Provide you with a mechanism to notify your users if a data breach occurrs.