*** DISCLAIMER: This is not legal advice. We are not lawyers. ***
The General Data Protection Regulation (GDPR), which aims at improving data protection for individuals across the EU, will become directly applicable on May 25th, 2018. Organisations doing business in the EU, irrespective of the location of their corporate headquarters, will need to be compliant with the new rules and should act immediately. It is a binding legislative act and in effect becomes the global standard for data protection.
According to the EU GDPR Portal, personal data constitutes: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
GDPR has been introduced to provide people with more control over their personal data and such private information must be acknowledged and respected by businesses which collect, manage and store such information.
Websites and other digital platforms occasionally require information or permission from visitors (users) to use certain private data. Gathering data will definitely not be that easy any longer. With GDPR in force, users must be given complete control over their data and websites must offer clear, optional and understandable directions for opting in or out.
Regarding GDPR, marketing departments need to be cautious in terms of:
- Collecting focused and meaningful data
- Ensuring that users control their data
- Providing clear, optional and comprehensible instructions for opting in
- Obtaining permission properly. One of the biggest changes with GDPR is how websites gain permission to use an individual’s information. Such individuals (visitors or users) must be clearly informed what personal data is being used, how it will be used, by whom and for how long.
GDPR is an 88-page A4 PDF with 11 Chapters, 99 Articles and countless paragraphs and sub-paragraphs. The document can be viewed here or for an e-version, check out Intersoft Consulting’s dedicated GDPR website.
8 Key Points to Consider so Your Website is GDPR Compliant
1. Personal data audit to identify which data processors are first and which are third party. For each, you must consider: what is the data used for? where is it being stored? do you still need it? “Data is a liability to you so, unless you need to keep the data,” it is recommended you delete it.
3. Active Opt-In for FORMS. Check forms so that the default is blank or “no” to subscription preferences or sign ups (e.g. for newsletters).
4. Opt-In should be unbundled. You need to ensure you have a separate section for acceptance of Terms & Conditions and a separate opt-in for each contact preference (e.g. email, SMS, post).
5. Every communication path should have a separate Opt-In. The visitor should be able to select what he/she wants in terms of communication method and reason.
6. There should be an easy way for a visitor/user to withdraw permission granted (an Opt-Out or Option to Withdraw). The visitor/user must be able to change frequency, stop communication entirely, or select the type of communication being received (e.g. special offers only, company news, industry news, etc.).
7. Any data being submitted to your website must be encrypted in transit. Ask your developer to install an SSL/TLS certificate so the site is served over HTTPS.
8. You must ensure there is separate identification and naming of third parties. And don’t forget that the third-party tools and solutions being used on your site must be GDPR compliant as well. If a third party is not yet GDPR compliant, contact them to find out what their plans are. Should such a third party have no intention of becoming compliant by May 25th, 2018, then you should seek to replace it with a similar but compliant provider.
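Points 3 to 6 above describe how consent should be captured: nothing pre-ticked, Terms & Conditions separate from marketing opt-ins, one opt-in per channel and purpose, and an easy withdrawal path. The following is an added example (not code from the original article) of server-side handling for such a form; the field names (`terms_accepted`, `consent_email`, `purpose_offers`, etc.) and the sample submission are assumptions constructed for illustration.

```javascript
// Added example: unbundled, opt-in-only consent handling for a sign-up form.
// Field names below are hypothetical; adapt them to your own form.
const CHANNELS = ["email", "sms", "post"];
const PURPOSES = ["offers", "company_news", "industry_news"];

// Only an explicit affirmative value counts as consent. A missing, empty or
// unexpected value is treated as "no", so nothing can be consented to by default.
function isExplicitYes(value) {
  return typeof value === "string" &&
    ["on", "yes", "true"].includes(value.trim().toLowerCase());
}

// Build a consent record from submitted form fields. Returns null when the
// separate Terms & Conditions acceptance is missing, whatever the channel boxes say,
// so T&C acceptance can never be inferred from a marketing opt-in (or vice versa).
function buildConsentRecord(fields, now = new Date()) {
  if (!isExplicitYes(fields.terms_accepted)) return null;
  const channels = {};
  for (const c of CHANNELS) channels[c] = isExplicitYes(fields[`consent_${c}`]);
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = isExplicitYes(fields[`purpose_${p}`]);
  return {
    subject: fields.email,
    termsVersion: fields.terms_version || "unknown", // which wording was agreed to
    channels,
    purposes,
    recordedAt: now.toISOString(), // evidence of when consent was given
  };
}

// Withdraw consent for one channel, or for every channel when none is named.
// Returns a new record rather than mutating the stored one, keeping the history intact.
function withdrawConsent(record, channel = null, now = new Date()) {
  const channels = { ...record.channels };
  for (const c of CHANNELS) {
    if (channel === null || c === channel) channels[c] = false;
  }
  return { ...record, channels, withdrawnAt: now.toISOString() };
}

// Constructed sample submission: T&Cs accepted, email ticked, SMS box left blank,
// post box absent entirely, and only the "offers" purpose selected.
const sampleSubmission = {
  email: "alice@example.com", terms_accepted: "on", terms_version: "2018-05",
  consent_email: "on", consent_sms: "", purpose_offers: "on",
};
```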
Site owners and marketers should perform clean-ups of the data they keep in lists or CRM systems. This data must be up to date and stored securely. GDPR applies to businesses within the EU and to businesses outside the EU that offer goods and/or services to people living within the EU. A designated Data Protection Officer should be responsible for monitoring your organisation’s internal compliance with GDPR. Such an individual can be appointed from your in-house staff or employed specifically for the respective duties. There are defined processes to monitor compliance and huge fines are in place for non-compliance (up to 4% of your global revenue or 20 million EUR, whichever is greater).
So, check the methods used in collecting data, put mechanisms in place to ensure a visitor/user can control his/her data, avoid collecting data where unnecessary, and check your third-party tools and solutions to ensure they are GDPR compliant.
Though GDPR may seem quite intimidating, we must remember that the Internet is highly unregulated and the GDPR’s ultimate aim is to protect people.