Website Owners: How to Get Ready for the General Data Protection Regulations (GDPR)
GDPR (the General Data Protection Regulation) is a series of changes to the way that data is captured, used and managed, for all individuals in the EU, and it comes into effect on 25 May 2018.
The law applies to businesses or organisations in the European Union. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behavior, must also comply. So in effect, GDPR will become the global standard for data protection.
And with businesses facing a maximum fine of £20M or 4% of your turnover for non compliance, GDPR is a very hot issue. Below I've written about how email marketing and how your website will need to change to be compliant with GDPR .
In this article I will give some common sense recommendations and suggestions based on the research that I have carried out. It's meant to give everyone with a website an introduction to GDPR, but doesn't go into too much detail. If you want to make sure that you're fully compliant with GDPR I would advise that you get some proper legal advice or carry out deeper research into how GDPR affects your particualr business. Phew.
Consent is a key part of the new GDPR legislation.
Under the new regulations you can only send emails to customers who have explicitly opted in to receive your emails. Customers have to understand what they are siging up to, and have to tick the box to agree to receiving the email. Email marketing sign up forms cannot already tick the subscribe option, it has to be blank by default, consent must be given by the customer.
I think this is 'a good thing' - GDPR is about doing what's right, not just what's legal. If you are sending less emails to a more engaged audience, it should cost you less, and you ought to get better results.
Under the new GDPR rules, the initial opt in consent does not mean you can email the customer forever. You will need to send all opted in customers a re-engagement email explaining
- How you got their details
- Why you are getting in touch
- How they can opt out
If you use a third party provider, such as MailChimp, for your email marketing you can read about how Mailchimp are working on GDPR Compliance here: https://blog.mailchimp.com/getting-ready-for-the-gdpr/.
Simple Sign Up Forms
As well as customers having to opt in, they need to give you consent for each different type of communication method (post, email, SMS, telephone etc.) For example, they need to be able to opt in to receive email communications, but not post, if you use those different channels.
Make it Easy to Withdraw Consent
You need to give your users control over their data, so they can view, update and remove the data that you hold about them - it should be as easy to unsubscribe as it was to subscribe.
This might have to be part of your website, or it could be carried out by a third party email provider, if you use one.
Consider the Information You Hold
If your website (or admin area) stores personal information about your customers then you need to look at what data you hold, where it came from, who can access it and who you share it with.
You need to write down your policies and procedures for handling this personal data. This is part of demonstrating your compliance with the regulations.
You need to make sure the data stays safe - keep in mind the technology (consider things like encryption and anonymization) and the human factors involved in data security. Unless you really need to keep the data, I'd recommend deleting it.
Prepare for a Data Breach
Should this unfortunate event take place, make sure you know what to do and who to contact
‘concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.'
Partly to tackle the ridiculous length of some privacy policies (I'm looking at you, iTunes) this should help to eradicate the legalese that plagues some websites, and make website privacy plain and simple.
If you sell online and your website is storing customer's personal details, even if it's not the credit card information, you will need to remove this personal information after a reasonable period.
The GDPR legislation isn't clear about how long is reasonable, it is up to you as to what can be justified as being reasonable and necessary.
Google Analytics is OK
Google Analytics tacking uses an anonymous tracking system so there's no "personal data" being collected. Here's what Google say about data protection laws, including their commitment to GDPR: https://privacy.google.com/businesses/compliance/#?modal_active=none.
Your 10 point plan for GDPR compliance
- Make sure that customers are actively opting in and giving consent.
- Check your current database - can you see where consent was given? You might be asked to show how and when consent was given.
- Update the forms on your website (the ones that put customers onto your mailing list) to ensure they are in line with the new regulations.
- Decide how you are going to give people a way to view, update and remove the data that you hold about them.
- Decide how long the initial opt in consent is valid for, and work out a way to gain consent after this time is up
- Make sure your admin area, or any place that you store customer details, is secure
- Write down your policies and procedures for handling personal data.
- Decide how long you need to keep customer personal data for
- Consider encrypting your website with SSL
We Are Here to Help
We are here to help make your website GDPR compliant by the 25th of May. If you need us please get in touch.
The Information Commisioner's Office website has a comprehensive guide to GDPR here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/comments powered by Disqus