GDPR—What Is It and How Does It Affect Your Business?
A European Regulation with Global Implications
GDPR—or General Data Protection Regulation—refers to new rules set by the European Union around the data collection and analysis of its residents’ online activity. GDPR goes into effect this month and because of the global nature of the World Wide Web, all businesses with an online presence—regardless of their HQ’s location—need to be mindful of how they’re treating website visitor data.
For example, there’s nothing stopping a European user from reaching out to you via your contact form—if they provide information like name and/or email, thanks to Article 3 you’re subject to GDPR law.
Put briefly, if you’re involved in any way with your company’s online marketing projects, the sooner you learn about how these laws impact your business, the better.
GDPR and the Handling of Data
Under the terms of GDPR, organizations need to ensure personal data is gathered legally and under specific conditions and that data is not misused or exploited. Any business that fails to respect the rights of users to ownership over their data may be subject to penalization.
So, What Qualifies as Personal Data, Anyway?
Any information you receive from your website that could be used to identify someone—directly or indirectly—is considered “personal data.” Things like name, email, IP address, and more are all included in this list.
The GDPR also outlines specific restrictions around “sensitive personal data”—race, sexual orientation, religious beliefs, etc. This special class of data should be treated with even more caution.
What Rights Do EU Users Have to Their Data?
Site users—aka data subjects—have the right to the following with regard to their personal data (per ico.org.uk):
- “The right of access.” Users who request a copy of their data must be provided that information in “an electronic digital format free of charge” within one month of the verbal or written request.
- “The right to rectification.” If a user feels their data is inaccurate, they have the right to have it corrected or completed.
- “The right to erasure.” This is also known as “the right to be forgotten” and allows users to ask that their data be permanently erased. Exceptions may apply.
- “The right to restrict processing.” Users may request the processing of their data be restricted or suppressed; while exceptions to this rule may apply, if processing is restricted, businesses may store the data, but not use it.
- “The right to data portability.” Users have the right to obtain and reuse—for personal use—personal data given to your business.
- “Rights in relation to automated decision making and profiling.” The GDPR has provisions on “automated individual decision-making”—aka, decision making that occurs without human involvement—and automated evaluation of user data.
For complete details and guidelines, check out ICO’s full guide.
How Are Businesses Being Held Accountable?
Breach Notification Rules
Businesses are required to notify users directly—not by social media or press release—of any potential compromise to data within 72 hours of a security breach if it is likely to “result in a risk for the rights and freedoms of individuals.”
Privacy as Part of the Design and Development Process
Businesses are required to integrate data protection into their processing activities and business practices, from early in the website design stage through the total life cycle of each online marketing project. All data must be transferred and/or stored in a secure environment, and SSL certificates are almost always necessary in order for your website to be in compliance with this effort. (Fun fact: at efelle, we make SSL certificate installation a keystone part of the launch process for every website we develop.)
Any data about EU citizens should be stored within the EU’s territorial borders unless the user has given “explicit permission/consent” for your business to store their info elsewhere. This consent may be added to your Terms of Service.
Penalties for Noncompliance
If your business fails to comply with GDPR, it could be subject to a fine; fines range from tens of millions of euros to four percent of your earnings. The total amount depends on the severity of the breach and the efforts you make toward compliance.
The Cookie Law (Not Quite as Delicious as It Sounds)
Feel free to ask us for more information about cookies and how your site may be using them.
How to Obtain Data and Stay GDPR Compliant
The list below outlines the criteria surrounding the consent process.
- Users must opt in. Users must be given the right to consent to the tracking of personal data. You may add a checkbox to a user form to “Opt In” as long as the box is not preselected—the visitor must click it themselves to indicate consent.
- Consent must be “unbundled.” All consent requests should remain separate and should not be required in order for users to sign up for a service. As an example, if a user signs up for an account on your site, this does not mean they also consent to receiving promotional materials via your newsletter.
- Consent must specifically name your organization—as well as any third parties that require the consent. An example of a compliant statement may be: "I consent for [YOUR ORGANIZATION/THIRD PARTIES] to use my data for the purposes of [WAYS YOU WILL USE DATA]."
- What users are consenting to must be explained in detail, a record of the consent must be saved, and options to revoke must be easily available.
How Do I Make Forms and Account Registrations Compliant?
Forms that collect anonymous data—quizzes, surveys, etc.—likely don’t require extra GDPR-compliance efforts. However, as soon as you ask for a name or email address, you’re subject to GDPR rules.
Note: Additional offers or newsletter sign ups require additional consent boxes; you may also require different consent options if you’re collecting phone numbers and other contact data. Be clear to users about how you intend to use this personal information.
What About Newsletters and Marketing Campaigns?
Do not send out marketing materials to users who have not consented to receive items from that specific promotional realm. If a user fills in a form on your site and provides their phone number then checks off the “Yes to Email Newsletter” box, you may not send them promotional materials via text message (unless they also give you explicit consent to do so elsewhere).
In addition, be sure to make it easy for users to unsubscribe and provide clear instructions for how to do so.
As previously discussed, opt-in checkboxes can be placed in forms, allowing for visitors to indicate consent for signing up. The checkbox must be specific to the newsletter or marketing campaign, and cannot be looped in as part of a “package deal” with account registration.
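To show how the consent criteria above and the channel-specific marketing rule fit together in code, here is an added example (not efelle's code and not from the original post): a small consent ledger that only accepts an explicitly ticked box, keeps each purpose unbundled, stores the statement the user saw, supports revocation, and refuses to send over a channel the user never opted into. The organization, third-party names, and purpose keys are placeholders.

```javascript
// Added example: a minimal consent record store (names are this example's own).
const ORGANIZATION = 'Example Co.'; // placeholder for [YOUR ORGANIZATION]

// Each purpose is consented to separately ("unbundled"); creating an account
// grants none of them. Third parties are named per purpose (placeholders).
const PURPOSES = {
  emailNewsletter: { channel: 'email', thirdParties: ['Example Mailer Inc.'] },
  smsPromotions:   { channel: 'sms',   thirdParties: [] },
};

class ConsentLedger {
  constructor() { this.records = []; }

  // Record consent from a submitted form. Only an explicit `true` counts:
  // an unchecked, absent or defaulted box never yields consent.
  recordFromForm(userId, form, now = new Date()) {
    const granted = [];
    for (const [purpose, cfg] of Object.entries(PURPOSES)) {
      if (form[purpose] !== true) continue;
      granted.push(purpose);
      this.records.push({
        userId, purpose, grantedAt: now.toISOString(), revokedAt: null,
        // The statement shown to the user, naming organization and third parties.
        statement: `I consent for ${[ORGANIZATION, ...cfg.thirdParties].join(', ')} ` +
                   `to use my data for the purposes of ${purpose}.`,
      });
    }
    return granted;
  }

  // Revocation keeps the record (proof of the original consent) but ends it.
  revoke(userId, purpose, now = new Date()) {
    for (const r of this.records) {
      if (r.userId === userId && r.purpose === purpose && !r.revokedAt) {
        r.revokedAt = now.toISOString();
      }
    }
  }

  // Marketing over a channel is allowed only by an active consent whose purpose
  // uses that channel: an email-newsletter opt-in does not cover SMS.
  mayContact(userId, channel) {
    return this.records.some(r => r.userId === userId && !r.revokedAt &&
                                  PURPOSES[r.purpose].channel === channel);
  }
}

// Constructed submission: phone number supplied, only the email box ticked.
const ledger = new ConsentLedger();
ledger.recordFromForm('user-1', { phone: '+1 555 0100', emailNewsletter: true });
```

Call `mayContact('user-1', 'sms')` before any text-message campaign; it returns false here even though a phone number was collected.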
Can I Still Use Google Analytics?
Some good news: when using a basic configuration of Google Analytics, you will most likely be GDPR-compliant, as a basic GA setup does not collect personally identifying information.
If, however, you have configured the following features, you may be subject to GDPR law:
- User ID tracking
- The processing of demographic reports
- Remarketing functions
These features collect personal data; if you do use these features, and especially if you share any of the obtained information with a third-party organization, make sure you request consent from users, outlining the specific parameters of the information you’re requesting and what you’re using it for.
The following is a list of best practices for getting your Google Analytics data collection to comply with GDPR standards:
- Enable IP anonymization. This removes the final two numbers of the IP from your view. In addition, do not conduct “user ID matching” outside of your own website.
- Set cookie expiration dates. Make sure your Google Analytics cookies are configured to expire after 12 months.
- Provide visitors with information about what information you’re tracking and how. Offer them the ability to consent to that collection (see above).
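The checklist above can be checked against the page's own tracking setup. The following is an added example (not efelle's code and not part of the original post) that replays analytics.js `ga()` commands into a queue and audits them for the three settings listed: IP anonymization, a cookie lifetime of at most 12 months, and User ID tracking only with recorded consent. The field names `anonymizeIp`, `cookieExpires` and `userId` are real analytics.js fields; the tracking ID is a placeholder and `auditGaQueue` is this example's own.

```javascript
// Added example: audit an analytics.js command queue against the checklist.
const TWELVE_MONTHS_SECONDS = 365 * 24 * 60 * 60;               // 31536000
const GA_DEFAULT_COOKIE_EXPIRES = 2 * TWELVE_MONTHS_SECONDS;    // analytics.js default: two years

// Stand-in for the ga() command queue: every call is recorded as its argument list.
function makeQueue() {
  const q = [];
  const ga = (...args) => { q.push(args); };
  return { ga, q };
}

// Returns a list of findings; an empty list means the queue passes all three checks.
function auditGaQueue(queue, { consentGiven = false } = {}) {
  const findings = [];
  let anonymizeIp = false;
  let cookieExpires = GA_DEFAULT_COOKIE_EXPIRES;
  let userIdSet = false;
  let hitBeforeAnonymize = false;

  for (const [name, ...rest] of queue) {
    if (name === 'create') {
      // ga('create', trackingId, cookieDomain, fieldsObject): fields sit in the object argument
      const fields = rest.find(a => typeof a === 'object' && a !== null) || {};
      if (typeof fields.cookieExpires === 'number') cookieExpires = fields.cookieExpires;
      if (fields.anonymizeIp === true) anonymizeIp = true;
      if (fields.userId) userIdSet = true;
    } else if (name === 'set') {
      // ga('set', 'field', value) or ga('set', { field: value })
      const fields = typeof rest[0] === 'object' ? rest[0] : { [rest[0]]: rest[1] };
      if (fields.anonymizeIp === true) anonymizeIp = true;
      if (fields.userId) userIdSet = true;
    } else if (name === 'send' && !anonymizeIp) {
      hitBeforeAnonymize = true;   // a hit left with the full IP attached
    }
  }
  if (!anonymizeIp || hitBeforeAnonymize) findings.push('anonymizeIp not set before first hit');
  if (cookieExpires > TWELVE_MONTHS_SECONDS) findings.push('cookieExpires exceeds 12 months');
  if (userIdSet && !consentGiven) findings.push('userId tracking without recorded consent');
  return findings;
}

// Weak setup: library defaults (two-year cookies, full IP) plus User ID tracking.
const weak = makeQueue();
weak.ga('create', 'UA-PLACEHOLDER-1', 'auto', { userId: 'u-123' });
weak.ga('send', 'pageview');

// Corrected setup following the checklist.
const fixed = makeQueue();
fixed.ga('create', 'UA-PLACEHOLDER-1', 'auto', { cookieExpires: TWELVE_MONTHS_SECONDS });
fixed.ga('set', 'anonymizeIp', true);
fixed.ga('send', 'pageview');
```

`auditGaQueue(weak.q)` reports all three findings, while `auditGaQueue(fixed.q)` reports none.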
Still Uncertain About What You Need to Do to Stay Compliant in the Ever-Changing Landscape of Data Collection? efelle’s Got Your Back
We’re nuts about all things digital, and this includes making sure the sites that we design and develop are compliant with international data collection standards. With the recent enactment of GDPR, now is a better time than ever to consider a redesign for your company website—this will not only score you a fresh, modern look, it’ll help ensure that your site is up to snuff on privacy standards. It’s not only great for your brand, it’s great for your bottom line. Call up the experts at efelle at 206.384.4909 or reach out to us online and let’s talk about how we can help make your online marketing efforts compliant with international law.