Posted by Amanda Eldreth on June 19, 2018

GDPR—What Is It and How Does It Affect Your Business?

A European Regulation with Global Implications

GDPR—or General Data Protection Regulation—refers to new rules set by the European Union around the data collection and analysis of its residents’ online activity. GDPR goes into effect this month and because of the global nature of the World Wide Web, all businesses with an online presence—regardless of their HQ’s location—need to be mindful of how they’re treating website visitor data.

For example, there’s nothing stopping a European user from reaching out to you via your contact form—if they provide information like name and/or email, thanks to Article 3 you’re subject to GDPR law.

Put briefly, if you’re involved in any way with your company’s online marketing projects, the sooner you learn about how these laws impact your business, the better.

GDPR and the Handling of Data

Under the terms of GDPR, organizations need to ensure personal data is gathered legally and under specific conditions and that data is not misused or exploited. Any business that fails to respect the rights of users to ownership over their data may be subject to penalization.

So, What Qualifies as Personal Data, Anyway?

Any information you receive from your website that could be used to identify someone—directly or indirectly—is considered “personal data.” Things like name, email, IP address, and more are all included in this list.

The GDPR also outlines specific restrictions around “sensitive personal data”—race, sexual orientation, religious beliefs, etc. This special class of data should be treated with even more caution.

What Rights Do EU Users Have to Their Data?

Site users—aka data subjects—have the right to the following with regard to their personal data (per ico.org.uk):

  • “The right to be informed.” All businesses that collect data need to be transparent about the information they are collecting. Your Privacy Policy would be a good place to house answers to questions like the following: What is the info being used for? Who will it be shared with? How long will data be stored?
  • “The right of access.” Users who request a copy of their data must be provided that information in “an electronic digital format free of charge” within one month of the verbal or written request.
  • “The right to rectification.” If a user feels their data is inaccurate, they have the right to have it corrected or completed.
  • “The right to erasure.” This is also known as “the right to be forgotten” and allows users to ask that their data be permanently erased. Exceptions may apply.
  • “The right to restrict processing.” Users may request the processing of their data be restricted or suppressed; while exceptions to this rule may apply, if processing is restricted, businesses may store the data, but not use it.
  • “The right to data portability.” Users have the right to obtain and reuse—for personal use—personal data given to your business.
  • “The right to object.” Users have the right to stop their information from being used for direct marketing purposes; your Terms of Service or Privacy Policy should have a clause communicating this right to them. You may have the right to object to the user’s request if you can show just cause for doing so.
  • “Rights in relation to automated decision making and profiling.” The GDPR has provisions on “automated individual decision-making”—aka, decision making that occurs without human involvement—and automated evaluation of user data.

For complete details and guidelines, check out ICO’s full guide.

How Are Businesses Being Held Accountable?

Breach Notification Rules

Businesses are required to notify users directly—not by social media or press release—of any potential compromise to data within 72 hours of a security breach if it is likely to “result in a risk for the rights and freedoms of individuals.”

Privacy as Part of the Design and Development Process

Businesses are required to integrate data protection into their processing activities and business practices, from early in the website design stage through the total life cycle of each online marketing project. All data must be transferred and/or stored in a secure environment and SSL certificates are almost always necessary in order for your website to be in compliance with this effort. (Fun fact: at efelle, we make SSL certificate installation a keystone part of the launch process for every website we develop).

Data Storage

Any data about EU citizens should be stored within the EU’s territorial borders unless the user has given “explicit permission/consent” for your business to store their info elsewhere. This consent may be added to your Terms of Service.

Penalties for Noncompliance

If your business fails to comply with GDPR, it could be subject to a fine; fines range from tens of millions of euros to four percent of your earnings. The total amount depends on the severity of the breach and the efforts you make toward compliance.

The Cookie Law (Not Quite as Delicious as It Sounds)

Cookies are managed by the ePrivacy Directive—aka the Cookie Law. While this directive stands apart from the GDPR, if your site uses cookies to track and store data, the laws may overlap and you may be subject to GDPR rules.

As a best practice, you should notify visitors that your site uses cookies and provide a direct link to your cookie policy; you may use your Privacy Policy to explain what these cookies are and how they're being used.

It’s also worthwhile to note that even without explicit consent, cookies can be stored on a user’s device only if their usage is necessary for how the site operates and only if they are not used to store personal data or information about the visitors’ activity. Any data storage of this kind does require explicit consent from the user, and regardless of what kinds of cookies your site uses, it’s still a good idea to provide users with a readily available link to your policy (many sites are opting to display a small banner at the top or bottom of their site with a link to their Cookie and/or Privacy Policy). You should also consider providing users with a checkbox that allows them to “opt in”—or consent—to data collection (just make sure they’re also able to revoke that consent at any time).

Feel free to ask us for more information about cookies and how your site may be using them.

How to Obtain Data and Stay GDPR Compliant

The list below outlines the criteria surrounding the consent process.

  • Users must opt in. Users must be given the right to consent to the tracking of personal data. You may add a checkbox to a user form to “Opt In” as long as the box is not preselected—the visitor must click it themselves to indicate consent.
  • Consent must be “unbundled.” All consent requests should remain separate and should not be required in order for users to sign up for a service. As an example, if a user signs up for an account on your site, this does not mean they also consent to receiving promotional materials via your newsletter.
  • Consent must specifically name your organization—as well as any third parties that require the consent. An example of a compliant statement may be: "I consent for [YOUR ORGANIZATION/THIRD PARTIES] to use my data for the purposes of [WAYS YOU WILL USE DATA]."
  • What users are consenting to must be explained in detail, a record of the consent must be saved, and options to revoke must be easily available.

How Do I Make Forms and Account Registrations Compliant?

Forms that collect anonymous data—quizzes, surveys, etc.—likely don’t require extra GDPR-compliance efforts. However, as soon as you ask for a name or email address, you’re subject to GDPR rules.

For starters, you’ll need to have users consent to this data collection. The methods noted above for consent apply here, too—feature a required opt-in checkbox (make sure it’s not preselected) at the bottom of your form for users to click before they’re able to submit their information. Also, provide a handy link to your Privacy Policy so they know the ins and outs of what they’re agreeing to.

Note: Additional offers or newsletter sign-ups require additional consent boxes; you may also require different consent options if you’re collecting phone numbers and other contact data. Be clear to users about how you intend to use this personal information.

What About Newsletters and Marketing Campaigns?

Do not send out marketing materials to users who have not consented to receive items from that specific promotional realm. If a user fills in a form on your site and provides their phone number then checks off the “Yes to Email Newsletter” box, you may not send them promotional materials via text message (unless they also give you explicit consent to do so elsewhere).

In addition, be sure to make it easy for users to unsubscribe and provide clear instructions for how to do so.

As previously discussed, opt-in checkboxes can be placed in forms, allowing for visitors to indicate consent for signing up. The checkbox must be specific to the newsletter or marketing campaign, and cannot be looped in as part of a “package deal” with account registration.
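The consent criteria, form handling and newsletter rules above, as an added server-side example (not efelle’s code): each purpose has its own unticked-by-default checkbox, a record of what was agreed to is kept, and a newsletter opt-in never authorizes text messages. The organization name, purposes, field names and policy version are constructed placeholders.

```javascript
// Added example (not efelle's code): server-side handling of consent
// checkboxes from a sign-up form, following the criteria above.
// Organization name, purposes, field names and policy version are placeholders.

const ORG = "[YOUR ORGANIZATION]"; // placeholder, as in the statement above
const POLICY_VERSION = "privacy-policy-v1"; // placeholder: which text was shown

// Each purpose is a separate ("unbundled") consent with its own checkbox.
// Only the account itself is required; marketing consents never are.
const PURPOSES = {
  account:    { field: "consent_account",    required: true,  channels: [],
                text: `I consent for ${ORG} to use my name and email to run my account.` },
  newsletter: { field: "consent_newsletter", required: false, channels: ["email"],
                text: `I consent for ${ORG} to send me its newsletter by email.` },
  offers:     { field: "consent_sms_offers", required: false, channels: ["sms"],
                text: `I consent for ${ORG} to send me offers by text message.` },
};

// A box counts as ticked only when the browser actually sent the checkbox
// value; an absent or empty field is "no". Never default a missing value to true.
function isChecked(value) {
  return value === "on" || value === "true" || value === true;
}

// Validate a POSTed form body; on success return the consent record to store.
function processSignup(body, now = new Date()) {
  const errors = [];
  const grants = {};
  for (const [purpose, def] of Object.entries(PURPOSES)) {
    const given = isChecked(body[def.field]);
    if (def.required && !given) errors.push(`Missing required consent: ${purpose}`);
    // Record exactly what was agreed to and when, so it can be shown later.
    if (given) grants[purpose] = { text: def.text, givenAt: now.toISOString(), revokedAt: null };
  }
  if (errors.length) return { ok: false, errors, record: null };
  return { ok: true, errors, record: { email: body.email, policyVersion: POLICY_VERSION, grants } };
}
// May this channel (email or sms) be used for marketing under the record?
// A newsletter opt-in alone never authorizes text messages.
function mayContact(record, channel) {
  return Object.entries(PURPOSES).some(([purpose, def]) =>
    def.channels.includes(channel) && record.grants[purpose] && !record.grants[purpose].revokedAt);
}

// Revocation keeps the history but stops any further use of that consent.
function revoke(record, purpose, now = new Date()) {
  if (record.grants[purpose]) record.grants[purpose].revokedAt = now.toISOString();
  return record;
}
```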

Can I Still Use Google Analytics?

Some good news: when using a basic configuration of Google Analytics, you will most likely be GDPR-compliant, as a basic GA setup does not collect personal identifying information.

If, however, you have configured the following features, you may be subject to GDPR law:

  • User ID tracking
  • The processing of demographic reports
  • Remarketing functions

These features collect personal data; if you do use these features, and especially if you share any of the obtained information with a third-party organization, make sure you request consent from users, outlining the specific parameters of the information you’re requesting and what you’re using it for.

The following is a list of best practices for getting your Google Analytics data collection to comply with GDPR standards:

  • Enable IP anonymization. This removes the final two numbers of the IP from your view. In addition, do not conduct “user ID matching” outside of your own website.
  • Set cookie expiration dates. Make sure your Google Analytics cookies are configured to expire after 12 months.
  • Do not use cookies to share user information with external systems. This includes customer relationship managers and all advertising platforms.
  • Provide visitors with information about what information you’re tracking and how. Offer them the ability to consent to that collection (see above).
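The best practices above, as an added example (not efelle’s or Google’s code): a consent gate that builds the analytics.js command queue only after the visitor has opted in, with the 12-month cookie lifetime and IP anonymization applied. The cookie name `cookie_consent` and the tracking ID are placeholders.

```javascript
// Added example (not efelle's or Google's code): issue analytics.js commands
// only after the visitor has opted in, applying the settings listed above.
// The cookie name "cookie_consent" and the tracking ID are placeholders.

const TRACKING_ID = "UA-XXXXXX-Y";               // placeholder, not a real property
const TWELVE_MONTHS_SECONDS = 365 * 24 * 60 * 60; // 31536000, vs. the 2-year default

// Parse a Cookie header / document.cookie string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The consent cookie itself stores only the visitor's choice (no personal
// data), so it is a strictly necessary cookie and may be set before consent.
function hasAnalyticsConsent(cookieString) {
  const choice = parseCookies(cookieString)["cookie_consent"];
  return typeof choice === "string" && choice.split(",").includes("analytics");
}

// Return the ga() calls to issue, or an empty list so that no GA cookie is
// ever written for a visitor who has not opted in.
function gaCommands(cookieString) {
  if (!hasAnalyticsConsent(cookieString)) return [];
  return [
    // GA cookies expire after 12 months instead of the default 2 years
    ["create", TRACKING_ID, "auto", { cookieExpires: TWELVE_MONTHS_SECONDS }],
    // Google truncates the visitor's IP address before storing it
    ["set", "anonymizeIp", true],
    ["send", "pageview"],
  ];
}

// In the page, replay the queue only when it is non-empty:
// for (const cmd of gaCommands(document.cookie)) window.ga(...cmd);
```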

Still Uncertain About What You Need to Do to Stay Compliant in the Ever-Changing Landscape of Data Collection? efelle’s Got Your Back

We’re nuts about all things digital, and this includes making sure the sites that we design and develop are compliant with international data collection standards. With the recent enactment of GDPR, now is a better time than ever to consider a redesign for your company website—this will not only score you a fresh, modern look, it’ll help ensure that your site is up to snuff on privacy standards. It’s not only great for your brand, it’s great for your bottom line. Call up the experts at efelle at 206.384.4909 or reach out to us online and let’s talk about how we can help make your online marketing efforts compliant with international law.