On May 25th, 2018, when the European Union’s General Data Protection Regulation (GDPR) comes into effect, the world will take a giant step towards enforcing more stringent, water-tight privacy and data protection laws. A flagship piece of legislation, it will pave the way for better data protection practices by putting them at the forefront of business agendas worldwide and establishing one single set of data protection rules across the European Union.
While the law will impact EU-based businesses, no organisation that operates globally or collects data from an EU citizen will stay unaffected either. Compliance is mandatory, and the penalties are severe. Therefore, it is essential that businesses are GDPR compliant.
With regard to websites, in short, GDPR states that if the website collects, stores or uses any data related to an EU citizen, you must comply with the following:
- Tell the user who you are, why you collect the data, for how long, and who receives it.
- Get clear consent before collecting any data.
- Let users access their data and take it with them.
- Let users delete their data.
- Let users know if data breaches occur.
This infographic from the European Commission explains the key elements:
No doubt you are already taking the appropriate steps to get GDPR-ready in your business and have completed your own data audit. That audit will likely show that your website needs some or all of the following changes, depending on its functionality:
- Contact forms that obtain explicit consent when capturing personal data
- Privacy notifications that state your legal basis for capturing and using this data
- A cookie consent notification
- Email marketing service and sign-up forms (if applicable)
Although the overall responsibility for making your website compliant will be yours, we are able to provide our customers with simple technical solutions that we can implement for you before the deadline.
If you use our email marketing service, then the following will apply:
Since we are a permission-based email marketing company, under our terms of service you agree that you have obtained consent to email your contacts where required to do so by law; however, the GDPR requires you to hold documented evidence of such consent.
We can provide an email template to send to all of your email contacts. It’s a fast, easy way for you to gain documented consent from your existing contacts who have opted in to receiving emails from you.
In preparation for new EU data protection laws, we will soon be using the same method to gain our customers' documented consent for us to continue sending emails. We are also updating our own website privacy notification, contact forms and cookie consent.
If you provide us with new contacts to upload into your email marketing account, we will need to state if each contact has provided express or implied permission and the contacts will be uploaded with that permission status. Please note that under GDPR, we can only upload lists of contacts who have provided consent.
If you use manual methods to get new contacts, it’s up to you to ensure compliance with the GDPR by obtaining and documenting consent to send them emails. You should maintain your own offline documentation of these contacts’ consent.
If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details on to the payment gateway.
If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary.
Remember that making your website compliant is just one part of your overall GDPR compliance, which will also cover the storing and processing of personally identifiable data on your systems, access requests, the right to erasure, and data breaches, to name but a few. This short guide is by no means the full answer for your own business; however, it attempts to address some of the key areas that your own audit may have identified.
Please contact us directly using our contact form or on 01526 345599 to discuss your website compliance.
If you need help making your overall business compliant, we do not provide this type of service; however, we have found the link below to be a quick and useful training course for small businesses.
Disclaimer: Please note that we have provided some basic information regarding the GDPR. Neither Ginger Cow Marketing nor Pier One Solutions is a legal authority on the GDPR, and we can only offer advice on the best practices to follow while carrying out digital marketing initiatives. For advice regarding the legal interpretation of this law for your business, please approach a legal or data protection official.