Before starting our discussion on whether your website is GDPR compliant or not, you should understand what GDPR actually is and how it is going to affect you. GDPR stands for General Data Protection Regulation and it aims to change the ways in which data is extracted and used for everyone in Europe.
When this regulation comes into effect, individuals will have a higher degree of control over data that will be taken from them. GDPR will be officially applied on 25th May 2018 and there is no grace period once this date passes by. Nevertheless, you should be compliant before this date no matter what.
Even though this regulation will affect literally everyone, marketing and business organizations that collect customer data will be affected more. They need to make sure that they are not breaking any of the clauses present in the regulation. GDPR is aiming to be the global standard in data protection as it is applicable to people in Europe as well as businesses and organizations outside Europe that provide services or offer goods to people in Europe.
Website owners have to be really careful now since most of the forms that capture data on websites fall within the scope of GDPR. It is interesting to note that nearly 35% of the web pages that are owned by FT30 firms collect personally identifiable information (PII) through insecure means. The startling fact is that 29% of these web pages don’t even use encryption and 1.5% of these pages have security certificates that have gone past their expiry date.
Things that you should know as a website owner
The complete GDPR document is massive, but we have a summary of the most important points that you need to watch out for, to be on the safer side. Let’s dive in.
Understand what personal data means
As part of GDPR, a whole range of data can now be categorized as personal data. Below is the exact sentence quoted from the regulation:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The most important change is the fact that IP addresses and location data are also considered personal data. IP addresses count as personal data in the hands of a website operator if:
- There is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
- The website operator has a “legal means” of obtaining access to the information held by the ISP in order to identify the individual.
What, why and how long?
If your website collects data from customers, they have the right to ask you three questions and you’ll need to answer them. They have the right to know what kind of data is being collected, why the data is being collected and for how long it is going to be stored with you. Above all that, you’ll need to state whom the customer should get in contact with regarding the data collection and use.
Everything requires flow of information
Until now, if a person had some sort of an inquiry that was made through your site, you could easily add them to your email marketing list. It was possible to send them details about promotions, deals or newsletters. But with GDPR, you need to clearly state in advance the purpose for which you will use someone’s personal data. The person from whom you are collecting data can still object to its use at ANY time. If the person is a minor, their guardian or parent can do the same. A website can only use the data specifically for what it has informed the user about beforehand.
As a website owner, you will need to have certain precautionary measures in place in the case of a data breach. Moreover, the data breach must be reported within 72 hours depending on the severity of the breach itself, especially if it poses a threat to the rights and freedoms of natural persons.
Processing of personal data that can lead to physical, material or non-material damage can be perceived as a risk to the rights and freedoms of natural persons. In particular:
- where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage;
- where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data;
- where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures;
- where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed;
- where processing involves a large amount of personal data and affects a large number of data subjects.
Data Protection Officer (DPO)
DPO stands for Data Protection Officer and they are the ones who will be monitoring your organization to see whether you’re complying with GDPR. Organizations that process a significant amount of data, public authorities and bodies need to appoint a DPO, but it would be a great idea to appoint one nevertheless, just to be on the safer side.
They say, you do!
The whole point of GDPR is to give people more control over their personal data. This means that they can ask you to get rid of all their data from your systems, and you have to comply. Erasing the data means deleting absolutely everything that can be traced back to the person.
What if you don’t comply with the GDPR?
Since the GDPR is aiming to be the global standard in data protection, they do have some strict laws in place for those who do not comply with it. For instance, if you’re not GDPR compliant, you can attract a penalty of up to 20 million euros or 4% of your annual turnover worldwide, whichever is higher.
7 important steps that you need to take to make your website GDPR compliant
GDPR will definitely create a huge dent when it comes to things like social media marketing and email marketing. The main idea of GDPR is about having to give consent for very specific purposes and the need to be informed. Here are some of the major changes that you’ll need to make in order to be GDPR compliant.
1. Conduct a data audit
This is the most important part of the entire process. If your website has been functioning for quite some time, it is pretty obvious that you have loads of data. Moreover, the amount of data that consists of personal information and other information that comes within the scope of GDPR may not be prominent at first. So, to get an idea of the steps that you need to take, a data audit is of utmost importance.
The next step is equally important: GDPR is slowly gaining traction but a lot of employees working in various organizations don’t really know about it. This needs to be taken care of by giving them proper GDPR training sessions.
2. Retain active opt-in forms
Most of the forms and newsletters on websites are active opt-out forms. Imagine you’re creating an account with a website and they have a newsletter to which you’re already subscribed as part of the account registration. This will need to be modified and users should have the option of opting in to the newsletter along with the registration. Also, the tick box for the newsletter should not be ticked by default.
3. Erasing personal information with regard to online payment
If you’re running an e-commerce website, it is inevitable that you collect personal information from the user that will be passed on to a payment gateway during a purchase. Under the GDPR rules, the personal information that you hold should be erased within a reasonable period of time after the purchase has been made, though the regulation doesn’t specify a number of days.
4. Modify your Privacy Notice & Terms and Conditions
The Privacy Notice along with the Terms and Conditions need to be updated to reflect the new GDPR terminology. The privacy notice should be transparent, and should explicitly mention what kind of data will be collected, why it is collected and for how long it will be retained. Privacy notices will explain what grounds for processing are used and how long the data will be stored for (among other issues), and if the ground for processing is consent, it should be asked for before or at the collection of data.
You also need to make sure that all parties to whom the user is giving consent are explicitly named. Rather than opting for generic terms or categories, everything should be replaced by names.
5. Make it easier to opt-out
The user must have an easy time in granting consent as well as in withdrawing it. Take the example of subscribing to a newsletter: if the user no longer wishes to receive it, they should be given the option to reduce the frequency of the newsletter or stop it entirely. Even though this is available even now, the whole process is not as easy as it should be and it doesn’t bring about the desired effect.
6. Segregate different sections with crystal clear instructions
Everything that you need consent for must be laid out separately and each item should be detailed, taking into account the points mentioned above. You need to have separate fields for terms and conditions as well as contact permissions, and separate tick boxes for each of these to get consent from the user.
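Steps 2, 5 and 6 above, together with the erasure right described under “They say, you do!”, come down to one piece of server-side bookkeeping: a per-purpose consent ledger. The following is an added example and not code from the original post; the purposes (“newsletter”, “contact_by_phone”), the form field names and the ISO timestamps are assumptions made for illustration.

```python
# Added example, not the post's own code; purposes and field names are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Each thing the site needs consent for gets its own tick box and its own record.
CONSENT_PURPOSES = {"newsletter", "contact_by_phone"}

@dataclass
class ConsentRecord:
    purpose: str
    granted_at: str               # when the box was ticked (UTC, ISO 8601)
    notice_version: str           # which privacy notice the user was shown
    withdrawn_at: Optional[str] = None

class ConsentRegistry:
    def __init__(self):
        self._records = {}        # user_id -> list[ConsentRecord]

    def record_form(self, user_id, form, notice_version):
        """A browser sends a checkbox field only when it is ticked, so a missing
        field means no consent: opt-in, never opt-out. Accepting the terms is a
        separate mandatory field and does not imply any marketing consent."""
        unknown = set(form) - CONSENT_PURPOSES - {"terms"}
        if unknown:
            raise ValueError(f"unexpected form fields: {sorted(unknown)}")
        if form.get("terms") != "on":
            raise ValueError("terms and conditions must be explicitly accepted")
        now = datetime.now(timezone.utc).isoformat()
        records = self._records.setdefault(user_id, [])
        for purpose in sorted(CONSENT_PURPOSES):
            if form.get(purpose) == "on":
                records.append(ConsentRecord(purpose, now, notice_version))
        return self.active_purposes(user_id)

    def active_purposes(self, user_id):
        """The only gate a mailing job should consult before sending anything."""
        return {r.purpose for r in self._records.get(user_id, []) if r.withdrawn_at is None}

    def withdraw(self, user_id, purpose):
        """One call, at any time; returns False if no such consent was active."""
        hits = [r for r in self._records.get(user_id, [])
                if r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = datetime.now(timezone.utc).isoformat()
        return bool(hits)

    def erase(self, user_id):
        """Right to erasure: drop every record that can be traced back to the person."""
        return self._records.pop(user_id, None) is not None
```

The server cannot tell a pre-ticked box from one the user ticked, so the HTML template must omit the `checked` attribute; the ledger only guarantees that nothing is assumed when a box is left empty and that withdrawal and erasure take effect immediately.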
7. Keep an eye on third-party data processors
This is one area of the GDPR that is slightly confusing. Most websites use third-party tracking software as well as email marketing services. Some examples include tracking software such as Google Analytics and email marketing services such as MailChimp. All of these services are working hard to be GDPR compliant by the time it comes into effect, so it might not pose a problem as of now. You can read thoroughly about the measures taken by both Google and MailChimp.
You’re not the only one out there
Complying with GDPR might seem like an overwhelming task at the moment. But just remember, you’re not alone. There are hundreds of thousands of organizations that are battling against time to be compliant. According to ComputerWeekly.com, only 15.7% of over 200 companies present in the UK and US are expected to be compliant by May 2018. It is interesting to note that 24% of these organizations reported that they will miss the deadline and a whopping 30.6% of these companies have reported that they don’t even have a strict timeline for being compliant.
GDPR is happening and it is coming in fast, so keep track of everything given above and read the GDPR document here, to make sure that you too are a part of the GDPR bandwagon. And don’t forget to leave us a comment about the action you took on your website!