So... what is GDPR?
The GDPR (General Data Protection Regulation) is a hot topic at the moment.
In short, the GDPR is a new data privacy regulation that aims to give individuals in the EU (European Union) protection and control over their personal data. It is designed to give greater protection to an individual’s personal information and how it’s collected, stored, and used. There are strict requirements placed on companies that possess the personal data of people located in the EU.
With these new regulations coming into play on May 25, 2018 it is important for businesses to know how it could impact your data collection, and what you may need to do to make sure your business is compliant.
How does it affect your business?
Potential Fines
After May 25, 2018, organisations that aren’t in compliance with GDPR’s requirements i.e. significantly breaching people's online privacy, will face serious ramifications that could include large fines (up to 4% of a company’s annual global turnover or €20 million), which vary based on the severity of the infraction.
It could also make companies liable if their security systems are weak and customers' data is hacked.
How can you avoid these big fines for non-compliance?
If you’re collecting personal data from an EU resident, such as IP address, cookies, location data, name, and email address, you must obtain explicit consent.
Obtain Explicit Consent
The consent should be:
- Voluntary. Have the user take affirmative action.
- Specific and informed. Make sure people are aware of what you’re collecting, how it’s being used, and whom it may be shared with.
- Unambiguous. Don’t disguise with redirects to terms of service overflowing with legal jargon.
How is it relevant to Australia?
Given the GDPR is a European Law, it would seem to have little relevance for Australia. Any company with customers in the EU will be affected.
Strict Privacy by Default
Strict privacy settings should be the default setting. A user shouldn’t have to go into their settings to make manual changes to opt into stricter settings.
Rights to Data
Under GDPR, individuals have greater control over how their personal information is collected, stored, and used. Individuals have a right to access their data, which means the right to know where, why, and how their data is processed. This includes the right to request a report to access their data. Additionally, individuals have a right to be forgotten, which means their data can be deleted.
Breach Notification
Organizations have a duty to report certain types of data breaches to the relevant supervisory authority within 72 hours, unless the breach is harmless and poses no risk to the individual. If a breach is concluded to be high risk, the company must also inform the individuals impacted.
How does your business take action?
Make sure your Privacy Policy is up to date
Ensure your privacy policy is updated to address GDPR. Discuss what information you collect, how it’s used, and any third-party service providers you share the information with. Include the process to follow to invoke the right to access personal data or the right to be forgotten.
Remember, while your privacy policy will reference the requirements of GDPR, having it installed doesn’t mitigate your need to obtain informed consent.
Google Analytics
If you use Google Analytics you may be collecting user ID/hashed personal data, IP addresses, cookies, or behaviour profiling. To be GDPR-compliant while using Google Analytics, either 1) anonymise the data before storage and processing begin, or 2) add an overlay to the site that gives notice of the use of cookies and asks for the user’s permission prior to entering the site.
Retargeting Ads and Tracking Pixels
If your website uses retargeted ads, pixels or cookies to capture personal information to remarket to your audience, you must inform website visitors of this immediately when they enter your site and obtain informed consent.
Email Opt-In
On the subscription form, have a checkbox for the visitor to consent to everything they’re about to subscribe to. If your newsletter uses tracking pixels to see when they open it, put a visible disclaimer before they subscribe. Verify if your email service provider offers GDPR tools.
Affiliate Links
If you use affiliate links, you need to get consent for cookie usage. Consent must come before the visitor clicks the affiliate link because a cookie will be placed on their browser to track sales activity.
Display Ads
If you have ads on your website from a third-party ad server, upon entering your site, users should immediately consent to your use of a third-party server that collects user data for advertising and marketing purposes. If your ad server uses cookies to gather data on the visitor for targeting purposes, inform visitors upon entering your site and get consent for using cookies for this purpose.
Contact Forms
Before users submit their information in a contact form, get their explicit consent with a checkbox.
Comments
Before users can leave a comment, get consent by using a checkbox and disclose that your site will store their comments and, as needed, information relating to the comment such as the date and computer’s IP address. Let them know how the information is used. Also, include a reminder that some information may be displayed publicly, such as name or URL, if they’re submitted with the comment.
Product Sales
If you’re selling services or products to EU residents, only collect necessary information from your customers upon checkout and obtain explicit consent prior to submitting the purchase to let them know how you’ll use that information.
Concerned about GDPR compliance?
If you’re interested in getting our assistance on this matter, please call your Account Manager or Director and we can discuss the potential impacts on your business and craft a solution for you.