So... what is GDPR?
The GDPR (General Data Protection Regulation) is a hot topic at the moment.
In short, the GDPR is a new data privacy regulation that aims to give individuals in the EU (European Union) protection and control over their personal data. It is designed to give greater protection to an individual’s personal information and how it’s collected, stored, and used. There are strict requirements placed on companies that possess the personal data of people located in the EU.
With these new regulations coming into play on May 25, 2018, it is important for businesses to know how the GDPR could affect their data collection, and what they may need to do to make sure they are compliant.
How does it affect your business?
After May 25, 2018, organisations that aren't in compliance with the GDPR's requirements (i.e. those that significantly breach people's online privacy) will face serious ramifications that could include large fines (up to 4% of a company's annual global turnover or €20 million), which vary based on the severity of the infraction.
It could also make companies liable if their security systems are weak and customers' data is breached.
How can you avoid these big fines for non-compliance?
If you’re collecting personal data from an EU resident, such as IP address, cookies, location data, name, and email address, you must obtain explicit consent.
Obtain Explicit Consent
The consent should be:
- Voluntary. Have the user take affirmative action.
- Specific and informed. Make sure people are aware of what you’re collecting, how it’s being used, and whom it may be shared with.
- Unambiguous. Don’t disguise with redirects to terms of service overflowing with legal jargon.
How is it relevant to Australia?
Given that the GDPR is a European law, it would seem to have little relevance for Australia; however, any company with customers in the EU will be affected.
Strict Privacy by Default
Strict privacy settings should be the default setting. A user shouldn’t have to go into their settings to make manual changes to opt into stricter settings.
Rights to Data
Under GDPR, individuals have greater control over how their personal information is collected, stored, and used. Individuals have a right to access their data, which means the right to know where, why, and how their data is processed. This includes the right to request a report to access their data. Additionally, individuals have a right to be forgotten, which means their data can be deleted.
Organisations have a duty to report certain types of data breaches to the relevant supervisory authority within 72 hours, unless the breach is harmless and poses no risk to the individual. If a breach is concluded to be high risk, the company must also inform the individuals impacted.
How does your business take action?
Retargeting Ads and Tracking Pixels
If your website uses retargeted ads, pixels or cookies to capture personal information to remarket to your audience, you must inform website visitors of this immediately when they enter your site and obtain informed consent.
On the subscription form, have a checkbox for the visitor to consent to everything they're about to subscribe to. If your newsletter uses tracking pixels to see when they open it, put a visible disclaimer before they subscribe. Check whether your email service provider offers GDPR tools.
If you use affiliate links, you need to get consent for cookie usage. Consent must come before the visitor clicks the affiliate link because a cookie will be placed on their browser to track sales activity.
Before users submit their information in a contact form, get their explicit consent with a checkbox.
Before users can leave a comment, get consent by using a checkbox and disclose that your site will store their comments and, as needed, information relating to the comment such as the date and computer’s IP address. Let them know how the information is used. Also, include a reminder that some information may be displayed publicly, such as name or URL, if they’re submitted with the comment.
If you're selling services or products to EU residents, only collect the information you actually need from your customers at checkout, and before the purchase is submitted obtain their explicit consent and tell them how you'll use that information.
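The points above all reduce to the same mechanism on the website itself: no tracking cookie, pixel or affiliate cookie is set until the visitor has taken an affirmative action, and the visitor can see and withdraw what they agreed to. The following is an added illustration written for this page, not code from the original article or from any vendor's GDPR tooling. It keeps consent in a plain in-memory object so it runs outside a browser; the purpose names, the `"ticked_by_user"` action label and the storage are assumptions, and a real site would persist the record (for example in a first-party cookie) and wire the gate into its real pixel and affiliate-link code.

```javascript
// Added example: a purpose-specific consent gate for a web page.
// Tracking code (retargeting pixels, affiliate cookies, newsletter
// open-tracking) runs only after the visitor has explicitly opted in.
// Storage is an in-memory object so the example runs without a browser;
// persisting it is left to the site (assumption, not part of the article).

const PURPOSES = Object.freeze(["retargeting", "affiliate", "newsletter_tracking"]);

// Privacy by default: every purpose starts out NOT granted.
function createConsentStore() {
  const store = {};
  for (const purpose of PURPOSES) store[purpose] = { granted: false, at: null };
  return store;
}

// Record an opt-in. Only an affirmative act by the visitor counts; a
// pre-ticked box, a dismissed banner or silence is rejected (returns false).
// "ticked_by_user" is a constructed label for "the visitor ticked the box".
function recordConsent(store, purpose, action) {
  if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
  if (action !== "ticked_by_user") return false;
  store[purpose] = { granted: true, at: new Date().toISOString() };
  return true;
}

// Withdrawal must be as easy as giving consent.
function withdrawConsent(store, purpose) {
  if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
  store[purpose] = { granted: false, at: null };
}

function hasConsent(store, purpose) {
  return Boolean(store[purpose] && store[purpose].granted);
}

// The gate: `loader` is whatever would set the cookie or inject the pixel.
// It is called only with consent. Returns true if loaded, false if blocked.
function loadTrackerIfConsented(store, purpose, loader) {
  if (!hasConsent(store, purpose)) return false;
  loader();
  return true;
}

// Affiliate links: the cookie is placed before the visitor leaves, so the
// click handler must consult the gate rather than the link itself.
// Returns the URL to navigate to; the tracking cookie is set only with consent.
function handleAffiliateClick(store, url, setAffiliateCookie) {
  loadTrackerIfConsented(store, "affiliate", setAffiliateCookie);
  return url;
}

// Right of access: a report of what the visitor agreed to and when.
function consentReport(store) {
  return PURPOSES.map((p) => ({ purpose: p, granted: store[p].granted, at: store[p].at }));
}

// Walk-through with a constructed visitor session; returns the observations.
function demo() {
  const store = createConsentStore();
  const loaded = [];               // stands in for cookies/pixels actually set
  const pixel = () => loaded.push("retargeting-pixel");
  const affiliateCookie = () => loaded.push("affiliate-cookie");

  const blockedByDefault = !loadTrackerIfConsented(store, "retargeting", pixel);
  const precheckedAccepted = recordConsent(store, "retargeting", "prechecked");
  recordConsent(store, "retargeting", "ticked_by_user");
  const loadedAfterConsent = loadTrackerIfConsented(store, "retargeting", pixel);
  withdrawConsent(store, "retargeting");
  const loadedAfterWithdrawal = loadTrackerIfConsented(store, "retargeting", pixel);

  // Affiliate click without consent: navigation happens, no cookie is set.
  const target = handleAffiliateClick(store, "https://example.invalid/partner", affiliateCookie);

  return {
    blockedByDefault,
    precheckedAccepted,
    loadedAfterConsent,
    loadedAfterWithdrawal,
    target,
    loadedCount: loaded.length,
    report: consentReport(store),
  };
}
```

Running `demo()` shows the three properties the article asks for: the pixel is blocked until the visitor ticks the box, a pre-ticked box does not count, and withdrawing consent blocks it again, while the affiliate link still works without setting its cookie.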
Concerned about GDPR compliance?
If you’re interested in getting our assistance on this matter, please call your Account Manager or Director and we can discuss the potential impacts on your business and craft a solution for you.