2, May 2018
Is your site ready for GDPR?
If you have missed GDPR, you must have been living under a rock for the last few years 🙂
But let’s recap; GDPR (General Data Protection Regulation) is the most significant change in data protect for decades. The regulation requires businesses to protect the personal data and privacy of EU citizens. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. The GDPR penalties can reach a maximum of EUR 20 million or 4 percent of the annual revenue (whichever is greatest) of the organization, depending on the facts and circumstances of the case. Any company that does business in Europe needs to comply with GDPR.
The result of all this has been that companies have made sometimes herculean efforts in making sure their organisations are GDPR compliant before the regulation is enforced on the 25th of May 2018.
The effects of GDPR on your website
In order to describe the effect of GDPR on a website, one must first address the question; “What is personal data?”
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Examples of personal data include name, surname, an email address such as firstname.lastname@example.org, a home address, ID card number, cookie ID, Internet Protocol (IP).
If your company/organisation interacts or does business with EU citizens, for instance you sell products/services or monitor individual behaviour online (which most companies do), then your website is applicable to GDPR.
If you use third party tools from e.g. Google or Facebook, which collect personal data, then you need to collect a valid consent before a cookie or tracking technology is placed on the visitor’s computer.
If you have contact forms or newsletters collecting data from EU citizens, than you are also applicable to GDPR and need to ensure you do lawful processing of their personal data.
Many websites use tracking technologies, including cookies, pixels and tags, to advertise, collect statistics and perform marketing campaigns. Under the GDPR, you are responsible for providing notice and obtaining consent for each one of these technologies.
“By using this site, you accept cookies” will not be enough under GDPR
As you can see, a key part of GDPR is “consent” in general, and “valid consent” in particular.
In order to obtain valid consent, there are a number of specific requirements that have to be met. The consent must be “informed, unambiguous, explicit, freely given, specific and have the right to withdraw and written in a plain language that it is clearly visible”.
As a result, the standard text phrase “by using this site, you accept cookies” used by most websites will not be enough under GDPR, as it only suggests implied consent, is ambiguous and generic. You will now need subdivided levels of control, with separate consents for tracking and analytics cookies, as well as mechanisms to also signal customer consent. In essence, your visitors need to make an affirmative action.
Questions you should ask yourself:
Are you aware what trackers you have on your website?
What trackers you have on your website?
Are you gathering consent the right way?
Are your privacy banners affirmative?
Have you made it easy to withdraw consent?
Do you have the names for third party plugins that process data?
Can visitors contact you for their personal data?
Do you have evidence of valid consent?
Have you updated your data and privacy policies?
Have you cleaned up your mailing lists?
Are you collecting too much information?