Background – GDPR
GDPR (General Data Protection Regulation) is the most significant change in data protection for decades. The regulation requires businesses to protect the personal data and privacy of individuals in the EU. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data.
GDPR penalties can reach a maximum of EUR 20 million or 4 percent of the organization's total worldwide annual turnover (whichever is higher), depending on the facts and circumstances of the case. Any company that does business in Europe needs to comply with GDPR.
The effects of GDPR on your website
In order to describe the effects of GDPR on a website, one must first address the question: "What is personal data?"
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. Examples of personal data include a name and surname, an email address such as email@example.com, a home address, an ID card number, a cookie ID and an IP address.
If your company/organisation interacts or does business with people in the EU, for instance by selling products/services to them or monitoring their behaviour online (which most companies do), then GDPR applies to your website.
If you use third-party tools, e.g. from Google or Facebook, which collect personal data, then you need to obtain valid consent before a cookie or other tracking technology is placed on the visitor's device.
If you have contact forms or newsletters collecting data from people in the EU, then GDPR also applies to you and you need to ensure you process their personal data lawfully.
Many websites use tracking technologies, including cookies, pixels and tags, to advertise, collect statistics and run marketing campaigns. Under GDPR, you are responsible for providing notice and obtaining consent for each of these technologies and the purposes it serves.
“By using this site, you accept cookies” will not be enough under GDPR
In order to obtain valid consent, a number of specific requirements have to be met. The consent must be informed, unambiguous, explicit, freely given and specific; it must be as easy to withdraw as it was to give; and the request must be written in plain language and be clearly visible.
As a result, the standard phrase "by using this site, you accept cookies" used by most websites will not be enough under GDPR, as it only suggests implied consent and is ambiguous and generic. You will now need subdivided levels of control, with separate consents for tracking and analytics cookies, as well as a mechanism to record and signal the visitor's consent. In essence, your visitors need to take an affirmative action, and nothing beyond strictly necessary cookies may be set until they do.
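What "nothing is placed before consent" looks like in practice is a purpose-based gate in front of every third-party tag. The following JavaScript is an added illustration, not Secure Privacy's code and not code from the original page: the cookie name `cookie_consent`, the purposes `analytics`/`marketing`, the tag registry with its example URLs, and the `makeFakeDocument` stand-in for the browser DOM are all assumptions made for the example. In a real page `doc` would be the browser's `document` and the checkbox states would come from the consent banner, unticked by default.

```javascript
// Added example: purpose-based consent gating for third-party tags.
// Not Secure Privacy's code. Cookie name, purposes and tag URLs are assumptions.

const CONSENT_COOKIE = "cookie_consent";   // assumed first-party cookie name
const CONSENT_VERSION = 1;                 // bump when purposes or wording change

// Before any affirmative action nothing beyond strictly necessary is allowed.
function defaultConsent() {
  return { version: CONSENT_VERSION, analytics: false, marketing: false };
}

// Read the consent record from a document.cookie-style string.
// A missing, malformed or outdated record yields the default: silence is not consent.
function parseConsentCookie(cookieString) {
  for (const pair of (cookieString || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0 || pair.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(pair.slice(idx + 1).trim()));
      if (rec && rec.version === CONSENT_VERSION) {
        return { version: CONSENT_VERSION, analytics: rec.analytics === true, marketing: rec.marketing === true };
      }
    } catch (e) { /* malformed value: treat as no consent */ }
  }
  return defaultConsent();
}

// Serialize the visitor's choice for document.cookie. Only the site's own cookie is set here.
function serializeConsentCookie(consent, maxAgeSeconds) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(consent))}` +
    `; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Registry of third-party tags and the purpose each serves (constructed example entries).
const TAGS = [
  { id: "tag-analytics", purpose: "analytics", src: "https://analytics.example/tag.js" },
  { id: "tag-ads-pixel", purpose: "marketing", src: "https://ads.example/pixel.js" },
];

// Strictly necessary tags always load; every other purpose needs an explicit true.
function allowedTags(consent, tags = TAGS) {
  return tags.filter((t) => t.purpose === "necessary" || consent[t.purpose] === true);
}

// Inject the allowed tags into `doc` (the browser's `document` or a stand-in).
// Returns the ids injected on this call; tags already present are left alone.
function applyConsent(doc, consent, tags = TAGS) {
  const injected = [];
  for (const tag of allowedTags(consent, tags)) {
    if (doc.getElementById(tag.id)) continue;
    const s = doc.createElement("script");
    s.id = tag.id;
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
    injected.push(tag.id);
  }
  return injected;
}

// Withdrawal must be as easy as giving consent: flip the purpose off, remove its scripts,
// and persist the updated record so the purpose stays off on the next visit. Cookies a
// vendor set on its own domain cannot be cleared from here; stopping the script stops
// further tracking, not what already happened.
function withdrawConsent(doc, consent, purpose, tags = TAGS) {
  const updated = { ...consent, [purpose]: false };
  const removed = [];
  for (const tag of tags) {
    if (tag.purpose !== purpose) continue;
    const el = doc.getElementById(tag.id);
    if (el) { el.remove(); removed.push(tag.id); }
  }
  return { consent: updated, removed, cookie: serializeConsentCookie(updated, 31536000) };
}

// Minimal stand-in for the DOM so the example runs outside a browser (constructed).
function makeFakeDocument() {
  const byId = new Map();
  const head = { children: [], appendChild(el) { this.children.push(el); byId.set(el.id, el); } };
  return {
    head,
    getElementById: (id) => byId.get(id) || null,
    createElement: (tagName) => {
      const el = { tagName, id: "", src: "", async: false };
      el.remove = () => { byId.delete(el.id); head.children = head.children.filter((c) => c !== el); };
      return el;
    },
  };
}

// Usage: nothing loads until the visitor ticks a purpose (unticked by default) and confirms.
const pageDoc = makeFakeDocument();
applyConsent(pageDoc, parseConsentCookie(""));                  // no record: nothing injected
const choice = { ...defaultConsent(), analytics: true };        // visitor ticked analytics only
applyConsent(pageDoc, choice);                                  // injects tag-analytics only
withdrawConsent(pageDoc, choice, "analytics");                  // removes it again
```

The design point is that the default state denies every non-necessary purpose, so a visitor who ignores the banner or a cookie that fails to parse can never be read as having consented; each purpose is a separate flag, which gives the "subdivided levels of control" described above; and the record is versioned so that changing the purposes or the wording forces a fresh consent rather than silently reusing an old one.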
Below is one example of how you can communicate and receive valid consent, enabled by Secure Privacy:
1) Consent should be affirmative, specific and unambiguous
2) Details of recipients and data controller
3) Purpose of processing and notification of profiling
4) Duration
5) Withdraw consent
6) Link to complain, correct and transfer data
7) Can decline