What is the EU GDPR and when does it become law?
Considering the basics of GDPR, in a nutshell, it’s a set of regulations that replace previous directives from the EU on data protection. The way that data is handled today – and the amount of it – is almost unrecognizable to 20 years ago when the last directive was made.
Do the new laws apply to every business or do you have to be in a specialized industry?
What are the key changes surrounding the basics of GDPR?
As you can imagine, in 200-odd pages there are quite a number of elements that every needs to pay attention to, but for the basics of GDPR, some highlights include:
- Mandatory breach notification– if an organisation discovers it has suffered a data breach it will have to inform the supervisory authority (in the UK’s case, the ICO) within 72 hours of first identifying the issue
- Consent– any business that is going to store and use a person’s data must ask that individual for consent, as well as explain what the data will be used for
- Right to access– individuals will be able to submit a Subject Access Request (SAR) to a company requesting all the data it holds on that person. The company must be able to provide electronic copies of that data, as well as explain where the data is stored and what it is being used for
- Data portability – linked to the right to access, individuals, will also be able to obtain and reuse their personal data for their own purposes across different services and businesses will, therefore, be required to provide that data in an appropriate format
- Right to be forgotten– individuals can request a business holding their data not only delete it, but also don’t share it with third parties
- Data protection officers (DPO)– anyone holding or processing personal data will have to appoint a DPO (although that person can be a member of the organisation’s existing staff)
- Penalties – fines for failing to comply with the laws can be up to four per cent of the businesses global annual turnover or up to €20m.
Steps for GDPR Compliance
1. Forms: Active Opt-In:
Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.
Eg: Registration form should not have Newsletter Subscription option checked for the user to receive offer and other emails from the website by default.
2. Unbundled Opt-In:
The consent you are asking for should be set out separately for accepting terms and conditions, and acceptance of consent for other ways of using data.
Eg: Registration form should have Terms & Conditions.
3. Granular Opt-In:
Users should be able to provide separate consent for different types of processing.
Eg: In this example, Chemistdirect.co.uk are asking for specific permission for each type of processing (post, email, telephone) and also asking permission to check Terms & Conditions.
4. Easy to Withdraw Permission or Opt-Out:
It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.
In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication or easily change the frequency of communication, or stop all communications entirely.
5. Named Parties:
Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to say specifically defined categories of third-party organisations. They need to be named.
In this example, you can see John Lewis understands the gist that we need to give named permissions for updates each from Waitrose, John Lewis, and John Lewis Financial Services.
But it’s a shame that it is opt-out rather than opt-in.
6. Privacy Notice and Terms and Conditions:
You will need to update your terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information both on your website and also by your office systems.
7. Online Payments:
If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway.
If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days, it is your own judgment as to what can be defended as reasonable and necessary.
8. Third Party Tracking Software:
Many websites are using third-party marketing automation software solutions on their website. These might be lead tracking applications like Leadfeeder.com or CANDDI.com or they could be call tracking applications like Infinity Call Tracking or Ruler Analytics.
These applications track users in ways they would not expect and for which they have not granted consent. For example, it is tracking user behaviour each time they return to your website, or view a specific page on your site.
The providers of these tools are confident that they are GDPR compliant. But if the software is doing something illegal, then it is your businesses responsibility as the Data Controller to avoid these tools. The real question is to identify the GDPR compliance risks in using this kind of software, and to mitigate your risks as a business owner. As a result, you need to review your contract with these software providers carefully.
9. What About Google Analytics and Google Tag Manager?
Many websites are configured to use Google Analytics to track user behavior. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so GDPR does not impact on its usage.
With regards to Google Tag Manager; it’s a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services. The issue for businesses with regards to Tag Manager is to ensure you have a contract in place with the individuals that have access to your Tag Manager (which may well be your web designer or digital marketing agency) to ensure they understand their legal responsibilities as a data processor on your behalf as a data controller.
So, the underlying issue with the new GDPR is to identify and have in place contracts with your third-party data processors to protect both your own interests.
If you are interested in Google’s commitment to GDPR then a good place to start is this website: How Google complies with data protection laws
10. Appointment of a data protection officer:
This person does not need to be exclusively appointed as the data protection officer, this can be your webmaster or one of your existing staff. Ideally, a new alias should be created for this person as [email protected], all data requests for lawful extraction, rectification, and deletion should be honored immediately.