- What is GDPR?
- Implications of Non-compliance
- How to Make Your Website GDPR Compliant
What is GDPR?
General Data Protection Regulation (GDPR) is legislation that will update and unify data privacy laws across the European Union. GDPR was approved by the EU Parliament on April 14, 2016 and went into effect on May 25, 2018.
The purpose of this regulation is to give all individuals increased control over the data that can be captured and used about them. Under the General Data Protection Regulation, data subject rights include:
Right to be forgotten - data subjects can request personally identifiable data to be erased from a company's storage. The company has the right to refuse requests if they can successfully demonstrate the legal basis for their refusal.
Right of access - data subjects can review the data that an organization has stored about them.
Right to object - data subjects can refuse permission for a company to use or process the subject's personal data. The company can ignore the refusal if they can satisfy one of the legal conditions for processing the subject's personal data, but must notify the subject and explain their reasoning behind doing so.
Right to rectification - data subjects can expect inaccurate personal information to be corrected.
Right of portability - data subjects can access the personal data that a company has about them and transfer it.
GDPR is about personal data protection and affects much more than your website. For more on the wider issue of GDPR and how it will affect your business please review the following checklists:
Implications of Non-compliance
Fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.
There are two tiers of administrative fines that can be levied:
Up to €10 million, or 2% annual global turnover – whichever is higher.
Up to €20 million, or 4% annual global turnover – whichever is higher.
The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.
Under data protection legislation:
Consent must be a positive action, that makes it clear the individual agrees to the use of their information for direct marketing; pre-ticked opt-in boxes are not permitted – silence or inactivity from the data subject will not show consent.
Ensure consent for marketing is “unbundled” from other requests for consent; inform the individual what methods of marketing communication you are going to use, e.g. email, text, phone, automated call, post; and provide the individual with the option to choose their preferred method(s) of contact. (This is termed granular consent). Individuals should not be forced to agree to all or nothing; make it easy for the individual to withdraw consent and tell them how; and name your business and any third party relying on consent.
You should be able to identify the:
Name or other identifier of the individual; the time and date when they gave consent; the platform or mechanism you used to gain consent; and exactly what it covers.
How to Make Your Website GDPR Compliant
Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.
“Silence, pre-ticked boxes or inactivity should not constitute consent.”
In addition to the above, you need to clearly set out the options separately and in plain English. Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service.
“When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Example: When someone downloads an ebook or other resource from a website, they should have the option to subscribe to marketing emails by checking a box. Signing up for emails must be optional—you can always download the resource without subscribing to marketing emails.
Users need to be able to provide separate consent for different types of communication (post, email, SMS, telephone etc.) For example, they need to be able to tick email communications, but not post, if they want to.
Make it Easy to Withdraw Consent
It needs to be as easy to withdraw permissions as it was to grant them. So make sure your contact preferences page is really, really easy to find. Each promotional email you send must include an option to unsubscribe.
“The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”
Use the following best practices to make it easy for consent to be withdrawn:
Don’t charge a fee.
Don’t require any other information beyond an email address.
Don’t require subscribers to log in.
Don’t ask subscribers to visit more than one page to submit their request.
What exactly are they agreeing to? Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to say specifically defined categories of third-party organisations, they now need to be named.
For example, John Lewis' forms ask for permissions for updates each from Waitrose, John Lewis, and John Lewis Financial Services.
Privacy Notice and Terms and Conditions
You'll also need to update your terms and conditions on your website to reference GDPR terminology. You'll particularly need to make it clear what you intend to do with the information once you’ve received it, and how long you'll retain this information both on your website and elsewhere. You'll also need to communicate how and why you're collecting data, so you should transparently detail any software or applications you're using to help facilitate that.
The GDPR says that your privacy information must be:
Concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.
Please view the following resources for information on what should be included in a privacy notice and examples of good and bad privacy notices:
The rules on cookies are in regulation 6. The basic rule is that you must:
Tell people the cookies are there;
Explain what the cookies are doing and why; and
Get the person’s consent to store a cookie on their device.
As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals.
Cookie Control is a popular method for facilitating cookie compliance:
The following are examples of cookie notices:
Google Analytics and Google Tag Manager
Loads of websites these days are configured to use Google Analytics to track user behaviour. Luckily, it's always been an anonymous tracking system — there's no "personal data" being collected. So it seems that GDPR might not have much of an impact on its usage.
Nevertheless, Google has stated its commitment to complying with applicable data protection laws. They said they're working hard to prepare for the new changes and have placed keeping user information safe as one of their highest priorities. You can read all about it here.
With regards to Google Tag Manager; it’s a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services. The issue for businesses with regards to Tag Manager is to ensure you have a contract in place with the individuals that have access to your Tag Manager (which may well be your web designer or digital marketing agency) to ensure they understand their legal responsibilities as a data processor on your behalf as data controller.
Google, Mailchimp, Salesforce, Facebook etc.
The GDPR rules call these ‘third party data processors’. They are processing the organisation’s data on their behalf. Most of these sites and systems are based in the US. Although they have a requirement to become GDPR compliant they will be compliant with the US-equivalent called Privacy Shield.
You need to make sure that your processes and policy clearly states what third party data processors you use and where a subject’s data is passed to.
Check Your Existing Data
GDPR does not only apply to signups that happen after May 25th, it applies to all existing EU subscribers on your email list. If your existing subscribers have given you consent in a way that’s already compliant with GDPR—and if you kept record of those consents—there’s no need for you to re-collect consent from those subscribers. If your existing records don’t meet GDPR requirements, however, you have to take action.
Audit your existing email list.
Figure out who on your email list already provided GDPR-compliant consent, and ensure that you have a clear record of those consents.
Implement a re-permission program
If for any of your contacts you don’t have GDPR-proof consent—or if you are unsure about whether or not their consent is compliant—you’ll have to run a re-permission campaign to refresh that consent, or remove the subscriber from your mailing list.
While data encryption is not mandatory under GDPR it is strongly recommended. The first step is having a security certificate on your website that encrypts all the data entered into a website through form fields (like when you set up an account, buy something online or sign up to a newsletter etc.
Much of the above information has been obtained from the following resources.