The GDPR (General Data Protection Regulation) is a European Union regulation that protects the personal data and privacy of individuals in the EU, and it applies to the processing of that data whether it takes place inside or outside the EU member states.
It governs how personal data is gathered and stored, and gives individuals in the EU control over their personal data. Any company that collects data on individuals in EU countries must comply with its rules on protecting that data by May 25, 2018. Sanctions for non-compliance can be as high as 20,000,000 Euros, or up to 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is greater.
Who is at risk?
If an organization collects and stores information from individuals within the EU, it is in scope. It does not matter if the organization is based outside the EU, and it does not matter if the data is gathered unintentionally.
Organizations must ask for, obtain, record and manage consent to collect personal data in ways that meet the GDPR's requirements.
An organization must ensure that personal data is stored and used only as described in the consent statement. It cannot be stored or used for any other purpose.
An organization's data subjects must have easy access to their data, must be able to amend and/or purge it, and must be able to opt out or withdraw consent easily.
Organizations must ensure that data protection is built in 'by design and by default' in every aspect of the site.
There are 99 articles that lay out the rights of individuals and obligations placed on organizations covered by the regulation. These include allowing people to have easier access to the data companies hold on them, and a clear responsibility for organizations to obtain the consent of people they collect information about. Specific to website compliance, organizations will need to pay attention to a number of key changes, and make updates where needed.
Changes to the definition of personal data. Anything that identifies an individual, or can be linked to identifying one, is now covered by the regulation: a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.
Stricter guidelines on gaining consent. Consent must be obtained before personal data is submitted whenever the data provided will be stored beyond the scope of the current transaction. Under the GDPR, visitors must be presented with a statement (inline or linked) specifying what data is being collected, what they are agreeing to and what the consequences are, and they must affirm the decision with an action. Legal jargon cannot be used to request consent on web forms and the like. Consent must be clear and distinguishable from other matters, and provided in an intelligible and easily accessible form, using clear and plain language.
Updates to individual rights and conditions for consent. These include the rights of access, to withdraw consent, to be 'forgotten', and to data portability. Websites must clearly communicate these rights to the individuals they collect data from. This includes letting data subjects know whether and for how long data will be stored, whether data will be transferred to other parties or countries, and how they can access, amend, or delete their data. It must be as easy to withdraw consent as it is to give it. Organizations must also be able to prove they were given consent to hold the data, and they must be ready to prove the deletion of personal data as well.
Website forms that collect and store personal information for purposes outside the current transaction (e.g. marketing emails) must have an "opt-in" option, and this option must be unchecked by default. The opt-in option must use clear language about what the data will be used for. Organizations must also provide an easy way to 'opt out' if a data subject changes his or her mind.
Our GDPR experts can perform a free audit of your site to identify any violations, and we can help make your site compliant.
With only a short time left to prepare, organizations that collect data from individuals located in the European Union should carefully implement changes to their consent and data protection processes as required by the GDPR. These resources can help.
The UK’s Information Commissioner's Office (ICO) has been a vocal proponent of the GDPR, and offers this readable, structured site that explains the regulation provisions, one at a time, to help organizations comply with its requirements.
This slideshow presentation, prepared by the IT Governance organization in the UK, is a good introduction. It walks through all of the articles in the regulation and explains what each means for you.
Some of the top issues for cookie consent that the GDPR raises are explained in this useful article.
A brief but effective outline, presented by TechTarget, detailing how GDPR can impact the forms on your website, and your email marketing strategy.
Provided by Intersoft Consulting Services, this site transforms the published regulation into a neatly arranged website. All articles of the GDPR are linked with their associated recitals.
The EU’s official site outlines the details of the new regulations, offers an overview of key changes to look out for, and answers FAQs. The site also gives a bit of history regarding how the regulation came to be. Resource links are included on this site, as well as connections to their partner companies.
An infographic with incredible statistics, a thorough timeline of the GDPR, visual explanations of what this new regulation means for businesses that handle European data, and more. It’s easy to read and even easier to share, making it an authoritative resource to distribute across any organization.
The European Digital Rights Association, an association of civil and human rights organizations from across Europe, discusses some key issues of the GDPR following the initial proposal by the Commission. The piece reviews common misconceptions about the regulation, and interprets key issues in a clear way.
Recommendation 1: Audit your website forms
Use a progressive form that includes a country field. When an EU country is selected, make sure the opt-in checkbox is not pre-checked. Keep the opt-in language clear and simple, and make sure the consent record is stored in your CRM.
Recommendation 2: Decide on how you will prove consent
You may be compelled by a court to prove that you obtained consent from someone. That will likely require more than saving the checked opt-in field to your database. Consider capturing a screenshot of the form as it was submitted, or some other record showing that the form presented the information clearly in order to obtain consent at the time it was filled out, for each customer record.
Recommendation 3: Segment your marketing lists
Create segments for leads that are not in the US, or that have no country specified, and for whom GDPR-compliant consent has not been obtained, so you are ready to stop emailing that segment.
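Recommendations 1 to 3 fit together in one piece of server-side code: a form handler that refuses to treat an absent or pre-checked box as consent, writes a consent receipt tied to the exact wording the visitor saw, and segments leads that lack GDPR-grade consent. The following is an added example, not code from the original page or from any CRM product; the form registry, the country list, the receipt key and the sample submissions are all constructed for illustration.

```python
# Added example (not from the page): consent receipts and lead segmentation.
# FORM_VERSIONS, RECEIPT_KEY and the sample POST bodies in the usage are constructed.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import hashlib
import hmac
import json

EU_COUNTRIES = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
                "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
                "SI", "ES", "SE"}

# Hypothetical registry of deployed form versions: the exact consent wording shown and
# whether the marketing box rendered pre-checked. Keep it under version control so a
# receipt can always be tied back to what the visitor actually saw.
FORM_VERSIONS = {
    "signup-v2": {"prechecked": True,
                  "statement": "Send me product updates and offers."},
    "signup-v3": {"prechecked": False,
                  "statement": "Tick to receive our monthly newsletter by email. "
                               "You can unsubscribe at any time via the link in each email."},
}

# Hypothetical secret for the tamper-evident MAC; hold it outside the CRM.
RECEIPT_KEY = b"example-receipt-key-rotate-me"


@dataclass(frozen=True)
class ConsentReceipt:
    email: str
    country: Optional[str]
    form_version: str
    statement_sha256: str    # hash of the exact wording presented
    marketing_opt_in: bool
    recorded_at: str         # ISO-8601, UTC
    mac: str                 # HMAC over every other field


def _mac(fields: dict) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(RECEIPT_KEY, canonical, hashlib.sha256).hexdigest()


def record_consent(post: dict, form_version: str,
                   now: Optional[datetime] = None) -> ConsentReceipt:
    """Turn a parsed form POST into a receipt. Browsers omit an unchecked box from the
    POST body, so a missing field is recorded as no consent, never as a default."""
    form = FORM_VERSIONS[form_version]
    country = post.get("country") or None
    if country in EU_COUNTRIES and form["prechecked"]:
        # A pre-checked box is not valid consent: refuse rather than store a bad record.
        raise ValueError(f"{form_version} pre-checks the opt-in box; invalid for {country}")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    fields = {
        "email": post["email"],
        "country": country,
        "form_version": form_version,
        "statement_sha256": hashlib.sha256(form["statement"].encode()).hexdigest(),
        "marketing_opt_in": post.get("marketing_opt_in") == "on",
        "recorded_at": stamp,
    }
    return ConsentReceipt(**fields, mac=_mac(fields))


def verify_receipt(r: ConsentReceipt) -> bool:
    """Recompute the MAC and confirm the hashed wording still matches the registered text."""
    fields = asdict(r)
    mac = fields.pop("mac")
    registered = FORM_VERSIONS[r.form_version]["statement"]
    return (hmac.compare_digest(mac, _mac(fields))
            and hashlib.sha256(registered.encode()).hexdigest() == r.statement_sha256)


def in_gdpr_scope(country: Optional[str]) -> bool:
    """The page's conservative rule for segmentation: anyone not known to be in the US."""
    return country != "US"


def marketing_segment(receipts: list) -> dict:
    """Split leads into those safe to email and those to hold until consent is obtained."""
    out = {"mailable": [], "hold": []}
    for r in receipts:
        consented = verify_receipt(r) and r.marketing_opt_in
        if consented or not in_gdpr_scope(r.country):
            out["mailable"].append(r.email)
        else:
            out["hold"].append(r.email)
    return out


if __name__ == "__main__":
    # Constructed submissions: a ticked box, two untouched boxes, and one with no country.
    receipts = [
        record_consent({"email": "a@example.eu", "country": "DE", "marketing_opt_in": "on"}, "signup-v3"),
        record_consent({"email": "b@example.eu", "country": "FR"}, "signup-v3"),
        record_consent({"email": "c@example.com", "country": "US"}, "signup-v2"),
        record_consent({"email": "d@example.org"}, "signup-v3"),
    ]
    print(marketing_segment(receipts))
```

The receipt stores a hash of the consent text and the form version rather than the text itself, which keeps records small while still letting you produce the exact wording from version control if a regulator or court asks. Note that a lead with no country at all lands in the "hold" segment: the country field is self-reported, so absence is treated as in scope, not as permission.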
Recommendation 4: Prepare for customer deletion requests
Under the GDPR a data subject has the right to erasure (the 'right to be forgotten'), meaning they can request to have all of their information removed from your systems. If your data is stored in multiple places, make sure your IT team has a plan and process in place to handle these requests starting May 25, 2018.
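Because the regulation also expects you to be able to prove deletion, the process for the recommendation above needs two parts: run the erasure against every store that holds the subject, then re-check each store and record the outcome in a log that cannot be quietly edited afterwards. The following is an added example, not code from the original page; the stores, the log key and the sample rows are constructed, and the read-only "cold backup" store is there to show the failure mode where one system cannot honour the request immediately and needs manual follow-up.

```python
# Added example (not from the page): erasing one subject across several stores and keeping
# a tamper-evident proof-of-deletion log. Stores, LOG_KEY and sample rows are constructed.
from datetime import datetime, timezone
from typing import Optional
import hashlib
import hmac
import json

LOG_KEY = b"example-erasure-log-key"   # hypothetical; keep it out of the stores it audits


class Store:
    """Minimal stand-in for a CRM table, mailing list or similar, keyed by email."""
    def __init__(self, name: str, rows: list):
        self.name = name
        self.rows = {r["email"].lower(): r for r in rows}

    def delete(self, email: str) -> bool:
        return self.rows.pop(email.lower(), None) is not None

    def holds(self, email: str) -> bool:
        return email.lower() in self.rows


class ReadOnlyStore(Store):
    """A store that cannot delete on demand (e.g. an immutable backup); the job must
    report it as residual rather than claim the erasure is complete."""
    def delete(self, email: str) -> bool:
        return False


class ErasureLog:
    """Append-only hash chain: each entry commits to the previous digest, so an altered
    or removed entry is detected when the chain is replayed."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(LOG_KEY, canonical, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = {**event, "prev": prev}
        self.entries.append({**body, "digest": self._digest(body)})

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or not hmac.compare_digest(e["digest"], self._digest(body)):
                return False
            prev = e["digest"]
        return True


def subject_ref(email: str) -> str:
    """Keyed pseudonym for the log so the proof of deletion does not itself retain the email."""
    return hmac.new(LOG_KEY, email.lower().encode(), hashlib.sha256).hexdigest()


def erase_subject(email: str, stores: list, log: ErasureLog,
                  now: Optional[datetime] = None) -> dict:
    """Delete from every store, re-check each one, and log the verified result."""
    results = {}
    for s in stores:
        deleted = s.delete(email)
        results[s.name] = {"deleted": deleted, "residual": s.holds(email)}
    complete = not any(r["residual"] for r in results.values())
    log.append({
        "at": (now or datetime.now(timezone.utc)).isoformat(),
        "subject": subject_ref(email),
        "stores": results,
        "complete": complete,
    })
    return results


if __name__ == "__main__":
    crm = Store("crm", [{"email": "Ann@Example.eu", "name": "Ann"}, {"email": "bob@example.com"}])
    mailing = Store("mailing", [{"email": "ann@example.eu"}])
    backup = ReadOnlyStore("cold-backup", [{"email": "ann@example.eu"}])
    log = ErasureLog()
    print(erase_subject("ann@example.eu", [crm, mailing, backup], log))
    print("log intact:", log.verify())
```

The "complete" flag is computed from a re-check after deletion, not from the delete calls' return values, so a store that silently no-ops is still reported as residual. Anything left residual is your follow-up list; the chained log entry is what you hand over when asked to prove the erasure happened.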
Recommendation 5: Explain how you will use the data
The GDPR requires you to state clearly how you will use the information you gather from a person. Plan for existing data as well: after May 25, 2018 you cannot lawfully send marketing email to a data subject in the EU unless you obtained GDPR-compliant consent (or have another lawful basis for the processing). Decide how you want to handle those existing records; if you want to keep emailing those individuals after May 25, 2018, obtain their permission before that date.
Recommendation 6: Check your referral system
A feature that asks a customer for a friend's email address in order to refer your product or service, and then sends that person a single email, is generally treated as compliant so long as the friend's address is not retained or used for anything beyond that one message. Audit how your referral system stores and uses the data it captures, and adjust as needed to achieve compliance.
Recommendation 7: Involve general counsel
After you have completed your audit and finalized your plans, meet with general counsel to review and discuss your plans.