Will You be Ready When the GDPR Comes into Effect in May?
The GDPR will dramatically affect the way businesses handle personal data, and the consequences of non-compliance could be catastrophic.
The General Data Protection Regulation that comes into force on 25 May represents the most dramatic change to the rules governing personal data in 20 years. Plenty has changed since the Data Protection Act of 1998, in terms of the type and quantity of personal data that websites handle, as well as the way they use it.
Here, we expand on this GDPR checklist for marketers and run through some of the key points to think about in making sure your website is compliant when the new regulations come into force. The penalties for non-compliance will be severe, and there can be little doubt that there will be a media frenzy over non-compliance over the first few months, so now is the time to sit down with your SEO consultant and make sure everything is in order.
One of the key differences with the new regulation is that individuals must specifically opt in to having their data used. Forms in which users can subscribe to marketing contact, newsletters and so on must be updated accordingly. Most important, those “pre-ticked” opt-in boxes are no longer good enough. The default has to be “no” or an unchecked box.
The GDPR also states that such opt-in must be for a specific purpose. In other words, the user agrees that you can use their data for marketing communications, so that’s fine. But if you want to use it for another purpose, they need to specifically opt into that too. If your form uses “bundled opt-in,” get it changed now to a more granular approach to ensure compliance.
eCommerce sites should take note here. If a customer purchases from your website, this no longer means that you can automatically send them regular offers and updates – you will need to ask them to opt in to these emails when they make their first order.
If you share data with other parties, you need the individual’s consent. Nothing new there, but under the GDPR, you must be specific about who those other parties are. Simply saying “trusted third parties” or “partner organisations” will not cut the mustard. You will need to specify every company that you plan to pass the information on to so that your customers can make an informed decision.
Individuals need to be able to opt out as easily as they opted in. This means providing an interface where they can take a similarly granular approach to the types of data use that they are happy to continue with, or the ones for which they wish to withdraw consent. All emails should have an unsubscribe option that works seamlessly, so check your existing set-up to ensure that customers can opt out with a single click.
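The consent rules above (no pre-ticked boxes, one box per purpose, named recipients, withdrawal as easy as opt-in) can be enforced in the code that receives a form. The following is an added illustration, not code from the article; the purpose names, recipient companies and field names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example purposes and the named recipients for data sharing.
PURPOSES = {"newsletter", "offers", "share_with_partners"}
NAMED_RECIPIENTS = {"share_with_partners": ["Example Couriers Ltd", "Example Analytics GmbH"]}


def check_form_defaults(defaults: dict) -> list:
    """Return checkbox names that are pre-ticked in the template; must be empty."""
    return sorted(name for name, ticked in defaults.items() if ticked)


@dataclass
class ConsentRecord:
    email: str
    granted: dict = field(default_factory=dict)    # purpose -> time consent given
    withdrawn: dict = field(default_factory=dict)  # purpose -> time consent withdrawn

    def has_consent(self, purpose: str) -> bool:
        return purpose in self.granted and purpose not in self.withdrawn

    def withdraw(self, purpose: str) -> None:
        """Withdrawal is per purpose and needs no more than this one call."""
        if purpose in self.granted:
            self.withdrawn[purpose] = datetime.now(timezone.utc)


def record_consent(email: str, submitted: dict) -> ConsentRecord:
    """Turn a submitted consent form into a ConsentRecord.

    `submitted` maps checkbox name -> value. A missing or unticked box means
    'no'; a single bundled catch-all box is rejected; a purchase on its own
    grants nothing, so an empty form yields a record with no consents.
    """
    if "marketing" in submitted:
        raise ValueError("bundled opt-in rejected: ask for each purpose separately")
    unknown = set(submitted) - PURPOSES
    if unknown:
        raise ValueError(f"unknown purposes: {sorted(unknown)}")
    record = ConsentRecord(email)
    for purpose, ticked in submitted.items():
        if ticked in (True, "on"):  # only an explicit affirmative action counts
            record.granted[purpose] = datetime.now(timezone.utc)
    return record


def recipients_to_disclose(purpose: str) -> list:
    """Company names to show beside the box; 'trusted third parties' is not enough."""
    return NAMED_RECIPIENTS.get(purpose, [])
```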
Right to be Forgotten
The concept of Right to be Forgotten first came to light in the news following requests to Google to remove personal information from the search engine. This concept now extends to all businesses. If a customer asks for their personal data to be removed from a company’s databases, this request must be carried out whenever possible. Obviously, there are exceptions, such as when an existing customer has outstanding invoices.
Any organisation found to be breaching GDPR rules can be fined up to 4% of their annual global turnover, or EUR 20 million, whichever is larger. This maximum fine will be imposed on companies that make the most serious infringements, such as not obtaining sufficient customer consent to use their data, or violating the core Privacy by Design concepts.
Lesser fines of 2% of gross turnover can be imposed on companies that do not have their records in order (Article 28), fail to notify authorities and customers following a data breach, or fail to carry out a GDPR impact assessment.
Practical tips for ensuring compliance
The GDPR has attracted plenty of attention and media coverage, as well as a good few scare stories, but the positive news is that with a logical approach from someone who knows what they are doing, ensuring compliance is not too arduous a task.
The first step is to arrange an audit of your systems to fully assess the type of data you hold and the way it is stored. With those preliminaries out of the way, the next stage is to look at the way your site invites, receives and handles personal data.
This will mean paying close attention to those forms and WordPress plugins by which data is typically obtained.
Perhaps the most important advice of all, however, is to take action now to ensure you can rest easy at night when 25 May comes around.