The General Data Protection Regulation (GDPR) is a major shift in the way businesses may process and control personal data within all 28 EU countries. The new law focuses on giving European citizens full control of their data: who has it, what they may hold, and how they may use it.
The GDPR goes into effect on May 25, 2018. The consequences for noncompliance are hefty. Organizations found to be out of step with the regulations can face fines of €20 million or 4% of their worldwide revenue, whichever is bigger.
Does GDPR affect my organization?
Most likely. It is safest to assume that it does. Even if you don’t do active business in the EU, you may well have site visitors from countries protected by GDPR. It can be difficult, if not impossible, to passively determine who qualifies. Making your website compliant is the safest route, and the basics are fairly simple. However, GDPR affects much more than just your website.
We are not lawyers. We are here to help! But we’re not a substitute for talking to your legal counsel to ensure you’re complying with the new regulations.
What should I do if I market to the European Economic Area (EEA)?
If your company markets to users in the EEA, GDPR should be a focus for you. We recommend discussing compliance with both your legal counsel and a security expert. We have a security ace on staff who can work with you to help create a plan for your site. Reach out and our team of experts will help you get started.
What counts as “personal data?”
The GDPR broadly expands the definition of personal data. According to Article 4 of the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In less legal-sounding language, personal data is anything that can, in isolation or in aggregate, be used to identify a specific individual. The “in aggregate” piece is important. A person with a generic-sounding name may not be easy to identify. But pair that name with a physical location or a device signature and they absolutely are.
It’s important to note that cookies count as personal data, too.
What do I need to know about GDPR and my website?
Here is a basic overview of some of the pieces of GDPR that will be most relevant to your online presence. That said, GDPR affects many more aspects of your organization than just your website.
Everyone loves a good memory device. I like to think of GDPR as something you can distill down to four Cs: Consent, Communication, Clarity, and Care.
Consent: Data Collection
GDPR greatly expands the definition of user consent. EU citizens have a right to know exactly what you are going to store and how you are going to use it. Any time you collect their information, make sure it’s okay with them first. Explicit consent is critical to all aspects of GDPR compliance. And a person must be able to revoke their consent, too, at any time.
This means that implied opt-ins, pre-checked checkboxes, or consent given through some sentence buried deep in your terms and conditions won’t hold under GDPR. Consent must always be active and informed.
It also means that you can no longer box someone into an all-or-nothing acceptance of cookies to use your site. Cookies required for the site to function are one thing. A user can’t opt out of those, or the site would cease to function. (Which is something you need to explain, given the need for clear Communication according to GDPR.) Things like your analytics cookies aren’t strictly necessary, though. Users must be allowed to opt out of them.
Similarly, it should be as easy to revoke consent as it was to give it. This applies to cookies, mailing lists, and any other data collection point. So if all it takes is a checkbox to get in… it has to only take a checkbox to get out again.
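The consent rules above (no pre-checked boxes, necessary cookies always on, optional ones off until the user opts in, and revocation as a single step) are easy to get wrong in a banner script. The following is an added example and not code from the original post: a small consent gate that only runs third-party loaders for categories the user has explicitly allowed. The `storage` object is injected so it runs outside a browser (in a page you would wrap `localStorage` or a first-party cookie); the category names, `CONSENT_VERSION`, and all function names are assumptions for the example.

```javascript
// Added example: a consent gate for non-essential cookies (not from the post).
const CONSENT_KEY = 'cookie-consent';
const CONSENT_VERSION = 1; // bump whenever the cookie policy text changes

// Strictly necessary cookies keep the site working and cannot be declined;
// every other category defaults to "off" until the user actively opts in.
const CATEGORIES = {
  necessary: { required: true },
  analytics: { required: false },
  marketing: { required: false },
};

// `loaders` maps a category to the function that installs its third-party
// snippet; `now` is injectable so the recorded timestamp is testable.
function createConsentManager(storage, loaders = {}, now = () => Date.now()) {
  function read() {
    const raw = storage.get(CONSENT_KEY);
    if (!raw) return null;
    try {
      const state = JSON.parse(raw);
      // A decision recorded under an older policy version no longer counts.
      return state.version === CONSENT_VERSION ? state : null;
    } catch (e) {
      return null;
    }
  }

  function write(choices) {
    // Keep when the decision was made: you may need to show consent was given.
    storage.set(CONSENT_KEY, JSON.stringify({
      version: CONSENT_VERSION,
      decidedAt: now(),
      choices,
    }));
  }

  function currentChoices() {
    const state = read();
    return state ? { ...state.choices } : {};
  }

  // No stored decision means no consent: show the banner, set nothing optional.
  function hasDecided() {
    return read() !== null;
  }

  function isAllowed(category) {
    const def = CATEGORIES[category];
    if (!def) return false;        // unknown category: never allowed
    if (def.required) return true;
    return currentChoices()[category] === true;
  }

  // Explicit, per-category opt-in. Required categories are always on and are
  // ignored here; unknown categories are rejected rather than silently stored.
  function grant(categories) {
    const choices = currentChoices();
    for (const c of categories) {
      if (!CATEGORIES[c]) throw new Error(`unknown cookie category: ${c}`);
      if (!CATEGORIES[c].required) choices[c] = true;
    }
    write(choices);
    return { ...choices };
  }

  // Withdrawing consent is the same single call as giving it.
  function revoke(category) {
    const choices = currentChoices();
    choices[category] = false;
    write(choices);
    return { ...choices };
  }

  // Install third-party snippets only for allowed categories; returns which ran.
  function applyLoaders() {
    const ran = [];
    for (const [category, load] of Object.entries(loaders)) {
      if (isAllowed(category)) {
        load();
        ran.push(category);
      }
    }
    return ran;
  }

  return { hasDecided, isAllowed, grant, revoke, applyLoaders };
}

// Storage adapter over a Map so the example runs without a browser.
function memoryStorage() {
  const m = new Map();
  return { get: (k) => m.get(k) || null, set: (k, v) => m.set(k, v) };
}

if (typeof module !== 'undefined') {
  module.exports = { createConsentManager, memoryStorage, CATEGORIES };
}
```

On a real page you would call `applyLoaders()` once on load and again right after `grant()`, and wire the banner's checkboxes (all unchecked by default) to `grant()` and the "manage cookies" link to `revoke()`. The version check matters: when the cookie policy changes, old decisions are discarded and the banner reappears instead of carrying consent forward to terms the user never saw.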
Ensure that the third-party partners you work with are in compliance with GDPR as well. Analytics platforms, mailing tools, CRM systems, and the like are all affected. You’ve probably started seeing notifications from your vendors about this already. There may be steps you need to take to keep your account current with the new regulations. If you haven’t heard from your partners, definitely reach out. Now is the time.
Communication: Informing your Users
Another major focus of the new legislation is the clarity and transparency of your communication with your users. Article 12 of the GDPR states that the data subject has a fundamental right to communications that are “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” This means no more “legalese” in your terms and conditions or your privacy policy. Language must be easy to understand. You must be fully transparent about what you collect and how you use it to be in compliance with GDPR.
Chapter Three of the GDPR outlines the rights of the data subject in full. The first thing to tackle on the road to GDPR compliance is your privacy policies and terms and conditions. Ensure these notices make it easy for EU citizens to exercise their rights with regards to their personal data.
Clarity: User Rights
It is worth highlighting a few specific points in the rights of data subjects. These can affect how you may manage user data in the context of your content management system.
Users have the right to access and modify their personal data. Users must be able to request clear, transparent access to the data that you have collected on them. They have the right to change or request changes to their data at any time. The preferred scenario is giving them direct access to their own information. Profiles work well for managing this for logged-in users.
Users have the right to portability of their data. Users can not only request access to the full spectrum of data you have on them, but they can also request that you hand it all over to them or to another party in a portable format. So ensure that users can download their history and any data you have collected on them directly from your systems to make this requirement as easy as possible.
Users have the right to be forgotten. At any time, a user can revoke their consent to your use of their personal data. They can request that all processing cease and that you destroy all copies of that data. So don’t collect or store more data than you absolutely need. Set up your sites to delete any stored content after a reasonable period of time.
Care: Data Protection & Retention
There is always an important distinction between privacy and security. You can have security without privacy. But it doesn’t work the other way around. There are some important steps you should take to care for the data you do choose to collect on your site users.
Run your site over HTTPS. Hopefully you’re already doing this. This is what encrypts and protects the information transferred between your users and your servers. If you need help wrangling this, you can start with the talk I gave at the Nonprofit Technology Conference this year. Or reach out to us and we’ll help you get started.
Don’t collect what you don’t need. With GDPR, less is more. It seems like a smart idea to collect and keep everything you can think of about your users. GDPR makes that risky. Only collect what you need to meet your relationship objectives with your users. Let go of the rest. For forms, you’ll see your conversion rates go up this way, too.
Encrypt personal data. There are encryption modules for Drupal and encryption plugins for WordPress that will help with this. If you’re storing personal data on your websites, make sure that you are doing your due diligence to keep it secure.
Expire your personal data. This goes for data you have now, and data you’re collecting moving forward. Only hold on to data for as long as you need to. For some form plugins and modules, there are entry automation tools that can help with this. Or have a developer set up a solution for you that will run at a regular interval.
Need help with GDPR? Contact us for help.
Where should I start with GDPR?
This is the hardest part of all. Where to begin? Here’s our short list of the most impactful things you can do today to get ready for GDPR. The bad news is that if you’re just starting down this road, May 25, 2018 is right around the corner. The good news is there are impactful steps you can take now to get moving in the right direction.
- Check with your legal counsel. Learn how GDPR affects your organization and your marketing activities.
- Update your privacy policy and terms and conditions. Reference all the required “information to be provided” in Article 13 and Article 14 of GDPR.
- Update any form where you request personal data. Require explicit consent to having the information stored. Link to your (simple, clear) policy notices of how you process and use the data.
- Allow for more granular acceptance of cookies. Provide an explanation of the differences in the types of cookies you set on your site with a cookie policy.
- Check on your third-party tools. Make any data retention adjustments needed as your vendors get ready for GDPR. As Data Processors, this change in regulation affects them too. Most of our clients are using Google tools in some form or fashion. Here are some quick links to help you get your Google Analytics and Google Tag Manager accounts compliant.
- Google Analytics – data retention controls
- Google Tag Manager – data processing amendment
- Google Optimize, Google Attribution, and Google Data Studio also have changes in policies
- Start with a handy-dandy checklist! Create a roadmap for GDPR and what in your policies and procedures may need to change.