GDPR: A Guide For Website Owners & Marketeers
After plenty of discussion, the General Data Protection Regulation (GDPR) will come into force on 25th May 2018.
Its impact on business owners, marketeers and data controllers will be substantial, and if you aren’t already prepared, you need to make sure you are now.
Failure to meet the new levels of data protection required by the GDPR will be met with severe penalties. Once in force, it could see companies incur fines of up to 20 million euros or 4% of their global annual revenue, whichever is greater.
For our own clients - as well as others seeking a recap - we wanted to produce a guide to the most important things you need to consider as a website owner, and as a company employing a digital agency for services.
At the base of this post, you’ll also find a list of handy resources with more in-depth GDPR coverage - as well as a checklist for you to download.
Please note that the aim of this post is to provide you with the key information on how your company’s website and marketing will be affected by GDPR. The content of this post is not legally binding and is provided purely for informative purposes.
Embracing GDPR - Why It’s Important
First things first - why is GDPR important?
Lots of companies around the globe are already operating under ethical data collection practices - but it’s vital for GDPR to be implemented to tackle those using data in an unlawful or misrepresentative way.
Buying lists, cold emailing tactics and endless spam will all be targeted by GDPR, and this is something that we should embrace.
What Will Happen To the Data I Already Hold?
Before we get into how you’ll need to collect, store and manage data moving forward, it’s important to understand how your company’s existing data will be affected.
Assuming you’ve collected data with recipient consent, you’ll need to analyse the relevant GDPR legislation to assess whether you need to ask for permission to continue using that data:
"Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to processing of the Personal Data relating to him or her".
You can use this information to gauge whether consent was provided and asked for in a GDPR-compliant manner.
It’s an area that will require some thought, but you may be able to continue using your existing customer data, provided you add the new compliance questions at the point of any new data collection.
Obviously, if you have been using data without consent, you are already in breach of GDPR.
Collecting Data - the Key Points
The way in which you collect data from people through your website and marketing campaigns will be regulated in several ways:
- Pre-ticked opt-in boxes will no longer be acceptable. At the point of data collection, you must default the selection to ‘opt out’ or leave all selection options blank
- If you want to collect data, you must lay out exactly why
- Individuals must give consent for their information to be used
- Consent for the use of data must be asked for in clear and plain English - in an informed, specific, unambiguous and revocable way
- People must be told about their right to withdraw consent
- People must be told specifically which companies their data will be shared with, rather than being given a passing mention of ‘affiliated parties’
- Terms and conditions and consent forms should be in separate sections
It may well be the case that you’re already abiding by the majority of these conditions. If you are, the GDPR process will become a lot simpler.
Following the rollout of GDPR, the amount of data a company is permitted to collect from any individual will be reduced. If there is data you require to convert a lead, it must be:
- Necessary to fulfill the intended purpose
If, by law, the data you collect is deemed to be unnecessary, then you’ll be in breach of GDPR.
Security and Storing Data
To comply with GDPR, data must be collected and stored so that it meets the security provisions of the new regulations. As a company, you must use appropriate technical and organisational security measures to protect the data you collect against:
- Accidental loss
- Unwanted access
- Unauthorised processing
In addition, people will be able to request valid updates to any information held about them at any point.
Please be aware that security standards will be even higher for:
- Sensitive data
- Data held about children
- Biometric data
Requests to Delete Data
You need to be prepared for any requests that come in regarding the deletion of personal data. Following GDPR, if an individual asks for their data to be removed from your records, you must do both of the following:
- Your Data Controller must delete the data from your own records and confirm compliance
- Your Data Controller must ensure that all the data held on any subsystems or with any third parties is also deleted
Who Is Accountable for GDPR At My Company?
In data terms, your organisation is what’s known as the ‘Data Controller’. This means that the responsibility for compliance is placed firmly at your door.
If you use an agency to carry out work on your behalf, the agency may take the role of what is known as the ‘Data Processor’. They could also be a Data Controller, if they make decisions about how your data is used.
Whilst they will be required to implement their own GDPR compliance, they do not bear the responsibility for your company’s data use. You can call upon their services for any information you require for your own compliance purposes.
To prove compliance with GDPR, you will need to maintain ongoing records. You’ll also need to put policies in place for governing the collection and use of data.
What Is the Best Way to Deal With GDPR?
Whatever route you take, GDPR will require a considerable time investment. The good news is that if you’ve always looked to adopt ethical practices, the process should be somewhat more seamless than if you haven’t.
For companies of considerable size - or those happy to invest - a great option for managing the GDPR transition could be to employ the services of a DPO (Data Protection Officer).
This would provide you with a dedicated employee with extensive GDPR knowledge, and with the time to handle everything the area demands (removal requests, requests for information held, sharing knowledge throughout the company, etc.).
Only you can decide whether a DPO is right for your company. The amount of data you handle may be the deciding factor.
How Will Brexit Affect GDPR?
The 1998 UK Data Protection Act (which currently governs UK data protection) will be replaced by GDPR when it comes into force in May. The exact rules of GDPR will then apply until the date the UK officially leaves the EU. Although Article 50 has been triggered, the final exit date has yet to be confirmed.
Even when the UK does leave the EU, the vast majority of GDPR rules are extremely likely to still apply. In the Queen’s Speech on 21 June 2017, plans were laid out for the UK to incorporate the GDPR into national UK law, post-Brexit.
As well as ensuring an individual has the right to be forgotten where they don’t want their data to be processed, there are also advanced discussions about requiring social media platforms to delete information held about individuals at the age of 18.
There may be small differences between the EU and UK implementations of GDPR, but this information was not available at the time of writing.
E-Commerce Gateways and GDPR
For website owners operating an e-commerce gateway, there is an additional factor to consider for GDPR. If you are storing personal details before the information is passed along to the gateway, you need to modify your processes to ensure that the personal data is removed at some stage.
GDPR states that this needs to be after a reasonable amount of time, but doesn’t specify how long that is. Essentially, you need to be able to justify the timeframe you’ve chosen to keep hold of the data.
You can find out more about GDPR and what it means for business within the following resources: