What is GDPR Compliance and Does Your Website Need It

In 2012, the European Commission set out a plan for data protection reforms across the European Union (EU) countries to make Europe fit for the digital age.


The only way to build Europe's digital future was to base it on trust. Among the reforms was the creation of robust, everyday standards for data protection that give European Union citizens control of their personal information. Nearly four years later, a new regulation, the General Data Protection Regulation (GDPR), was adopted.

Countries were given two years to comply, and on May 25, 2018, the General Data Protection Regulation came into force. It is expected to set a new standard for consumer rights regarding their data. This strict set of rules applies to all 28 EU member states and to businesses outside Europe. Non-compliance with this regulation will have far-reaching implications for businesses, which is why every business owner in Europe needs to know about GDPR.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation is a European Union privacy law that replaces the Data Protection Act 1995 and regulates how any organization treats or uses the personal data of EU citizens. It standardizes data protection laws across all European Union countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also protects personal data and data protection rights by giving control back to EU citizens. It is about communicating transparently how the website and company will use personal data, and how they will protect it so that it does not fall into the wrong hands. Under the new regulation, any business that unlawfully holds or processes personal information about residents of the EU, including organizations situated outside the EU, risks a hefty financial penalty: a fine of £20 million or 4% of the company's annual turnover, whichever is higher.

What type of business must comply with this regulation?

One of the most critical aspects of the GDPR is that it does not apply only to European Union businesses: any entity, anywhere in the world, whether in the United States or China, that collects, uses, or processes the personal data of EU citizens must comply with it. The GDPR will affect your business if your website:

Uses any personal data from EU residents. If your business collects personal data from EU citizens, you need to comply with the GDPR. Personal data is any data that can be used, alone or in combination with other data, to identify a person. Personal data protected by GDPR includes name, address, ID number, health information, racial or ethnic origin, sexual orientation, political views or affiliations, religious beliefs or affiliations, genetic data, biometric data, location data, IP address, and cookie data.

Collects email addresses or newsletter sign-ups. If your website collects email addresses of EU residents for a marketing list and uses a third-party email list service, that service, too, must be GDPR compliant.

Processes data from EU citizens on behalf of another entity. If you are in hospitality, travel, software services, or any e-commerce business that serves individuals from the EU and embeds third-party services such as Google and Facebook, your website must also be GDPR compliant.

How to make your website GDPR compliant

When consumers visit and interact with your website, GDPR requires you to make what is happening as clear and transparent as possible. You need to show consumers what information you are gathering, offer options for consent, and be able to delete that information from your systems as soon as clients ask you to. To make this possible, you need to make some changes to your website to stay on the right side of the law and protect your customers. Some of the changes include:

Privacy Policy. First, analyze the data you are gathering and assign a Data Protection Officer (DPO) responsible for monitoring this data. Then revisit your existing privacy policy and set out what personal information you are collecting. Your privacy policy needs to be concise, transparent, and easily accessible, showing how and why you capture data, where you store it, how long you intend to keep it, how people can view the information you have saved, and finally how they can have their data deleted from your systems.

Website Forms or Opt-in. Forms that invite users to subscribe to newsletters or indicate contact preferences must no longer include pre-ticked boxes; a pre-ticked box is implied consent, not consent freely given. Users should be able to give separate consent for different types of processing.

Easy to Withdraw Permission or Opt-Out. It must be as easy to withdraw consent as it was to grant it, and individuals must know they have the right to withdraw it. This means a consumer can selectively unsubscribe from specific types of communication, change the frequency of contact, or stop all communications entirely.

Online Payments. If you are an e-commerce business, you will likely use a payment provider for financial transactions. Your website may be collecting personal data while passing the payment details on to that provider, so your site is storing personal information even after the details have been passed along. You must modify your web processes to remove that personal information after a reasonable period, for example 30 days. The GDPR does not specify a number of days; it is your own decision what can be defended as reasonable and necessary.

Cookies. Some companies use cookies to track consumers' activity online for marketing purposes. Your privacy policy needs to state specifically that cookies are used on your website, and customers can also opt out of cookie tracking in their browser's privacy settings.
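As an added example (not code from the original post), the following JavaScript sketches how a site's back end can implement the opt-in, opt-out, and retention points above in one small consent record: every purpose starts unchecked, consent is tracked per purpose, withdrawal is the same one-step call as granting, and personal data is stripped on request or once a retention period expires. The purpose names and the 30-day window are assumptions for illustration.

```javascript
// Added example, not from the original post. Purpose names and the
// 30-day retention period are assumed values for illustration only.
const PURPOSES = ["newsletter", "analytics_cookies", "marketing_cookies"];
const DAY_MS = 24 * 60 * 60 * 1000;
const RETENTION_MS = 30 * DAY_MS; // "reasonable period", e.g. 30 days

// A new sign-up: the email plus one consent flag per purpose. Every flag
// defaults to false, so a form rendered from it has no pre-ticked boxes.
function newSignup(email, now = Date.now()) {
  const consent = {};
  for (const p of PURPOSES) consent[p] = { granted: false, updatedAt: now };
  return { email, consent, createdAt: now };
}

// Record a consent decision for a single purpose, with a timestamp so the
// site can later show when (and whether) consent was given or withdrawn.
function setConsent(record, purpose, granted, now = Date.now()) {
  if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
  record.consent[purpose] = { granted, updatedAt: now };
  return record;
}

// Granting and withdrawing are the same single operation, so withdrawal is
// exactly as easy as the original opt-in.
const grantConsent = (r, p, now) => setConsent(r, p, true, now);
const withdrawConsent = (r, p, now) => setConsent(r, p, false, now);

// Any processing step asks this before using the data for a purpose.
function isAllowed(record, purpose) {
  return record.consent[purpose]?.granted === true;
}

// Erasure on request: drop the personal field immediately but keep the
// consent state, so a withdrawn preference is still honoured afterwards.
function erasePersonalData(record, now = Date.now()) {
  const { email, ...rest } = record;
  return { ...rest, erasedAt: now };
}

// Retention purge: erase personal data from every record older than the
// retention period; records still within the period are returned unchanged.
function purgeExpired(records, now = Date.now()) {
  return records.map((r) =>
    "email" in r && now - r.createdAt >= RETENTION_MS ? erasePersonalData(r, now) : r
  );
}
```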

GDPR presents a real opportunity for organizations to drive data efficiencies. Since it is a new regulation, business owners may find it challenging to get right. For more information on GDPR, visit the following links.

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

https://ec.europa.eu/justice/smedataprotect/index_en.htm

https://ico.org.uk/