Is your business prepared for the General Data Protection Regulation? Even if your business is located in Toronto, if it handles employee or customer personal data from the EU through its websites, you must ensure you are ready. A crucial and far-reaching piece of legislation for 2018, it will impact almost every business and government entity across the EU to some degree.
First announced in 2016, the legislation will be in place from 25 May 2018 and will comprise a range of new regulations designed to transform the way businesses are permitted to handle personal data. Organisations will be held increasingly accountable for the way in which they share, use and store information about EU employees and customers. Organisations that run apps, websites, internal databases, CRMs or even email will have to meet the new regulations.
What is the General Data Protection Regulation?
General Data Protection Regulation is a fresh set of regulations concerning data protection designed to equip EU citizens with more privacy and control regarding their personal information and how organisations use it. It will have a huge impact on website design, which in turn will have an effect on how your website integrates with digital activity such as social media, email marketing and e-commerce activities.
The regulations introduce a range of new rights for European citizens, putting additional restrictions and responsibilities on the methods used by organisations that store, collect, share and manage employee and customer data. Websites should become more transparent, consent must be given freely and specifically, and users must be kept informed.
What are the new regulations and rights?
Your business will almost certainly be affected by the General Data Protection Regulation changes. If your organisation processes, stores or collects the personal data of any UK or EU citizens, the regulations will apply to you and will affect all the data you currently have stored and all the data you will collect in future.
Provable consent must be explicitly given by the subject prior to their data being processed. For example, when an individual contacts you via your website with some form of enquiry, this does not give permission for you to add them to one of your email marketing lists. Verifiable consent must be given first, through active opt-in forms, which can be withdrawn at any time.
How Can I Make My Website Compliant?
There are several ways to make sure your website is regulation ready. Firstly, carry out a personal data audit, which will help identify all data processors; for each processor, consider what you are using the data for, where it is being stored and whether the data is still needed. The audit will also expose the weaker parts of your website, for example any insecure or unencrypted website traffic or email accounts, as well as any contact form submissions saved in your website's database that have long since been replied to or acted upon and are no longer needed.
In terms of web user experience, unsubscribing should be simple and consist of the selective withdrawal of consent relating to specific channels of communication, changing the frequency or stopping it completely. Forms that indicate contact preferences or invite customers to subscribe to newsletters must be set blank or to a default "no". The consent you ask for on your website should be separately set out on a terms and conditions page which also explains the acceptance of consent for the use of data.
If you operate an e-commerce business, your website will also be collecting personal data prior to passing the data onto the payment gateway for financial transactions. Your web processes will need to be modified to remove any personal information after a certain time period, such as 60 days. Website users should be able to give separate consent for different types of processing. For example, users should give specific permission for each type of processing such as email, post or telephone and for passing details onto third parties. Each third party must also be identified on web forms in terms of consent being granted, rather than categorised.
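The consent and retention rules described in the two paragraphs above, as an added illustration that is not code from the original post or from Blue Flamingo: every purpose defaults to "no", each channel and each named third party is a separate opt-in, withdrawal is selective and logged so it can be proven later, and order records are purged after the 60-day period the text suggests. The purpose names, form field names, subject address and order records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each channel and each named (not categorised) third party is its own purpose.
PURPOSES = ("email", "post", "telephone", "share:example-courier-ltd")  # constructed
RETENTION_DAYS = 60                       # the retention period the page suggests


@dataclass
class ConsentRecord:
    subject: str
    # Every purpose starts False: forms must never pre-tick consent.
    consent: dict = field(default_factory=lambda: {p: False for p in PURPOSES})
    history: list = field(default_factory=list)   # timestamped, provable trail

    def set_consent(self, purpose, granted, at):
        # Selective: changing one channel never touches the others.
        if purpose not in self.consent:
            raise ValueError("unknown purpose: " + purpose)
        self.consent[purpose] = granted
        self.history.append((at.isoformat(), purpose, granted))

    def may_use(self, purpose):
        return self.consent.get(purpose, False)


def apply_form(record, fields, at):
    """Only boxes the user actively ticked ('on') become grants."""
    for purpose in PURPOSES:
        if fields.get("consent_" + purpose) == "on":
            record.set_consent(purpose, True, at)
    return record


def purge_expired(orders, now):
    """Drop order records older than RETENTION_DAYS."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [o for o in orders if o["collected_at"] > cutoff]


def demo():
    # Constructed walk-through of the rules above.
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    rec = apply_form(ConsentRecord("alice@example.org"), {"message": "hi"}, t0)
    enquiry = rec.may_use("email")            # an enquiry grants nothing
    apply_form(rec, {"consent_email": "on", "consent_post": ""}, t0)
    optin = rec.may_use("email")              # only the ticked box is granted
    rec.set_consent("email", False, t0 + timedelta(days=1))   # withdrawal
    orders = [{"id": 1, "collected_at": t0 - timedelta(days=61)},
              {"id": 2, "collected_at": t0 - timedelta(days=10)}]
    return {"enquiry": enquiry, "optin": optin, "withdrawn": rec.may_use("email"),
            "post": rec.may_use("post"), "events": len(rec.history),
            "kept": [o["id"] for o in purge_expired(orders, t0)]}
```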
Many websites also use third-party marketing automation software solutions, with lead tracking applications such as Leadfeeder or call tracking applications such as Infinity Call Tracking. As the acting Data Controller, ensure you thoroughly check any applications your website is linked to, identify any compliance risk involved, and mitigate it by reviewing your contracts with software providers.
Many websites are also configured to use Google Analytics to track user behaviour. As an anonymous tracking system, it is unlikely to be affected by the regulations. Google Tag Manager is another popular tool which enables your website to pass information to third-party applications through code. If you use this tool, ensure you have a contract in place with the individuals that access it, such as a web designer, and make sure they understand their legal obligations as a data processor.
Organisations that fail to comply or experience a data breach that exposes personal data could face serious consequences. Maximum fines can be as high as four per cent of the company’s global turnover or €20m ($17.7m), whichever amount is higher.
We are offering a $250 GDPR audit of our clients’ websites from which we will provide specific compliance-related recommendations and associated costs. Please contact us on firstname.lastname@example.org if you are interested in this service.
Please note Blue Flamingo clients in Toronto with web design and maintenance agreements need not worry; we will review and implement remedies to make your site compliant at no additional cost.