The General Data Protection Regulation (GDPR): What You Need To Do
The General Data Protection Regulation (GDPR) is a European Union privacy law that sets a very high bar for privacy and compliance standards. It will be enforceable from May 25th 2018 and the potential fines are enormous (20 million euros or 4% of global annual turnover, whichever is higher), so you need to make sure your business is ready.
NOTE: We hope you find this guide useful, but please note that it is for informational purposes only and should not be relied on for legal advice. We highly recommend that you work with professional legal counsel to determine precisely how the GDPR might apply to your organisation.
Who does the GDPR affect?
Bottom line: pretty much every organisation. If you are in the EU or deal with information about people from the EU, it will apply to you. It doesn’t matter where a company is based: if it handles any personal data about EU citizens, this regulation is something you have to abide by.
What is ‘personal data’?
This definition is now much broader: it means any data that is associated with an identified individual or could be combined with other data to identify an individual. So as well as what we usually understand to be personal data (name, email address, postal address etc.) it now also includes analytics and profiling data such as IP addresses, location data, behavioural records and financial information.
This means that pretty much every website will be processing ‘personal data’ of its visitors, most commonly through contact forms and web analytics.
New rights for individuals
As well as expanding the scope and the core definition of personal data, the GDPR gives new protected rights to individuals:
- The Right to be Forgotten: An individual must be able to request that an organisation deletes all data held about them and have that request actioned without unnecessary delay.
- The Right to Object: An individual must be able to prohibit certain uses of their personal data.
- The Right to Rectification: An individual must be able to correct or complete the data held about them.
- The Right of Access: An individual must be able to find out what data is held about them and how it is being used.
- The Right of Portability: An individual must be able to request that data held about them by an organisation is transferred to a different organisation.
New requirements for getting consent
The GDPR requires that an organisation has a ‘legal basis’ for processing an individual’s personal data. While there are several legal justifications that may apply, the easiest and most robust way is to make sure you’ve gained explicit consent to use the data.
The GDPR has put in place stricter requirements around gaining consent of a person to use their personal data.
- The consent must be specific to the distinct purposes you are collecting data for. You will need to avoid catch-all statements like “and other marketing purposes.”
- The consent must be given through an action. Implied consent like “by continuing to use this site you consent to us using your data” isn’t good enough. You can’t use pre-checked tick boxes in your forms to provide consent either.
- The consent must be explicitly obtained for each processing activity you perform on the data. This means you’ll need to be clear about all the different purposes you’ll be using the data for when you first gain consent. If you later start using your gathered data for a new purpose, you’ll need to get new consent for it.
So what do you need to do?
While each organisation uses their data in different ways and so will need their own plan for GDPR, there are some common actions that will apply to most of us:
- Update your contact forms with a consent checkbox (set to unchecked by default).
- Write a ‘How We Use Your Data’ page outlining the way you store personal information and all of the different uses of it. Identify third-party services and their uses. Link to this page from your contact forms.
- Use a ‘double opt-in’ for your email lists if possible, and link back to your ‘How We Use Your Data’ page to give people a record of what they’ve consented to.
- Check with all of the third party services you use (cloud storage, analytics, form integrations, CRM, marketing automation etc.) and get updated contracts from them outlining how they comply with the GDPR. If the service is based outside the EU, make sure they meet an equivalent standard such as the Privacy Shield if they haven’t provided GDPR-specific contracts.
- On your website and in emails, give your users a way to contact you if they want to view, delete, amend or transfer the data you hold on them. You can put these contact details on your ‘How We Use Your Data’ page and link to that. You could also consider setting up a specific email address (firstname.lastname@example.org) to make it clear.
- You will need to gain new consent from everyone you hold personal data on UNLESS you already have consent that meets the requirements of the GDPR.
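The consent rules above (unchecked by default, an affirmative action, specific purposes, a record of what was agreed, double opt-in, and new consent for a new purpose) turned into a small server-side check. This is an added example, not code from the original article; the form field names, the catch-all purpose pattern and the record layout are assumptions.

```javascript
// Constructed example: validate a contact-form consent submission and keep a
// record that can be checked later when a new processing purpose comes up.

// A purpose like "and other marketing purposes" is not specific enough.
// (Assumed pattern; tune it to the wording your forms actually use.)
const CATCH_ALL_PATTERN = /\b(other|any)\b.*\bpurposes?\b/i;

// Returns a list of problems; an empty list means the consent is acceptable.
// `form` mirrors the fields a contact form posts (assumed field names).
function validateConsent(form) {
  const errors = [];
  if (form.consentDefaultChecked) {
    errors.push('consent box must be unchecked by default');
  }
  if (!form.consentChecked) {
    errors.push('consent must be given through an affirmative action');
  }
  if (!Array.isArray(form.purposes) || form.purposes.length === 0) {
    errors.push('at least one specific purpose must be stated');
  } else {
    for (const p of form.purposes) {
      if (CATCH_ALL_PATTERN.test(p)) errors.push(`catch-all purpose: "${p}"`);
    }
  }
  if (!form.privacyPolicyVersion) {
    errors.push('record which "How We Use Your Data" version was shown');
  }
  return errors;
}

// The record you keep as evidence of exactly what the person agreed to.
function buildConsentRecord(form, now = new Date()) {
  const errors = validateConsent(form);
  if (errors.length > 0) throw new Error(errors.join('; '));
  return {
    email: form.email,
    purposes: form.purposes.map((p) => p.trim().toLowerCase()),
    privacyPolicyVersion: form.privacyPolicyVersion,
    consentedAt: now.toISOString(),
    confirmed: false, // stays false until the double opt-in email is acted on
  };
}

// Call when the double opt-in link in the confirmation email is followed.
function confirmOptIn(record, now = new Date()) {
  return { ...record, confirmed: true, confirmedAt: now.toISOString() };
}

// Before processing stored data for a purpose: is fresh consent needed?
function needsNewConsent(record, purpose) {
  const wanted = purpose.trim().toLowerCase();
  return !record.confirmed || !record.purposes.includes(wanted);
}
```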
Will this change after Brexit?
Not really, no. Not only does the GDPR still affect any companies outside the EU that deal with the data of EU citizens, but the UK is also planning an almost identical Data Protection Bill to replace it.
Change ahead for everyone
While there are a lot of vital changes ahead for almost every organisation, remember that these protections are good for your website users and that transparently doing business with other companies that value and protect their customers’ privacy is only going to be beneficial to your organisation’s image.
The privacy issue is only going to get more important, so get out ahead of it.
Want to talk through what you might need to change on your website?