May 25, 2018 – One data protection regulation to rule them all… Noticing all of the re-opt-in emails in your inbox today and privacy policy notices all across the web? You can thank GDPR.


What is GDPR?

The General Data Protection Regulation (GDPR) is a new European Union (EU) privacy and human rights law that replaces the 1995 Data Protection Directive (DPD). The regulation (99 articles over 200 pages) aims to give EU citizens and residents more control over their personal data while simplifying and unifying regulation within the EU. It contains new requirements on how personally identifiable information (PII) of data subjects within the EU is processed, regardless of where the processing takes place. Simply put, the regulation restricts what companies can do with your data, gives you more control, and requires companies to be straightforward, in simple language, in their privacy policies.


Why was GDPR Introduced?

The old regulations were written before smartphones, and companies like Google and Facebook, began collecting massive amounts of sensitive user information.

GDPR places restrictions on what organizations can and cannot do with personal data. It gives users more clarity on what data is collected and how companies use it.


What is PII under GDPR?

GDPR considers Personally Identifiable Information (PII) to be any data that can identify a person – name, phone number, username, IP address, or location data. Information such as sexual orientation, health data, and political opinions is treated as sensitive information under GDPR.


When is GDPR Effective?

May 25, 2018.


Who does GDPR affect?

You will need to opt in to allow an organization to use your data. Under these guidelines, you may notice websites with fewer preselected contact form checkboxes, and organizations will be directed to use clearer language in their notices and privacy policies.

Even though this is an EU regulation, it has a huge effect on businesses outside the EU, including the United States. Many businesses collect or use EU residents’ data and also rely on companies based in the EU for services and data processing.

Anyone who collects user information from any person in the EU must obtain consent to collect and process that information. If your website analytics do not show a visitor’s country of origin, that visitor will need to be treated as if they were from the EU.


What can people do about their data?

People can request a copy of their data from a website and/or have that data removed. The organization must then verify the user’s identity via their email address and comply with the request within one month, at no fee to the user.


What if I don’t comply with GDPR?

The penalty could be up to €20 million or up to 4% of global revenue, whichever is greater.


How to Make My Website GDPR Compliant?

Organizations will need to assess their own data collection and data storage practices while seeking legal advice to ensure that their business practices will be GDPR compliant.

Areas to consider will be:

  • What personal data do we collect and store?
  • Have we obtained the data fairly? (Through opt-in consent of the user, for a specific, stated purpose, and with the right to withdraw consent at any time.)
  • What are our data retention needs? (How long do you need to keep data for necessary business processes? Limit retention to the minimum required. Data, even if archived, will need to be maintained and kept up to date.)
  • How is the data being protected? (What security measures are in place to appropriately protect against the risk of a data breach? Would data encryption or pseudonymization be needed to protect stored data? Is access to data limited to authorized personnel, and only for necessary business processes?)
  • Is sensitive information such as sexual orientation, political affiliation, etc. being collected, processed, and stored?
  • Are third parties processing information on our behalf? Is any data processed outside of the EU?


Once these and the other considerations from the GDPR guidelines have been identified and adequate processes are in place to be GDPR compliant, the following should be configured on your website:

  1. A privacy policy page will need to be placed on your website detailing many of the bullet points from above and more.
  2. Any email communications such as newsletters will need to have subscribers re-opt in for their consent to receive these communications.
  3. Forms can no longer have automatically checked boxes for opt-in communications. If filling out an offer form, the user is to only receive that specific offer and no further communications unless they specifically opted in for ongoing communications. These boxes need to default to “no” or be blank. Be sure to check all of your forms on your website to ensure this is fixed.
  4. Unbundled Opt-In – If asking for a user’s contact consent, it needs to be separate from terms and conditions.
  5. Granular Opt-In – Users should be able to provide separate consent for different types of data processing.
  6. Withdraw Permission or Opt-Out – It must be just as easy to remove consent as it was to provide it in the first place. Users need to know they always have the right to withdraw their consent.
  7. Named Parties – If a user is opting in to communications from multiple parties, you need to provide an individual opt-in for each party so the user consents to each one separately.
  8. Online Payments – Personal information needs to be removed from stored payment processing data.
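As an added illustration of items 3 through 7 (this is example code, not code from the original post), the following module audits a form definition for preselected or bundled opt-in boxes and keeps a granular, per-party consent record in which withdrawing consent is a single call, just like granting it. The field names, purposes, and party names are constructed for the example.

```javascript
// Added example: consent handling that follows the opt-in rules above.
// Field names, purposes and parties below are constructed, not real.

// Audit a form definition. Every opt-in checkbox must default to unchecked
// (item 3) and must not be bundled with terms and conditions (item 4).
function auditConsentForm(fields) {
  const problems = [];
  for (const f of fields) {
    if (f.type !== "checkbox" || !f.optIn) continue;
    if (f.checkedByDefault) problems.push(`${f.name}: opt-in box is preselected`);
    if (f.bundledWithTerms) problems.push(`${f.name}: consent bundled with terms and conditions`);
  }
  return problems;
}

// Granular (item 5), per-party (item 7) consent record. Each entry is keyed by
// purpose and party, so consenting to one party's newsletter implies nothing
// about any other purpose or party. Every change is timestamped for the log.
function createConsentRecord(now = () => new Date().toISOString()) {
  const grants = new Map();
  const key = (purpose, party) => `${purpose}|${party}`;
  return {
    grant(purpose, party) { grants.set(key(purpose, party), { given: true, at: now() }); },
    // Withdrawal (item 6) is exactly as easy as granting: one call, no extra steps.
    withdraw(purpose, party) { grants.set(key(purpose, party), { given: false, at: now() }); },
    has(purpose, party) { const g = grants.get(key(purpose, party)); return !!(g && g.given); },
    // Snapshot of every decision with its timestamp, for the privacy log.
    export() { return Object.fromEntries(grants); },
  };
}

// Constructed sample form: one compliant box and two that violate the rules.
const SAMPLE_FORM = [
  { name: "terms", type: "checkbox", optIn: false, checkedByDefault: false },
  { name: "newsletter", type: "checkbox", optIn: true, checkedByDefault: true, bundledWithTerms: false },
  { name: "partner_offers", type: "checkbox", optIn: true, checkedByDefault: false, bundledWithTerms: true },
];

console.log(auditConsentForm(SAMPLE_FORM));
```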

Is this hurting or helping?

For a consumer, this is great. You have so much more control over your data and how companies collect and process your data.

For organizations, it’s a huge headache to go through the legal process of becoming GDPR compliant and then to hire resources for continued compliance thereafter. Big companies such as Google and Facebook currently have a large target on them, with $8.8B in lawsuits as of today. Many smaller and mid-sized companies that are not fully compliant are actually blocking traffic from the EU until they can become compliant, because the expense and the new rules are too much to handle. Blocking traffic from countries tends to have a negative effect on a company’s search engine ranking, but if there is a huge risk of facing fines and/or lawsuits, it seems that for some companies it is worth it temporarily until they can get a handle on everything.


What’s Next?

Currently, it is estimated that 60-80% of companies are not fully compliant. GDPR is not a destination but an ongoing journey of protecting user data and privacy. We’ll be hearing much more industry news on how this is affecting businesses around the world. If you have spare time – lol… you can read the full GDPR regulation: https://gdpr-info.eu


Disclaimer: We are not lawyers or a law firm. Information in this article is not guaranteed to be correct. We do not offer legal advice. We recommend that you consult a qualified attorney to help you become GDPR compliant.