What is the GDPR? The European Union has always been fairly progressive, and quite tough, in its legislation on how a person's personal data may be collected and used. But hold tight, because it is about to get tougher.
What are the fines if I don’t comply?
They are severe: for the most serious breaches, up to €20 million or 4% of worldwide annual turnover, whichever is higher.
On 25 May 2018 the European Union will begin enforcing a regulation that forces everyone who operates a website to consider how they treat their users' personal data.
The GDPR (General Data Protection Regulation) is the EU law that sets out a strict set of rules on how the personal data of people in the EU is collected, stored and managed.
But I’m not in the EU so it won’t affect my website right?
Very broadly, this will affect any website that:
1. directly markets to the EU
and/or
2. collects personal data from people located in the EU
It is the second scenario that should send a chill through website owners around the world, especially once you consider that the GDPR's definition of personal data includes IP addresses and location data.
- Does your website have some sort of analytics tracking to help you to monitor web traffic?
- Do you collect newsletter subscribers?
- Do you have a blog where folks can comment?
- Do you have an enquiry form on your website?
These are pretty standard website features these days, right?
Well, if you said 'yes' to any of the above seemingly benign functionality, then you have a problem as soon as someone in the EU happens to come across your website.
To be clear, you don't have to be actively marketing to the EU. If your site tracks its visitors (analytics, comments, forms, remarketing), they just have to land on it.
What if I have a membership system and use dynamic tags to re-market to users via third parties?
Well, then you are the target audience for these new laws and will have to consider your next moves very carefully.
OK, so how do I comply?
These laws are all about putting power back in the hands of the person visiting your website. So, immediately upon arrival and before any of your tracking code loads, you will need to inform the visitor of every way you collect and use their data, and let them opt in or out of each aspect they object to. Silence or a pre-ticked box does not count as consent; the visitor has to actively agree.
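As an added example (not code from the original page or from its authors), here is how a site could gate its third-party tracking scripts behind an explicit consent record, so that nothing loads until the visitor has opted in and anything not expressly agreed to stays off. The category names, tracker URLs, storage key and six-month expiry are assumptions chosen for illustration:

```javascript
// Added example: consent gate for third-party tracking scripts.
// Not code from the original page; the tracker registry, category names,
// storage key and expiry period below are assumptions for illustration.

// Registry of trackers, each tied to one consent category (constructed for the example).
const TRACKERS = [
  { name: 'analytics.js',       src: 'https://example.invalid/analytics.js',   category: 'analytics'  },
  { name: 'remarketing.js',     src: 'https://example.invalid/remarketing.js', category: 'marketing'  },
  { name: 'comments-widget.js', src: 'https://example.invalid/comments.js',    category: 'functional' },
];

const CONSENT_KEY = 'consent_v1';                        // assumed localStorage key
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;    // re-ask after ~6 months (policy choice)
const CATEGORIES = ['analytics', 'marketing', 'functional'];

// Parse a stored consent record. Anything missing, malformed or expired counts
// as "no consent": consent has to be an affirmative act, so the absence of a
// record can never be read as agreement.
function parseConsent(raw, now = Date.now()) {
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec !== 'object' || typeof rec.ts !== 'number') return null;
  if (now - rec.ts > CONSENT_MAX_AGE_MS) return null;
  if (!rec.categories || typeof rec.categories !== 'object') return null;
  return rec;
}

// Default deny: a category is allowed only if the record sets it to exactly true.
function consentAllows(rec, category) {
  return rec !== null && rec.categories[category] === true;
}

// Decide which trackers may load. `loader` is injected so the logic can be
// exercised outside a browser; in a page it appends a <script> element.
function loadPermittedTrackers(rawConsent, trackers = TRACKERS, loader = () => {}, now = Date.now()) {
  const rec = parseConsent(rawConsent, now);
  const loaded = [];
  for (const t of trackers) {
    if (consentAllows(rec, t.category)) {
      loader(t);
      loaded.push(t.name);
    }
  }
  // needsBanner: no valid record, so the consent banner must be shown.
  return { loaded, needsBanner: rec === null };
}

// Build the record the consent banner stores after the visitor chooses.
// Unchecked or absent categories become false; nothing is pre-ticked.
function recordConsent(choices, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) {
    categories[c] = choices[c] === true;
  }
  return JSON.stringify({ ts: now, categories });
}

// Browser wiring (runs only when a DOM is present): read consent, load what is allowed.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const appendScript = (t) => {
    const s = document.createElement('script');
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
  };
  const result = loadPermittedTrackers(window.localStorage.getItem(CONSENT_KEY), TRACKERS, appendScript);
  if (result.needsBanner) {
    // Render the consent banner here. On submit, persist the visitor's choices with:
    // window.localStorage.setItem(CONSENT_KEY, recordConsent({ analytics: true, marketing: false, functional: true }));
    // and then call loadPermittedTrackers again.
  }
}
```

The point of the design is that the trackers are not in the page's HTML at all; they are only ever appended by `loadPermittedTrackers`, which reads a record that either says `true` for a category or yields nothing. A missing, corrupted or stale record therefore loads nothing and re-shows the banner, rather than falling back to "track everything".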
Additional tasks include (but are not limited to):
- Having an easy-to-understand privacy policy that covers your cookie usage and states, for every instance in which a user's data is collected, how long you retain it
- Ensuring there is a simple process for a user to formally request all of the data you hold on them. They should also be able to ask for it to be corrected, deleted or provided in a commonly used, machine-readable portable format. You will need a procedure in place to comply with these requests without undue delay, and at the latest within one month.
One last thing…
There is no grandfathering of old data. Any personal data you previously collected from people in the EU may not be kept and used if it was obtained in a way inconsistent with the GDPR.
You may be thinking that there is a bit to unpack here in terms of how it affects your business moving forward and you may be right.
We can help…
We know the web, and we are fully across these new laws and how to minimise the impact they could have on your business.
Contact us today to learn about the various options available to assist you with minimising risk and move towards achieving compliance with these new laws.
We have created a set of tools that we can quickly implement with a small amount of input from you. We have even created some self-service options if you would like to investigate on your own: