If you follow any type of news or business outlets, you’ve likely heard about the General Data Protection Regulation, or GDPR. This landmark piece of legislation regarding data privacy rights of anyone in the European Union was passed back in April of 2016 but officially takes effect on 25 May 2018.
The primary purpose of the GDPR is to give those in the EU more control over their personal data and how it’s used. One thing that makes it so different from prior laws is its scope: the GDPR applies to anyone processing the personal data of those in the EU. So even though your business may not be in the EU, the law can still apply to you if people in the EU can interact with you.
Here are a few things you should know and a few steps every website owner should take in preparation for the GDPR. (Please note that I’m not a lawyer, and my advice or tips are not a substitute for professional, legal counsel on this matter. To ensure compliance, please work with a GDPR compliance specialist.)
Know Your Role
Certain criteria in the GDPR, and your responsibilities under it, vary depending on whether you’re a ‘controller’ or a ‘processor’. Learn the GDPR’s definitions of controller and processor to help determine what’s needed, and ensure that any third-party partners you’re working with are ready to help you meet the requirements.
The GDPR is meant to help protect personal data. This obviously applies to things like names, addresses, phone numbers, email addresses, credit card information, etc., but it can also apply to online identifiers such as IP addresses and cookie strings. If you have any forms or fields on your site that collect data, or if you use any cookie-based functionality on your site (including things like Google Analytics), you may need to make changes to your site. (This applies even if no financial transaction or purchase ever takes place.)
The GDPR also stresses the importance of consent when collecting information. Specifically, it requires consent to be ‘freely given, specific, informed, and unambiguous’. What does this mean for marketers? It means that forms should not have pre-checked boxes (people must intentionally opt in). It also means that the opt-in for each communication format should be separate, not grouped under a single opt-in. It also means any terms and conditions must be simple and easy to understand (no complicated legalese). The GDPR also says that people in the EU should be able to revoke that consent at any time, and that doing so must be simple. Evaluate how you collect consent whenever you collect data on your website, how you record it, and whether people can opt out or remove themselves easily.
Cookies are also mentioned specifically in the GDPR, as they may be used to identify individual devices and therefore potentially an individual. If you’re using cookies on your site, you will likely need to add some type of cookie opt-in process. Google has created a website devoted to this issue. There are a variety of tools or apps that can be used to inform visitors about cookies and allow them to accept or decline their use.
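As an added illustration of the consent and cookie points above (this is example code, not part of the original article or of any vendor’s tool), the following module audits a form’s opt-in checkboxes, records per-purpose consent that starts unchecked, makes withdrawal a single call, and refuses to load a cookie-setting script such as analytics until consent for that purpose has been explicitly granted. The purpose names and the field shape are assumptions for illustration.

```javascript
// Added example: consent handling that follows the GDPR properties described
// above. Purpose names and field shapes are assumptions for illustration.
const PURPOSES = ['analytics', 'newsletter', 'partner_offers'];

// Audit a form's opt-in checkboxes: none may be pre-checked and each must
// cover exactly one purpose (no bundled "I agree to everything" box).
function auditOptInFields(fields) {
  const issues = [];
  for (const f of fields) {
    if (f.checked) issues.push(`${f.name}: pre-checked opt-in`);
    if (f.purposes.length !== 1) issues.push(`${f.name}: bundles ${f.purposes.length} purposes`);
  }
  return issues;
}

// Fresh consent record: every purpose starts as not granted.
function newConsent() {
  return { granted: Object.fromEntries(PURPOSES.map(p => [p, false])), log: [] };
}

// Record a grant only when it is tied to an affirmative act by the person
// (e.g. the id of the checkbox they ticked), so the grant is unambiguous.
function grant(state, purpose, action, at) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (!action) throw new Error('consent requires an explicit user action');
  state.granted[purpose] = true;
  state.log.push({ purpose, granted: true, action, at });
  return state;
}

// Withdrawal takes no more effort than granting: one call, no conditions.
function revoke(state, purpose, at) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  state.granted[purpose] = false;
  state.log.push({ purpose, granted: false, action: 'withdraw', at });
  return state;
}

// Remove the person entirely: withdraw every purpose at once.
function revokeAll(state, at) {
  for (const p of PURPOSES) revoke(state, p, at);
  return state;
}

// Gate a cookie-setting script (e.g. analytics) on an explicit grant;
// returns whether the loader actually ran.
function loadIfConsented(state, purpose, loader) {
  if (!state.granted[purpose]) return false;
  loader();
  return true;
}
```

The `log` array is the record you would keep to show when and how each consent was given or withdrawn.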