In less than three months' time, on 25th May 2018, the UK's data protection laws will be updated and the GDPR will take effect. If you collect personal information through your website, these changes apply to you.
Here's exactly what you need to know to ensure your website is playing ball.
The General Data Protection Regulation (GDPR) is an EU regulation that will supersede the Data Protection Directive (aka Data Protection Act) in regulating how personal data can be obtained, stored and used.
Its purpose is to strengthen the position of the public in protecting their privacy online. It does so by ensuring information is secure, and only used for purposes agreed to.
It clamps down on questionable marketing practices and puts control back in the hands of the data owners.
Anyone (worldwide) who collects personal data from EU citizens and residents is a 'Data Controller' and must comply.
It also applies to anyone who processes data on behalf of a data controller ('Data Processors'), e.g. software providers like MailChimp, SalesForce, Xero and in some cases your website designers.
As a UK business it's mandatory (Brexit doesn't excuse you), and although this article focuses on just website compliance, GDPR extends to other areas of your business too. Any personal data you collect, irrespective of how you collect it, needs to be handled in compliance with the GDPR.
From comments in a blog post, to names and contact details from a restaurant feedback card, the Data Controller shall be accountable for obtaining, securing and using it appropriately.
We're just covering compliance of your website, but the full documentation for the GDPR provides information on the wider policy landscape.
It's simple. Clearly explain why you're collecting personal information and what you will do with it. Detail why it's necessary or beneficial in a way that's easy to understand, and there is more chance people will agree to it.
Ambiguity (deliberate or accidental) is bad for business. It will turn people away and it could land you in the mix with the 'GDPR rozzers'. Be open, be honest and be relevant.
If your audience is young, you'll need the consent of a parent or guardian.
And you have to make it simple for people to revoke their consent. It's got to be just as easy as giving it.
There may be circumstances where it's just not possible to obtain consent but the data you hold is essential to your business.
Maybe your website uses personal data to deliver a personalised experience to customers.
Maybe it relies on using data in a way that is expected.
If so, you can claim to have a 'Legitimate Interest pursued by a controller'.
There's such huge scope for interpretation, it isn't something we can cover now. We simply advise seeking legal advice if you think 'legitimate interest' fits your type of usage.
Applying an SSL certificate (so your site is served over HTTPS) to encrypt traffic between your visitors' browsers and your server is a first step to protecting the data you collect. If you don't have one already, you should get one. It's already best practice and they are readily available, so speak to your web developer about it.
If you collect and hold personal information in volume, or for any length of time, it's also worth considering 'pseudonymisation'.
In simple terms, it's a process of splitting the data to make it less meaningful on its own. Instead of storing everything in one location, you store the contact names separately from the rest, linked only by an artificial identifier.
It adds a layer of protection: in the event of a security breach, the data obtained from one location could no longer be tied to an identifiable person by itself.
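The split described above, as an added example (not code from the original article): identity fields and the rest of a record go to two separate stores, joined only by a random pseudonym. The store names, field names and the sample record are all constructed for illustration; in practice the two stores would be separately secured (e.g. different databases with different access rights).

```python
import secrets
from typing import Dict

# Two separate stores stand in for two separately secured locations (constructed).
IDENTITY_STORE: Dict[str, dict] = {}   # pseudonym -> name/contact details (restricted access)
RECORD_STORE: Dict[str, dict] = {}     # pseudonym -> everything else about the person

IDENTITY_FIELDS = ("name", "email", "phone")   # assumed set of directly identifying fields


def pseudonymise(record: dict) -> str:
    """Split a record: identifying fields go to IDENTITY_STORE, the rest to
    RECORD_STORE. The only link is a random pseudonym, which cannot be
    derived from the person's details (unlike a hash of the e-mail address)."""
    pseudonym = secrets.token_hex(16)
    identity = {k: record[k] for k in IDENTITY_FIELDS if k in record}
    rest = {k: v for k, v in record.items() if k not in identity}
    IDENTITY_STORE[pseudonym] = identity
    RECORD_STORE[pseudonym] = rest
    return pseudonym


def reidentify(pseudonym: str) -> dict:
    """Join the two halves back together; needs access to both stores."""
    return {**IDENTITY_STORE[pseudonym], **RECORD_STORE[pseudonym]}


def erase(pseudonym: str) -> bool:
    """Right to be forgotten: both halves must go, not just the identity."""
    had_identity = IDENTITY_STORE.pop(pseudonym, None) is not None
    had_record = RECORD_STORE.pop(pseudonym, None) is not None
    return had_identity or had_record


if __name__ == "__main__":
    # Constructed sample record, not real data.
    p = pseudonymise({"name": "A. Customer", "email": "a@example.com",
                      "plan": "gold", "last_order": "2018-02-14"})
    print("record store alone holds:", RECORD_STORE[p])
    print("rejoined:", reidentify(p))
```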
It's important to remember that as a Data Controller, you never own the data you hold. You're a custodian trusted to use it properly and keep it safe.
In the event of an investigation, the GDPR will require proof of consent, which means being able to demonstrate something that is otherwise particularly hard to prove after the fact.
Like it or not, your business procedures need to change to protect yourself, and to serve the requests of your data subjects when they exercise their GDPR rights. They can ask to:
And you get just one month to comply.
I'll try to summarise in broad terms what the GDPR changes will mean to marketers:
'Opt-Out' clauses can sometimes lead to consent being granted accidentally, or without any meaningful or informed action taking place.
So requesting people 'opt-out' of marketing will be illegal under the GDPR - plain and simple.
According to GDPR Conditions of Consent (Art. 7), using an 'opt-in' tick box is the only compliant option for obtaining consent. It states:
'the [data] controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data',
and 'Recital 32 - Conditions for Consent', which states:
'Silence, pre-ticked boxes or inactivity should not therefore constitute consent'.
The message is pretty clear. Compliance means switching from opt-out to opt-in, for all applicable web forms.
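As an added example (not code from the original article), here is the server-side half of an opt-in form: consent is recorded only when the box was actively ticked, and every consent is logged with the evidence a controller would need to demonstrate it (who, when, which wording, from which form), with withdrawal being a single call that is just as easy. The field names, the consent text version and the sample submissions are constructed; the checkbox markup itself must not carry the `checked` attribute, since an unticked box is simply absent from the submission.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Exact wording shown next to the tick box at the time (constructed placeholder).
CONSENT_TEXT_VERSION = "marketing-consent-v1 (2018-03-01)"

# Append-only audit trail; withdrawals are recorded, not deleted, so both the
# consent and its withdrawal can be demonstrated later.
CONSENT_LOG: List[Dict] = []


def record_consent(form: Dict[str, str], email: str, source: str) -> Optional[dict]:
    """Accept consent only as an affirmative action. A checkbox the visitor left
    unticked is not in the submission at all, so silence/inactivity never
    counts; the markup must not pre-tick the box (assumed field name below)."""
    if form.get("marketing_opt_in") != "yes":
        return None
    entry = {
        "email": email,
        "when": datetime.now(timezone.utc).isoformat(),
        "what": CONSENT_TEXT_VERSION,   # which wording the person agreed to
        "how": source,                  # which form / page collected it
        "withdrawn": None,
    }
    CONSENT_LOG.append(entry)
    return entry


def withdraw_consent(email: str) -> int:
    """Revoking must be as easy as giving consent: one call marks every active
    consent for this address as withdrawn and returns how many were closed."""
    now = datetime.now(timezone.utc).isoformat()
    closed = 0
    for entry in CONSENT_LOG:
        if entry["email"] == email and entry["withdrawn"] is None:
            entry["withdrawn"] = now
            closed += 1
    return closed


def has_active_consent(email: str) -> bool:
    """Check before sending marketing: is there an un-withdrawn consent?"""
    return any(e["email"] == email and e["withdrawn"] is None for e in CONSENT_LOG)


if __name__ == "__main__":
    # Constructed submissions: one without the box ticked, one with it ticked.
    print(record_consent({"name": "A"}, "a@example.com", "newsletter-form"))
    print(record_consent({"name": "A", "marketing_opt_in": "yes"}, "a@example.com", "newsletter-form"))
```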
GDPR infringements carry a penalty of up to €20 million or 4% of total worldwide annual turnover (from the previous year's trading), whichever is larger.
Public authorities and large organisational bodies must appoint a Data Protection Officer (DPO) to oversee all aspects of data protection and act as a contact point for the authorities.
It's an independent position which cannot be influenced by the data controller or data processor.
For smaller organisations, we think it's wise to appoint someone with GDPR knowledge to ensure you always remain compliant in the future.
The GDPR gives 'data subjects' the right to manage their data in various ways.
They can request corrections, a breakdown of their data profile and its use, a copy of their data in a transferable file format (like a .CSV file) and exercise their 'right to be forgotten', which means data controllers must erase EVERYTHING, in full, without question, as if they never existed.
That's the reach and extent of the changes. Now here's what you can do about it.
Becoming compliant depends entirely on what your website does, because that in turn will influence the data you collect. The more you collect or the more ways you want/need to use personal data, the more explaining you'll need to do.
Auditing your website can give you a detailed picture of the data you manage. It's something you can do yourself, or there are resources available that can help you.
In all cases, the key to it is transparency and a 'personal data audit' will give you a baseline position to work from.
The audit should detail:
Check that the information is accurate and complete. Then you can analyse where there are weaknesses, in GDPR terms, that need addressing. We suggest the following:
Remember: the data you collect is still YOUR liability, so it's essential your third parties are fully compliant.
If they have no intention of doing so (as ridiculous as that sounds), you'll need to:
If your audit uncovers old data that you no longer use or need, get rid of it permanently.
Any data you still want to use should be included in a GDPR compliant 'consent request' campaign, to be run before the deadline.
We suggest setting up a mailbox or email forwarder specifically for GDPR enquiries. Something like 'GDPR@yourcompany.com' that your Data Protection Officer can manage.
If your website enables customers to manage their own preferences for marketing contact, ensure the interface adheres to GDPR regulations for obtaining consent via web forms, and that applicable privacy statements are clear and obvious.
The ICO's downloadable document 'GDPR Consent Guidance' details 5 rules that compliant webforms must adhere to. They are:
There's also one more form-related no-no.
In larger websites, the GDPR can affect many areas of your website in different ways. If that applies to you, we suggest that each data collection point (web form) also contains an excerpt from your audit that relates directly to it.
Placing the relevant information 'front-and-centre' sends a clear statement that you take GDPR compliance seriously and that you're trustworthy.
Every business is different and there may be extra considerations applicable to yours, that go deeper than the points covered here. Even if this covers your needs entirely, I still recommend getting your audit and GDPR-ready website reviewed by a GDPR specialist.
While the GDPR is an EU regulation, it's also a major contributor to online safety and security on a global scale. It enforces a positive change for the good of the entire online landscape. The benefits to you and me as individuals are clear.
Despite the upheaval involved in preparing and implementing it, over time the GDPR stands to benefit businesses too.
How will the pain ever be worth the gain?
It may be away in the distance, but when the law changes many businesses will be forced into adopting a more ethical approach to personal data.
Many will see their marketing database shrink significantly as people exercise their right to withhold consent in the lead up to May 25th, and those records must then be permanently deleted.
But this is really just an enforced spring clean!
Clearing out dead wood to make room for new prospects of a higher value will, over time, see the asset value of your marketing database increase, and so will the level of trust your customers place in you.
The opt-in approach to consent will mean you only gain genuine prospects from now on. Anyone who might otherwise have consented mistakenly will be gone. Your marketing campaigns can be better targeted and you can expect your email open rates and click-throughs to improve, as you deliver more relevant material to a genuinely interested audience.
Your marketing database may grow more slowly, but filling it up with wastrels was never benefiting you anyway, so while there's no gain without pain, once it's done you'll end up better for it.