Signals

Understanding GDPR and implementing it on your website

Understanding GDPR and implementing it on your website

The new GDPR privacy regulations for European citizens will come into effect on the 25th of May 2018. This complex set of regulations aims to protect the privacy of European citizens by regulating how their personal data is collected processed and stored. The regulations apply to any company or entity in any location that collects and processes the personal data of European citizens.

While this is a positive move for our privacy in the digital age it does place a lot of responsibility and pressure on small businesses to ensure they are complying with the regulations which by their nature are complex from both a technical and legal standpoint.

https://ec.europa.eu/info/law/law-topic/data-protection_en

There’s no doubting the complexity of understanding and implementing the GDPR and already confusion abounds regarding permissions for data collection as evidenced by cases in the UK where the data commissioner has already fined two large companies for attempting to comply with the GDPR by requesting subscription confirmation to their mailing lists.

https://www.theregister.co.uk/2017/03/28/ico_fines_flybe_honda/

The devil is in the details here and the reason for the ruling these cases is that the companies actually contacted people that had previously unsubscribed and/or had not consented to being contacted in the first place. Using this example one could construe that then only safe way of being compliant would be to delete all of your list subscribers and then ask them to resubscribe via another method such as standard email and/or social media announcements.

Consent is the key component of all email campaigns so if there is any doubt about how consent was obtained for any email address on your list then you should endeavour to get explicit consent for each individual or remove them from the list. We’ve seen this in the last number of weeks as organisations prepare for the GDPR and send out notices asking existing subscribers for confirmation or their subscriptions will be deleted after the 25th of May.

Thankfully Mailchimp have now come up with a solution that, although a bit involved, does not require unsubscribing and resubscribing your entire list.

https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms

The following is a list of the key points towards gaining GDPR compliance, it does not attempt to cover every situation but provides a good starting point for many small business websites.

- Audit site for data collection, scripts, cookies and forms

- Devise GDPR compliant privacy statement outlining which data is being collected, for what purpose, how long it’s being stored, if it’s being shared with third parties and why.

- Create popup explaining new privacy policy, compliance with GDPR and consent for acceptance of cookies.

- Modify any contact forms on your site with an explicit consent agreement checkbox. Checkbox must not be be preselected Provide a link to your privacy policy.

- Require confirmation for all mailing lists.

- Consider deleting mailing lists and signup forms entirely if they are not being used.

- Provide a method for users to contact your company/organisation to request data or data deletion from your servers. This can be by form or direct email.

- Ensure the privacy policy clearly lists the legal name of the organisation with respect to data collection.

- Where possible remove any unnecessary cookies from your site.

- Use cookie-free sharing buttons.

- Switch off any unused features in your Google Analytics account such as remarketing, demographics etc.

- Provide links to resources that help people protect their privacy such as browser privacy settings, cookie information sites.

Please get in touch to arrange a site audit and we’ll be happy to assist in getting your organisation GDPR compliant cost-effectively and with minimum disruption to your business.

Please Note:This information is offered as a resource, but does not in any way constitute professional legal advice. You should contact your legal counsel to find out how the GDPR affects you and your organisation specifically.


Photo by Ash Edmonds on Unsplash