GDPR for your website
Ten Things You Need To Know
Unless you’ve been living under a rock, you will have seen the acronym GDPR in articles you have been reading and posts you have seen across platforms like LinkedIn.
GDPR, which stands for General Data Protection Regulation, will affect any organisation that processes the personal data of people in the EU, wherever that organisation is based. It replaces the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) and reflects the key technological, digital and social changes that have happened since that law came into force in the 1990s.
In a nutshell, it means that you have to ensure your data subjects (customers) give clear and unequivocal consent to having their personal data captured, stored and used, and are told what the purposes for this are. Consent is one of several lawful bases the Regulation recognises, but for marketing data it is usually the one you will be relying on. This applies to the gathering of new personal data and also to the data you already hold on past customers.
As well as changing data gathering processes, GDPR has redefined what officially counts as “personal data”, i.e. information that could be used to identify someone. The definition now explicitly covers the online identifiers that help build up a picture of who your customers are.
Here are ten really important points to note about GDPR.
1. Email marketers need to vet their data and data suppliers
If you buy email data from a third party supplier, you will need to make sure it has been gathered in a way that meets GDPR’s standard of consent, and be able to show that. If you have gathered your email data yourself, you will need to evaluate the methods by which you collected it, and re-obtain permission from data subjects if their consent was assumed or the box was pre-selected. Double opt-in is not mandated by the Regulation, but it is the simplest way to prove that a clear affirmative action actually took place.
2. Retargeting campaigns will be affected
Retargeting users is now likely to require their consent under GDPR, because the cookies and device identifiers it relies on are personal data.
According to Campaign Live, brands are going to have to get creative with their online offering or invest in a more “in the moment” approach to marketing. Brands are excited about “moment marketing”; a way of targeting the customer based on what is happening around them at the time, without knowing who they are.
They say that brands will need to: “Ask permission of the user to do this (retargeting). It is likely that many users will refuse permission to have ads follow them around the internet. What was previously referred to as “the right side of creepy”, may become marginalised”.
3. The definition of personal data has changed
GDPR has expanded personal data to include online identifiers such as IP addresses, cookie IDs, location data and information about the device used to access the website. You need a lawful basis to store and process this data, and for tracking and profiling that will usually mean consent.
Data that has been hashed or encrypted is still personal data and is covered by GDPR: hashing is not encryption, and neither of them is anonymisation, because if the original value can be recovered, or matched against a list of candidate values, the data still identifies someone. Having said that, if you pseudonymise your data, you “will benefit from relaxations of certain provisions of the GDPR, in particular with respect to data breach notification requirements (because loss of pseudonymised data is unlikely to create risk of harm)”.
Pseudonymising data takes “the most identifying fields within a database and replaces them with artificial identifiers, or pseudonyms; for example, a name is replaced with a unique number. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing and data retention”.
Be careful though, because this process does not anonymise the data: whoever holds the lookup table (or the key) can reverse it, and the remaining fields can often be matched against other records. Treat it like you would any other form of personal data, and keep the lookup table or key separate from the pseudonymised records, with tighter access controls. You can find out more about making pseudonymised data GDPR friendly here.
4. The definition of consent to use data has changed
Consent to collect, store and use data can no longer be assumed or implied. Data subjects must indicate that they are happy for this to happen, which means they must do something clearly affirmative.
A key example of this is a form with the consent-to-contact box pre-ticked. In practice, someone filling in the form in a rush would not see that box and would “consent” by default.
Under GDPR, users will have to tick that box themselves, having been fully informed as to what their data will be used for. Many sites add a second step (double opt-in): a confirmation email with an “opt in” button the user has to click before their data is used, which also gives you a record of the affirmative action.
5. Consent must be documented and proven
You will need to prove that a user has consented to have their data stored: who consented, to what purpose, how, which version of your privacy notice they saw, and when. For cookie consent, that means recording the acceptance as an event rather than just setting the cookie.
Take a timestamp (in UTC) for every grant and every withdrawal of consent, and keep an append-only log; never overwrite earlier entries.
A simple export such as a CSV is fine for showing the record to a Data Protection Officer or supervisory authority if needed, as long as the underlying log is access-controlled (it is personal data itself) and cannot be edited after the fact.
6. You’ll need to tidy up your Google Analytics accounts
First of all, review who has access to your clients’ accounts. Remove anyone who isn’t essential to the account immediately.
If clients have left the agency, remove your agency’s users from their Google Analytics property and tell them you have done so. If you can’t do this, tell the client that you still have access so that they can remove you.
Personally identifiable information can be collected via Analytics tracking, and the potential for this happening must be evaluated as soon as possible. If GA is collecting IP addresses, email addresses or phone numbers via event tracking, stop this straight away. GA also offers IP anonymisation (the anonymize_ip setting in gtag.js), which truncates the address before it is stored.
Some websites have URLs that carry a user’s personal data; one key example of this is the humble password retrieval form. It’s common for this form to generate a custom URL that includes the user’s email address, which then lands in GA as part of the page path. Ensure this does not happen: move the email out of the URL (a POST body or an opaque token) and scrub anything that still gets through before the hit is sent. Sending personally identifiable information to Google Analytics also breaches Google’s own terms of service, so Google has its own reasons to act on it.
Capture cookie acceptance as an event so that it can be logged that users are doing this. According to Cookie Law, “consent for cookies will need to become much more clearly opt-in, or at the very least soft opt-in”. Soft opt-in is where cookies are blocked when a user enters the site until they have given consent for them to be activated.
Cookies for different purposes must each obtain active assent from the data-subject.
7. Reconfirmation of consent is required if you have existing data
If you have existing customer data from past email campaigns, for example, you will need to evaluate how you obtained it and whether it was via a method acceptable under GDPR. If the data was obtained via an automatically ticked box or an “inactivity is consent” method, then you will need to get new permission to use it.
You can re-establish consent by sending an email out to customers and asking them if they are happy to opt in to data collection. Customers need to take a clear affirmative action, such as replying “YES” or clicking a confirmation link, so that consent is not assumed and the assent is recorded.
You will need to be able to prove that all existing data was gained according to the regulations of GDPR. As well as emailing, which may have a low response rate, you can send a mailing or make a phone call that is recorded. Just make sure the customer is told that the call is being recorded.
8. You must audit your data and existing procedures
Brands and digital agencies must audit their data to ensure it has been collected via active, informed consent.
Work on the opt-in statement and get this right. It tells potential data subjects what their data will be used for and gives them a chance to decline, and later to revoke, their permission.
Recording data collection acceptance so that it can be proven will be a big thing leading up to the implementation of GDPR. Start doing this now and you will have proof that you are working within GDPR best practices.
Make sure data is stored securely. What does your server look like in terms of security? Are you hosting websites that are not secure? Is every page of your website served over HTTPS with a valid, up-to-date TLS certificate?
9. Data storage rules are changing
This article fully explains what must happen to the data being stored in your servers.
10. There are big penalties for breaches of GDPR
A personal data breach must be reported to the supervisory authority within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to them, the affected individuals must be told as well.
Failing to meet the breach notification duties falls in the lower tier of fines: up to 10 million Euros or 2% of annual worldwide turnover, whichever is higher. Breaches of the core principles, including the rules on consent and data subject rights, carry fines of up to 20 million Euros or 4% of annual worldwide turnover, whichever is higher.
Now you’ve read and assimilated that list, here is a checklist we have put together for you to follow. Can you honestly say that you are compliant with each of the ten points?
- When entering any personal information, do users have to tick a box to confirm that they are happy with the details to be stored, processed and/or contacted?
- Are all permission-based checkboxes deselected by default?
- Do you obtain data from anyone under the age of digital consent (16 under GDPR, though member states may set it as low as 13) and, therefore, require parental permission to process the data? If so, do you have these safeguards in place?
- Do all newsletter opt-ins have a double opt-in? This can be in the form of a confirmation email that goes out and requires the click of a button to confirm acceptance.
- Do all users that have access to customer data have individual logins? Have you removed access from anyone who no longer needs or is no longer entitled to access that data?
- Is a timestamp taken of when permission/opt-in was obtained?
- Was all existing data obtained with the above in mind? You will need to get permission from these data subjects if not.
- Are cookies used for the tracking and profiling of customers? If so, has the website user confirmed they are happy with the use of these?
- Where is data from the website stored and processed (which systems)? Is it stored securely?
- Have you documented all systems that store data from the website and how they can be exported or deleted on an individual basis?
If you are worried about the effects of GDPR on your business, let us know and we can do an audit for you. This audit will pinpoint weak areas and give you recommendations for how to strengthen these.
Need help with GDPR?