The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 and it should matter to you if you are a website owner. To remain on the right side of the law, there are certain changes that you have to make to your website while also keeping customers happy.
One EU law for collecting personal data online
Earlier, each EU country had their individual privacy laws that are now being replaced by the singular GDPR. With the new GDPR replacing the Data Protection Act (DPA) of 1998, it will provide all EU citizens a higher control over all personal data that are collected from them online.
GDPR is all set to be the global standard for all data protection being applicable to everyone in Europe and also organizations and businesses situated outside Europe providing services or selling anything to people in Europe.
Even with UK leaving the EU within the next few months, businesses that are connected to EU residents directly come under the purview of the law.
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The penalties involved
In case, your website is not compliant to the new GDPR and it ends up floating it,
At first, you are given a warning and a certain time period to abide by the law
The second time you are given a reprimand
The third time you may have to suspend all data concerning EU citizens depending on the diplomatic relationship your country has with EU.
Finally, you will get slapped with a fine that can be up to 4% of your total global turnover or up to €20 million.
The elements concerned:
Data Subject, that is an EU citizen whose personal data your website collects.
Personal Data like name, address, the online id, information about demography, health or anything that is personal and unique to a person’s identity.
Data Collector that could be an individual business or an organization with a website.
Data Processor or 3rd Party Processor to whom the data collected through the website is passed on. This 3rd party maybe a virtual assistant, web developer, a web host, digital marketing company, email newsletter, plugins or any other services connected to your website.
Transfer of such Personal Data outside the EU is not permitted except to the authorized few countries. Canada is among the authorized countries and a Canadian SEO company can use the data but it can be passed out to the company’s offshore site in India as India is not among the authorized countries.
Even if your website lies outside the EU, it could be visited by any EU citizen. Also, a lot of people now hold dual citizenships which means that even if they do not live in EU and are accessing your website from a non-EU IP address, the law applies.
Immediate remedial measures for your websites
You will have to ask for the explicit consent of the users to collect their personal details such as name, email ids, phone numbers and other information.
If your website had pre-ticks on the opt-in box that made it necessary for users to actively opt-out, it has to be changed. Instead, the forms should give users an active opt-in choice.
In case you are asking your users to accept terms and conditions, a separate form asking for their explicit consent should be in place.
Each process that the website carries out should ask for separate explicit consent from the user and should not have any pre-ticks.
The forms that take in consent should be easy to use. The user should be able to give and take away consent with a simple click.
Each party for whom the consent is being taken should be clearly mentioned. If your company has sister concerns for which you would want to take the personal details, the fact should be clearly mentioned in the form.
Your website terms and conditions has to be updated saying for how long you wish to use the personal data received through your website.
In case people want their data to be moved to another provider, you will have to comply with it within four weeks and the data should be still clearly read.
For e-commerce websites or any website that has a payment gateway, it is normal that the customer information is first collected by your site and then passed on to the payment gateway. Your website process has to be modified so that all personal customer data is removed after a certain time period. Though GDPR does not mention the time period, it is up to the reasonable discretion that you can defend as necessary.
If your website makes use of any third-party marketing and tracking software, the issue lies in the grey area. These automatons receive personal data in ways for which users have not given consent. But again the suppliers of the applications assure that they are completely GDPR compliant.
In the case of a data breach, you are obliged to inform the authorities and the people affected by the breach within 72 hours of the breach intimation. Failure to do so will attract a penalty of up to 2% of worldwide annual revenue earned or €10 million, whichever is higher.
It’s your website that has to be GDPR compliant to stay away from being penalized in any way.
Be future ready on all fronts
In case you have plenty of personal data in different business places, get a documented record of them coming with explicit consent. Even when you have the consented data, it is your responsibility to keep them secure from all human and technological glitches. WordPress website users can make use of GDPR plugins to make your website GDPR complaint.
Sure GDPR will have an immense impact on the way that websites are designed and also on the digital marketing activities including social media. But, in the days to come, it is set to be the way that online personal data will be governed and you have just about the time to set it all right concerning your website to be on the right side of the international law.