The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. What is it and why does it matter to you, your website and online marketing? A detailed discussion and resource links follow, but first a quick guide to what you need to do.
NB this information is intended to be helpful but does not constitute legal advice.
Put simply, GDPR is new European legislation which puts the onus on you to acquire, transfer, store and use customer information of any kind (even just a name, IP address or email) safely and lawfully, which for most small businesses means with clear consent. This is a step up from earlier data protection law, and comes with big teeth: fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements.
While GDPR’s main focus is on what data you store and how (see the hubspot checklist here), it also sets standards for clear and safe methods of data collection and use. If you use your website to collect information about your visitors, collect payments or use stored customer information for your online marketing, then you should have the following.
- SSL (TLS) certificate on your website, with the whole site served over HTTPS
- Cookie consent form on your website
- Contact forms that are both displayed and submitted over HTTPS
- Clear request for consent where you are asking for customer details
- Double opt-in consent when creating mailing lists, and clear unsubscribe options when mailing
- Online payment systems that hand card details directly to a reputable payment processor over an encrypted connection, so card numbers never pass through or sit on your own server
- Display a policy on customer data safety, respect for privacy and deletion on request
- A mechanism to delete customer information as soon as it is no longer needed
- A regular check on the GDPR policies and compliance recommendations of all the relevant software suppliers that you use, large and small
What is GDPR?
European legislation to tighten up regulations about how personal data is collected, stored and used. The Irish Data Protection Commissioner (gdprandyou.ie) tells us that “GDPR significantly changes data protection law in Europe, strengthening the rights of individuals and increasing the obligations on organisations.” UK information commissioner Elizabeth Denham says that the biggest difference refers to accountability. “The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organization.”
What is Covered?
Like most legislation, GDPR sets out rules which, though complex, will become clearer when tested and refined by subsequent case law. However, this is no reason to wait and see. The penalty for failing to comply can be as high as €20 million or 4% of your global annual turnover, whichever is higher.
What Data Are We Talking About?
It’s very broad. The legislation calls it “any information relating to an identified or identifiable natural person”. This includes name and contact information (email, phone number, address etc.) and also bank details and IP address. But it can obviously extend to marketing and customer profiles such as purchase or service history, preferences, habits and payment histories.
An essential difference is in how consent works. Previously a pre-ticked box or an opt-out was widely treated as consent to data being stored. Under GDPR consent only counts if the customer actively opts in. Consent is one of several lawful bases for processing (a contract with the customer, such as an order you need to fulfil, is another), but where you rely on consent, obtaining it and keeping a record of it is now an essential part of collecting and keeping customer information.
What is an Infringement and what are the Penalties?
Infringements are listed more fully at https://www.gdpr.associates/data-breach-penalties/.
A summary of the parts relevant to this article is:
The lower level of fine, up to €10 million or 2% of the company’s global annual turnover, will be considered for infringements listed in Article 83(4) of the General Data Protection Regulation.
This includes infringements relating to:
- Integrating data protection ‘by design and by default’
- Security of processing data
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
The higher level of fine, up to €20 million or 4% of the company’s global annual turnover, will be considered for infringements listed in Article 83(5) of the General Data Protection Regulation.
This includes infringements relating to:
- The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organisation
How Does this Affect Online Marketing?
The key is to aim for security and consent in all matters relating to customer data, and that the data you keep is deleted when no longer needed. Taking reasonable steps in these areas is essential so that in the event of a data breach you are not seen to have been negligent. Your customers should at all times feel that data about them is only kept with their consent, is kept safely and will be deleted if they request it. This obviously relates to all CRM and customer files, but in the context of online marketing it relates specifically to your website, online payment, online marketing and billing systems.
What You Need
Here is a list of reasonable steps you should take to comply.
Website: Cookie Consent
If your website is being used to collect information about visitors using cookies for Google Analytics, re-marketing or some kind of audience monitoring like the Facebook pixel, then you should let visitors know. This means adding a cookie warning and consent notice to your website that makes accepting cookies an active choice and does not (as many cookie notices do) assume consent if no action is taken. In practice the tracking scripts themselves must not run until the visitor has opted in; a banner that appears while the Facebook pixel is already firing in the background does not achieve anything. IT Governance has definitive advice.
To become compliant, organisations will need to either stop collecting the offending cookies or find a lawful ground to collect and process that data. Most organisations rely on consent (either implied or opt-out), but the GDPR’s strengthened requirements mean it will be much harder to obtain legal consent. The consequences of this were discussed during the 2016 Data Protection Compliance Conference and its findings described by Cookie Law:
- Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
- ‘By using this site, you accept cookies’ messages are also not sufficient, for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:
- It must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
- Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
Website: SSL Certificate
It is essential now to have an SSL (TLS) certificate if you collect contact information or take payments on your website, and to serve the whole site over HTTPS rather than only the checkout page. The certificate, issued by a certificate authority, lets a visitor’s browser verify that it is really talking to your domain, and the TLS connection encrypts everything sent between the visitor and your server, so form contents and card details cannot be read or altered by anyone intercepting the traffic on the way. It does nothing for data once it reaches your server or your suppliers, but it demonstrates that you have taken a reasonable, expected step to safeguard the transfer of customer information or payment details. Redirect plain HTTP requests to HTTPS so that a visitor who types the bare domain name is not left on an unencrypted page, and check that embedded forms, images and scripts are loaded over HTTPS too, otherwise browsers will flag the page as not secure.
Website: Secure Online Forms
If you collect customer names, contact information and/or email addresses on a website contact or sign-up form, the page that shows the form and the address it submits to should both be served over HTTPS; a form on an HTTPS page that posts to a plain HTTP endpoint still sends the details in the clear. The simplest course is to use a hosted form service from a company such as Wufoo, which states that it is GDPR compliant and can update and advise on compliance as the legislation beds in.
As with the cookie consent, if you collect information on a contact form you need to give customers the same options. They should know that their personal information is being collected, transferred and stored, that this is being done safely and securely, and the purpose it will be used for. They should be told that it will not be passed to others without specific consent, that they have the right at any time to withdraw their consent to the data being stored or used or to ask for it to be deleted, and that they will be informed of any breach affecting it.
WordPress is the most used website construction tool, and additional functions come via third-party developed plugins. If you are using plugins to collect customer data or payments then it is your responsibility to ensure that each plugin you use is safe and compliant, and is kept up to date, since an unpatched plugin is the most common way a small WordPress site is compromised. An article on this is available at the link below. This is particularly relevant if you use WooCommerce plugins to sell, or plugins for contact forms, forums or re-marketing.
Online Payment Systems
Whether you take payments for tickets, rooms, goods or services, the advice is the same. Ensure that you are using safe and compliant software. If in doubt use software from a reputable GDPR compliant company, e.g. Stripe, Ecwid, Eventbrite, Ticket Tailor, PayPal, Wufoo or Freetobook. These companies will also expect the website in which their software is embedded to be compliant. Follow the guidelines that they have issued.
If you set up a system of your own, then ensure that it is secure. If you collect and store personal or credit card data, then security breaches are your responsibility. Storing card numbers yourself also brings you into scope for the card schemes’ PCI DSS requirements, which is the main reason the hosted processors above are designed so that card details go straight to them and never touch your server.
Marketing that involves you using customer information to sell or promote your services or goods means the same rules of transparency, safety and consent apply. As with online payments, if you work with software provided by large organisations such as Mailchimp, Facebook, Twitter or Google then make sure that you check out their advice and policies on GDPR and how to comply with them. If you follow that advice you are likely to be seen to have taken reasonable steps to comply with GDPR. With Facebook and Google the cookie consent is essential if you collect visitor information on your website to aid your marketing or re-marketing.
If you use email marketing to promote your business then you need clear policies and procedures on how your customer database is collected, stored and used. With e-marketing resources such as Mailchimp a record of consent and double opt-in sign-up are now needed to build a mailing list. A pre-checked consent button is not enough. If you do not have a record of consent for everyone on your existing mailing lists, you will probably need to go back to your customers/members/mailing list to ask for that consent.
As with the current guidelines, all mailshots must offer recipients the chance to unsubscribe from your list. In addition you must also make a clear offer to delete a customer’s details on request.
If you use software from companies such as Mailchimp you can check out their latest advice on GDPR compliance to keep the right side of the new legislation. This is an ongoing process, not least because Mailchimp works across jurisdictions outside of Europe. Their current statement is a work in progress:
“Here at MailChimp, we’ve been reviewing and updating our internal data processes and systems to make sure we’re ready by May. And soon, we’ll be releasing an updated version of our Data Processing Agreement to allow our customers to continue to lawfully transfer EU personal data to MailChimp when the GDPR goes into effect.
Our preparation efforts are ongoing and will continue into next year. But we’ve already made a lot of progress. We’re committed to achieving compliance with the GDPR, and we want to help our customers do the same”.
So watch this space. Helpfully they also have a GDPR guide for Mailchimp users available here
Useful Links and Information
- What personal data do we collect/store?
- Have we obtained it fairly? Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?
- Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?
- Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption or pseudonymisation be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose?
- Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data’, children’s data, biometric or genetic data etc. and if so, are we meeting the standards to collect, process and store it?
- Do we have a defined policy on retention periods for all items of personal data, from customer, prospect and vendor data to employee data? Is it compliant with the GDPR?
- Are our internal procedures adequately documented?