The General Data Protection Regulation (GDPR) is a new law that regulates how businesses may collect, use, and process the personal data of people in the EU. It takes effect on May 25, 2018, and although it is an EU regulation, it applies not only to organizations based in the EU but also to those outside the EU that have customers and contacts there. So it is going to have an impact on businesses all around the world. There’s a great infographic breaking down the different components.
The first thing to do about GDPR is to clarify what data you collect
On your website, make it very clear what kind of data you collect and what happens to it.
- Tell the user who you are, why you collect the data, for how long, and who receives it.
- Get clear consent (where consent is the legal basis you rely on) before collecting any data.
- Let users access their data, and take it with them.
- Let users delete their data.
- Let users know if data breaches occur.
Under the GDPR, your EU subscribers have expanded rights regarding the use of their personal data, and can request, for example, that their data be deleted, moved, or corrected at any time.
What kind of data do you collect?
These are the typical data an average website collects:
- user registrations,
- contact form entries,
- sign-up forms,
- analytics and traffic log solutions.
Request explicit consent. Under the GDPR, before data collection takes place – that is, before the user submits the form – the user must be told that the form collects personal data with the intent to store it, and must give explicit consent to this. (The article calls this the Right to Access, but the right of access is the separate right to obtain a copy of the data already held; the duty to inform and obtain consent applies at the point of collection.)
You should carefully design each of these forms to make sure that the language in the body and/or footer is clear, specific, and covers every purpose for which the solicited information will be used. Be very specific about the intended use of the information you are collecting.
The GDPR says that you must obtain explicit, opt-in consent, and be clear about how your subscribers’ data will be used when you obtain that consent. A pre-ticked checkbox, silence, or inactivity does not count as consent: the user has to take an affirmative action, and you should be able to show afterwards what they consented to and when.
You need to communicate clearly how your customers’ information is being used. This is more of a communication and process question than something that can be solved with technology alone, although the form and its back end do need to enforce the opt-in and record it.
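The consent and data-subject-rights points above, as an added example that is not from the original article: a hypothetical Python form handler that refuses a submission without an explicit opt-in, ties the stored consent to the exact purpose statement the user saw, and offers export (access and portability) and erasure for the subject. The in-memory `SubjectStore`, the `PURPOSE_TEXT`, and the sample submissions are all constructed for illustration; a real site would persist the records and serve them behind authentication.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import hashlib
import json

# The purpose statement displayed next to the checkbox. A short hash of it is
# embedded in the form so the stored consent refers to the wording actually shown.
PURPOSE_TEXT = ("We store your e-mail address to send you our monthly newsletter "
                "until you unsubscribe. It is shared only with our e-mail provider.")
PURPOSE_ID = hashlib.sha256(PURPOSE_TEXT.encode()).hexdigest()[:16]


class ConsentError(ValueError):
    """Raised when a submission lacks a valid, explicit opt-in."""


@dataclass
class ConsentRecord:
    subject: str       # identifier of the data subject (here the e-mail address)
    purpose_id: str    # hash of the purpose text consented to
    purpose_text: str  # the wording itself, kept so it can be reproduced later
    given_at: str      # ISO-8601 UTC timestamp of the affirmative action


@dataclass
class SubjectStore:
    """Hypothetical in-memory store standing in for the site's database."""
    personal: dict = field(default_factory=dict)  # email -> personal data
    consents: dict = field(default_factory=dict)  # email -> ConsentRecord


def handle_signup(store: SubjectStore, form: dict, now=None) -> ConsentRecord:
    """Process a parsed POST body; stores nothing unless consent is explicit."""
    email = form.get("email", "").strip().lower()
    if not email:
        raise ValueError("email is required")
    # Browsers omit an unchecked checkbox entirely, so absence means no consent.
    # The template renders the box unchecked with value="yes"; only that literal
    # is accepted, so a stray truthy value ("on", "1") does not pass.
    if form.get("consent") != "yes":
        raise ConsentError("explicit opt-in consent is required before storing data")
    # The consent must match the purpose text currently in force; if the wording
    # changed since the page was rendered, ask again rather than assume.
    if form.get("purpose_id") != PURPOSE_ID:
        raise ConsentError("consent does not match the current purpose statement")
    given_at = (now or datetime.now(timezone.utc)).isoformat()
    record = ConsentRecord(email, PURPOSE_ID, PURPOSE_TEXT, given_at)
    store.personal[email] = {"email": email, "name": form.get("name", "").strip()}
    store.consents[email] = record
    return record


def export_subject(store: SubjectStore, email: str) -> str:
    """Right of access / portability: everything held on the subject, as JSON."""
    email = email.strip().lower()
    if email not in store.personal:
        raise KeyError(email)
    payload = {"personal_data": store.personal[email],
               "consent": asdict(store.consents[email])}
    return json.dumps(payload, indent=2, sort_keys=True)


def erase_subject(store: SubjectStore, email: str) -> bool:
    """Right to erasure: drop the personal data and its consent record together."""
    email = email.strip().lower()
    existed = email in store.personal
    store.personal.pop(email, None)
    store.consents.pop(email, None)
    return existed


def demo():
    """Run the three paths on constructed submissions (not real users)."""
    store = SubjectStore()
    fixed = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ok = {"email": "Alice@Example.org", "name": "Alice",
          "consent": "yes", "purpose_id": PURPOSE_ID}
    unchecked = {"email": "bob@example.org", "name": "Bob"}          # box left unticked
    stale = {"email": "carol@example.org", "consent": "yes",
             "purpose_id": "0000000000000000"}                       # old purpose text
    record = handle_signup(store, ok, now=fixed)
    rejected = []
    for bad in (unchecked, stale):
        try:
            handle_signup(store, bad, now=fixed)
        except ConsentError as exc:
            rejected.append(str(exc))
    exported = export_subject(store, "alice@example.org")
    erased = erase_subject(store, "alice@example.org")
    return record, rejected, exported, erased


if __name__ == "__main__":
    rec, rejected, exported, erased = demo()
    print(rec)
    print(rejected)
    print(exported)
    print("erased:", erased)
```

The two rejected submissions show the cases a practitioner cares about: a checkbox the user never ticked, and a consent that refers to a purpose statement other than the one currently served. Keeping the purpose wording inside the consent record is what lets you answer "what exactly did this person agree to?" later.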
Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics.
With Google as your Data Processor, Google has its own obligations under the GDPR. According to Google’s own privacy compliance website, they are “working hard to prepare for the EU’s General Data Protection Regulation,” and they state they will be compliant by May 25, 2018. As a Data Processor, Google must provide a data processing agreement (DPA) that you need to accept. Accepting the DPA covers Google’s side of the processing; it does not by itself cover your obligations as Data Controller, so you still need to tell your visitors that analytics data is collected and decide what data you send.