This article outlines the important changes to EU legislation called the General Data Protection Regulation (GDPR) which can negatively impact your business.
It is paramount that you are prepared for these changes as you can incur a whopping financial penalty for non-compliance. These fines can be as high as 4% of your annual global income which is enough to cripple some companies.
So, take heed, and get compliant before the deadline!
THIS IS AN OUTLINE OF THE GDPR, AND IS BY NO MEANS LEGAL ADVICE.
What is the GDPR:
The GDPR outlines new and important changes in personal data legislation which are coming into effect on 25th May 2018. The GDPR has been put in place to protect EU citizens globally, so even companies which aren’t within the EU but deal with EU members’ personal data must comply with this new legislation or face serious consequences.
The 8 new rights for users are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
So, what constitutes Personal Data?
This means any information which you hold that can identify someone, whether it’s an IP address, name, home address, email address, etc. If the data which you collect can’t identify an individual, then you don’t need to worry about these changes.
If you handle data, under the GDPR you now come under two categories – either you’re a “Data Controller” or a “Data Processor”.
- A Data Controller is a person who (either alone, jointly or in common with other persons) determines the purposes for and the manner in which any personal data are, or are to be, processed.
- A Data Processor is someone who processes data that belongs to someone else. E.g. Authentic Style processing data that a customer enters into a contact form.
The changes in May affect both the Data Controller AND the Data Processor. This means that agencies, external CRM systems, servers, email platforms, etc. which house personal data are all responsible for its safekeeping.
From May onwards, users will have to actively opt in for you to use their personal information. Gone are the days of companies adding your data automatically with a pre-ticked box. Consent must be actively and positively given.
Companies also cannot assume that if they have a user’s consent for one form of marketing, that they will be allowed to contact them through other marketing avenues. Clients / customers must provide consent on various forms of communication separately in order to receive them. E.g. If a user has opted in to receive newsletter emails, this doesn’t mean that they’ve opted in to receive telemarketing calls too. They would have to specifically opt in to receive these too.
It’s also not enough to specifically ask your users if they want to receive offers – you need to remind them of their rights and that it is their decision to opt in. These rights to your users’ privacy must be fully visible when they have the option to forfeit their personal data to you. It’s also important to update your Privacy Policies to reflect the changes which the GDPR has rendered.
We’re afraid it’s not just from May onwards that companies must look at how their users’ personal data was obtained either. This is the case for retrospective data that you may have obtained since your business began, so you might have to ask all of your current marketing lists to opt in again to receive your marketing material.
If you’re unsure of how personal data was obtained – whether it was assumed or consent was given to use it, you will have to ask your list(s) for their consent again to ensure that they’ve actively opted in.
Third Party Consent:
It may be that your business buys marketing lists to generate leads by sending offers and promotions to them. The new GDPR legislation will affect this personal data too.
You can continue to market this way, but as before, you must have a clear consent agreement directly with the company you obtained the list from that shows the users on the list you purchased actively opted in to receive marketing communication.
Frustratingly, there are no defined limits as to when consent expires, but it should be assumed that it doesn’t last forever. Companies must have an arguable case as to why they have kept their users’ personal data.
Here are a couple of examples:
- You can no longer assume that a user who opts in to receive news about a product launch should also receive your company newsletter. This would need a separate form of consent which outlines them explicitly opting in to receive your newsletter.
- If a customer opts in to three different kinds of marketing from your business, but then opts out the fourth time, it is the last decision that sticks and they’ll need to be removed.
- If you offer a subscription service and a user cancels, they should no longer receive any communication from your company – not even offers to come back at a special rate.
As a Data Controller (those that own the personal data), you are obliged to keep strict and detailed accounts of when, how/where a user gave their consent and explicitly what they gave their consent to. A user has a right to ask for this information and all the personal data you have on them through a Subject Access Request.
A Breach in Data:
Any breaches in data you experience MUST be reported to your users within 72 hours. Any later and you won’t be compliant with the new GDPR legislation. It’s important to have a breach procedure in place so that you can contact all of your users within the allocated time to safeguard personal data as much as possible.
Something to be aware of: if any lost data is encrypted, then it won’t be classified as a breach in data which needs to be reported to regulators or your users.
Tips for making your WordPress site GDPR compliant:
If your site runs on WordPress, here are some common ways in which you might collect users’ personal data:
- Contact form submissions
- Analytics and traffic logging solutions (Google Analytics)
- Security tools and plugins
- Comments on news posts
- Newsletter sign ups
- Product purchases (on an ecommerce site)
Next, you need to be able to provide users with a copy of their data should they request it. This is perhaps the most difficult part of the process and something which you’ll need to create documentation for within your business.
You’ll also need to make it possible for users to delete all their personal information you’ve gained if they so wish. This is what’s called “the right to erasure” or “the right to be forgotten” in the GDPR policy.
You’ll also want to make sure you display a GDPR cookie banner on your website.
If you need some more advice on making your WordPress site compliant, just get in touch.
GDPR Changes Summary:
- GDPR will be enforced on 25th May 2018.
- Both Data Controllers AND Data Processors are now responsible for safeguarding personal data.
- Users must actively opt in for you to market to them.
- You cannot assume that personal data gained can be used for all marketing material, only that which the user has opted in for.
- During the opting in process, users must be made fully aware of their rights under the new GDPR legislation and how their data will be used.
- The new rules of GDPR on personal data consent mean that you must review all of your current marketing lists and ensure consent was given for you to use that data.
- All the new rules work retrospectively, so it’s not from this point onwards that you must look at how your users’ personal data was obtained. You need to look at all the personal data you’ve collected – even if that was obtained 10 years ago!
- If you’ve purchased data from a 3rd party (e.g. you bought a mailing list), then this will also be affected by this new legislation and consent must be given by each user for you to use their personal data. If you rely on such lists for marketing, you’ll need to ensure that the company you purchase it from is GDPR compliant too.
- Although there is no fixed time limit where consent expires, context is important and it should be assumed that it does not remain valid forever.
- Data Controllers must keep records of how personal information was obtained, when it was obtained and what use it was specified for.
- A breach in data must be reported to regulators (the ICO if you’re a business based in the UK) and your users within 72 hours. You must have a data breach procedure in place and contact your users within the time frame above. If not, you could face a fine.
Further reading & resources
- ICO’s Guide to GDPR Compliance
- The Complete WordPress GDPR Guide
- The 8 Rights Of Individuals
- DeleteMe – WordPress plugin to allow users to delete their account on your site
- 14 Things You Were Too Afraid To Ask About GDPR