By 80 DAYS | March 2nd, 2018
The General Data Protection Regulation (GDPR) is a new EU regulation that will come into effect on the 25th of May 2018. The regulation is designed to give people more control over how their personal data is used, and any business operating in the EU is required to be compliant with GDPR’s rules.
What action is needed to bring your website & online marketing up to spec?
80 DAYS has undertaken some investigation of the new regulations and how they may impact our customers’ websites. The following notes & recommendations are based on our best understanding of GDPR. However, we feel it important to add a caveat that we are not authorities in Privacy Law and we would recommend you seek further legal advice if you are concerned about how your organisation handles personal data.
1. Identify your Data Controllers and Data Processors
A “data controller” is any organisation that holds personal data about EU citizens (e.g. your customers’ names, etc.). A “data processor” is an organisation involved in processing & storing that information on the controller’s behalf. Under GDPR, both controllers and processors can be held liable if there is a data breach and so both need to adhere to the regulation.
2. Explicit & Active Opt-Ins
Under GDPR, customers must explicitly opt in to having their details stored and understand what they are being used for.
Under the new regulations, consent is now also defined to require an obvious and positive action to opt in. For example, enquiry forms with a checkbox to receive a newsletter should be unticked by default, on the assumption that unless the user ticks it they do not wish to opt in.
There are some exceptions though – if it is necessary for a customer to supply details in order to complete an action, then their consent is implicit (for example, it’s a given that you’d need to store a hotel guest’s details from their booking so that you have them when they check in).
The GDPR regulations do not make much mention of cookies, and there is already EU legislation in respect of cookies that was introduced in 2011. In brief, if a cookie can be used to identify an individual then they should have provided explicit consent for it to be used. For Digital Marketeers the good news is that most of the tools at our disposal use anonymised data and are therefore unaffected by GDPR.
Similarly, for advertising via Google AdWords, most data is anonymised and so no changes are needed to be GDPR-compliant. The slight exception to this is Customer Match advertising (i.e. where ads are targeted toward a defined list of email or mailing addresses); if you are to run this form of advertising, then customers would have to have given explicit consent for their personal data to be used in this way.
For businesses that are already treating their customers’ personal data responsibly, GDPR should require just small changes in current practice. Ensuring that the personal data you hold is only being used in ways which the individual is aware of and has approved, and that it is being stored securely, should help prevent you falling foul of the new regulations.
If 80 DAYS can be of further assistance in updating your website/marketing activities accordingly, please contact your Account Manager or email@example.com.