Of course, we are all aware of the privacy issues now in the news about Facebook and other major networking sites. The European Union has been thinking about this much longer, and a new regulation goes into effect soon that will impact how we all do business online.
The GDPR (General Data Protection Regulation) is a European Union regulation on data protection for everyone within the EU. Its goal is to give back control of data to citizens. It goes live in May of 2018.
Just because it’s an EU regulation doesn’t mean you can ignore it here in the US. Any website, including social media sites that gather data from EU citizens, must comply with these rules. If your company processes large amounts of sensitive data, like Twitter for example, then they are required to create the role of “Data protection officer” whose sole responsibility is the protection of customer’s privacy.
The fines for violations range from 2-4% of the company’s global turnover.
Now, not many companies harvest as much data as Google, Facebook, Twitter, and others, but we should still take these new rules as good practice. They’re most likely the wave of the future anyway, so why not get in compliance now on your website and email lists?
What is personal data under GDPR?
Personal data is:
IP Address email or physical address, phone, health, financial or school records, demographics like racial, ethnic, or sexual identification. location information and age (GDPR sets the limit for a child to sign up for digital services at 13) are just a few. The list is quite long, as you may imagine. See the GDPR website for more information.
It’s not just about data collection either. Users may request their date be deleted altogether, and it is up to the website to keep records and remove data on request, including from forms filled in, cookies and email subscriptions and delete that data on request.
Why? Sites like Gmail, SaneBox, and Unroll, for example, scan your email for information that can be used to market to you. So does Google, Facebook, Twitter and so many others. Websites must now ask for consent to collect data. To be in compliance they will have to request we opt-in.
I’m sure by now you’ve seen one of these cookie banners on websites? Give it a moment and think before you accept.
What to do about GDPR Compliance?
I’m not a lawyer and I am not implying that this is the full range of options, but here are some of the things I am recommending to our clients. If you have any questions at all, you should visit the official GDPR website and make your own informed decision.
- Be sure to include information on how you will use subscribers’ data on your email list sign-up page.
- If you do any form of e-commerce, here’s a good post on this from Shopify.
- Subscribers must opt-in, so those pre-selected opt-in checkboxes are a no-no. Give them the option to opt out of giving you their data. Some scripts out there now allow a user to request their data be deleted from your system. Check with your web developer to see if you are compliant.
- Users may request that their data be changed, or deleted.
Keep records on the personal data that you collect from users and how you got their information. Buying a list or adding people randomly because you found their email address is NOT compliant.
See what others are doing.
Here are some great examples of GDPR compliance options from larger companies that also explores the nuances of these new rules.
Notice as you surf the web how often you’re seeing opt-in boxes and how they are used.