GDPR: A Quick Intro
The General Data Protection Regulation, or GDPR, went into effect May 25, 2018. It creates consistent data protection rules across the European Union. But because the internet has no borders, it also applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is based.
Much of this regulation builds on the existing EU data protection rules, the 1995 Data Protection Directive (95/46/EC), which it replaces. GDPR, however, sets better-defined standards and backs them with substantial fines.
Failure to comply can now result in fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious violations.
This law is designed to accomplish two main things:
- Unify data protection and privacy law throughout the EU.
- Strengthen the rights of individuals in the EU to control their personal information.
The GDPR applies to any business, wherever it is based, that does one or both of the following:
- Offers products or services to individuals in the EU.
- Collects personal information from, or monitors the behavior of, individuals in the EU.
Note that the test is where the person is, not their citizenship: a U.S.-based business that processes data from people in the EU is required to comply with the GDPR.
What is Data Processing?
Processing is defined very broadly (Article 4(2)): any operation performed on personal data, automated or not. In practice that covers the whole lifecycle of users' personal data:
- Data collection: how is the data gathered?
- Data storage: where is the data stored, and for how long?
- Data usage: how is the data used, and who is it shared with?
- Data deletion: how is the data erased when it is no longer needed?
Under the GDPR, there are six approved reasons (legal bases) on which a company can lawfully process a person's data (Article 6). The three most common for a website are described below.
Necessary for a Contract or Requested Service
- The processing is necessary to provide the service the user asked for, e.g. the email and shipping address needed to fulfil an order. Consent is not required for this, but the user must still be told about it.
User Provided Consent
- Requires freely given, specific, informed and unambiguous consent, signalled by a clear affirmative action like ticking an opt-in box. Pre-ticked boxes, silence or continuing to browse do not count.
- Users have the right to withdraw their consent at any time, and withdrawing must be as easy as giving it. This must be brought to their attention before they consent.
- For online services offered directly to a child, consent must come from a person at or above the digital age of consent (16, which member states may lower to no less than 13); otherwise it must be given or authorized by a parent / guardian.
Legitimate Interests
- The business, or a third party such as an embedded service on the website, has a legitimate interest that is not overridden by the user's interests, rights and freedoms. Document this balancing test.
- The user can object at any time. Processing must then stop unless the business can show compelling legitimate grounds that override the objection; for direct marketing there is no such exception, it must simply stop.
In short, collect only the data that is strictly necessary and give users a clear explanation of how their data is used.
Businesses that want to be fully compliant also need to review how user data is stored, what consent is needed to collect new leads, and what consent is needed to contact users already in their contact lists, to name a few areas.
For example: how, why, and for how long is their data stored? This includes form entries, CRM accounts, etc. If a business uses a form to collect leads and a CRM to manage active clients, it may need to adopt a routine of purging form entries on a regular basis, so that data on dead leads that never made it into the CRM is not kept indefinitely.
Here are a few links that provide good information about GDPR compliance:
- Sanity.io: A Rough Guide to Running a GDPR Compliant SaaS Business
- StartUp Resources: Quick & Dirty Guide to Getting Compliant for Startups and Small Businesses
- Varonis: GDPR Requirements in Plain English
Each GDPR-compliant site should include:
- A privacy / data policy that uses clear, easy to understand language to tell site users what data is collected, why, and for what purpose.
- Opt-in consent for processing personal data wherever consent is the legal basis. This means that each form collecting user data for anything beyond answering the user's own request (newsletters, marketing, passing the entry to a CRM) must have an unticked opt-in checkbox through which users consent to their data being stored and used for that purpose.
- An option for data review / erasure. This means that users need a way to request to view and/or delete the personal data stored by the site.
According to Article 12, the information about how you process personal data must be provided in a way that is:
- Concise, transparent and easily accessible
- In clear and plain language
And according to Article 13, it must cover at least:
- What personal information you collect
- How and why you collect it (the purpose and its legal basis)
- How you use it and how long you keep it
- How you secure it
- Any third parties with access to it
- How users can exercise their rights, including requesting that it be deleted.
Consent Fields on All Forms That Process User Data
Each form should include an easy-to-find link to the policy mentioned above, so users can see what data is collected and why. Add a separate, clear opt-in option any time additional data processing happens, such as sending a form entry to an email marketing platform or a CRM.
- Each form field should only exist if it is clearly necessary. If a field's necessity is not obvious, explain it or remove the field. Take a minimalist approach and collect only what is absolutely necessary.
- The user must be able to find out what happens to his or her data before submitting the form, including why, where and for how long the data is stored.
- Do not use any pre-selected checkboxes (especially for newsletter subscriptions, as explicit consent is required and a pre-ticked box is not consent).
- Forms containing personal information may only be submitted over HTTPS (TLS); never post personal data over plain HTTP, and redirect HTTP requests to HTTPS so the form itself is not served insecurely.
- The information collected by means of a form may only be used for the purpose the user agreed to when filling in the form.
- You may not automatically use an e-mail address for e-mail marketing because it was included in an order form.
- If the user's info will be used for further marketing, etc., a separate opt-in option must be included.
- Alternatively, you can remove the form entirely and replace it with an e-mail link and/or a telephone number, which moves the processing (and the obligations that come with it) to your mail and phone systems instead.
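The form rules above, and the lead-purging routine mentioned earlier, as an added example that is not code from the original page: a server-side handler that rejects fields the form does not need, treats only an explicit user-set checkbox as consent, keeps a record of which policy version was consented to and for which purposes, routes the entry to an email marketing platform only when that purpose was consented to, and splits stored entries into keep / purge by retention period. The field names, purpose labels, the policy version string and the 90-day retention period are this example's own assumptions.

```javascript
// Added example (not from the original page): server-side handling of a contact
// form that enforces the rules above. Field names, purpose labels, the policy
// version and the 90-day retention period are this example's assumptions.
const POLICY_VERSION = "2018-05-25"; // assumed: version of the policy linked beside the form

// Only the fields the form actually needs; anything else is rejected rather
// than silently stored (data minimisation).
const ALLOWED_FIELDS = new Set(["name", "email", "message", "consent_privacy", "consent_marketing"]);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate a parsed form body (string values, as a form parser produces) and
// return { ok: false, errors } or { ok: true, record }. The record keeps the
// evidence of consent: which policy version, when, and for which purposes.
function processContactForm(body, now = new Date()) {
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  if (!body.email || !EMAIL_RE.test(body.email)) errors.push("valid email is required");
  if (!body.message || !body.message.trim()) errors.push("message is required");
  // An unticked checkbox is simply absent from the post, and a pre-ticked one
  // is not consent, so only an explicit "on" from the user's own click counts.
  const privacyConsent = body.consent_privacy === "on";
  const marketingConsent = body.consent_marketing === "on";
  if (!privacyConsent) errors.push("the privacy policy must be accepted to send this form");
  if (errors.length) return { ok: false, errors };

  const purposes = ["reply_to_enquiry"];
  if (marketingConsent) purposes.push("email_marketing");
  return {
    ok: true,
    record: {
      name: (body.name || "").trim(),
      email: body.email.trim().toLowerCase(),
      message: body.message.trim(),
      consent: { policyVersion: POLICY_VERSION, givenAt: now.toISOString(), purposes },
    },
  };
}

// Decide which downstream systems may receive the entry. Answering the enquiry
// is what the user asked for; forwarding to an email marketing platform is a
// separate purpose and happens only when it was explicitly consented to.
function routeSubmission(record) {
  const purposes = new Set(record.consent.purposes);
  return { helpdesk: true, emailMarketing: purposes.has("email_marketing") };
}

// Form entries that never became CRM contacts are kept only for a limited
// time. Returns the entries to keep and those to delete; run this on a
// schedule so dead leads are not retained indefinitely.
function splitByRetention(entries, now, retentionDays = 90) {
  const cutoff = now.getTime() - retentionDays * 24 * 3600 * 1000;
  const keep = [];
  const purge = [];
  for (const entry of entries) {
    const stale = !entry.inCrm && new Date(entry.receivedAt).getTime() < cutoff;
    (stale ? purge : keep).push(entry);
  }
  return { keep, purge };
}
```

The consent record is what you will need if a user or regulator later asks on what basis an email was sent: store it next to the entry, and re-ask for consent when the policy version changes.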
Cookie Consent Notice Banner
When users land on the site, they'll see a notice stating that cookies are used, and for what.
At this point, some businesses are still simply showing users a notice with an accept button, or suggesting they leave the site and/or clear their browser data to avoid cookie-based tracking. That does not meet the GDPR standard of consent: continuing to browse is not a clear affirmative action, and any tracking cookie set before the user has chosen is set without consent.
The fully-compliant option is to block all non-essential cookies and tracking scripts until the user opts in, and let them opt out at any time. This puts all tracking / marketing, including everything fired through Tag Manager, on an opt-in basis. Strictly necessary cookies (session, CSRF token, the consent record itself) do not need consent.
Again, these decisions are up to the client. They should base their decision on how much of a presence in the EU they plan to have, how much tracking they plan to do using cookies, and how much user data they collect and store.
Here are the features of some helpful tools for generating notice / consent banners.
- Can be configured for full GDPR compliance.
- Requires account set-up.
- Free. (one domain only / up to 100 pages)
- Can be set to display in EU countries only.
- Scans the website for cookies, automatically assigns them to different cookie categories in the preference center.
- Fully customizable cookie notification banner.
- A Preference Center and the ability to opt-out/in to separate categories of cookies.
- Pushes consent data and events to the Data Layer. Also requires additional set-up in Google Tag Manager.
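The opt-in behavior described above, as an added example that is not code from the original page or from any of the banner tools it lists: a small consent gate that keeps non-essential tags from loading until the user opts in, persists the choice in a cookie, releases queued tags when a category is allowed, and pushes consent events to Google Tag Manager's dataLayer so triggers there can fire on consent. The cookie name site_consent, the category names and the consent_update event name are this example's own assumptions; in a browser you would pass document.cookie, a callback that assigns to document.cookie, and window.dataLayer.

```javascript
// Added example: a consent gate for cookie-based tracking (not the page's code).
// Assumed names: CONSENT_COOKIE, the category list and the "consent_update"
// event are this example's own choices, not a standard.
const CONSENT_COOKIE = "site_consent";
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Strictly necessary cookies (session, CSRF, this consent record) need no
// consent; every other category defaults to off until the user decides.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Parse a document.cookie string such as
// "sid=abc; site_consent=analytics%3A1%2Cmarketing%3A0" into a consent object.
// Returns null when no decision has been recorded (or the cookie is garbled).
function parseConsentCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    let raw;
    try { raw = decodeURIComponent(rest.join("=")); } catch (e) { return null; }
    const consent = defaultConsent();
    for (const pair of raw.split(",")) {
      const [cat, flag] = pair.split(":");
      if (CATEGORIES.includes(cat) && cat !== "necessary") consent[cat] = flag === "1";
    }
    return consent;
  }
  return null;
}

// Serialize the decision as a document.cookie assignment. Secure + SameSite
// keep the record from leaking; 180 days is this example's retention choice.
function serializeConsent(consent) {
  const body = CATEGORIES.filter((c) => c !== "necessary")
    .map((c) => `${c}:${consent[c] ? "1" : "0"}`)
    .join(",");
  return `${CONSENT_COOKIE}=${encodeURIComponent(body)}; Max-Age=${180 * 24 * 3600}; Path=/; Secure; SameSite=Lax`;
}

class ConsentManager {
  // cookieString: current document.cookie; writeCookie: callback that sets a
  // cookie; dataLayer: the array Google Tag Manager reads (window.dataLayer).
  constructor({ cookieString = "", writeCookie = () => {}, dataLayer = [] } = {}) {
    this.consent = parseConsentCookie(cookieString);
    this.writeCookie = writeCookie;
    this.dataLayer = dataLayer;
    this.pending = []; // tag loaders waiting for consent
    this.ran = new Set(); // tag names already loaded (each loads once)
  }

  hasDecision() { return this.consent !== null; }

  allows(category) {
    if (category === "necessary") return true;
    return this.consent !== null && this.consent[category] === true;
  }

  // Register a tag loader. It runs now if its category is allowed; otherwise
  // it is queued and runs only once the user opts in to that category.
  runWhenAllowed(category, name, run) {
    const entry = { category, name, run };
    if (this.allows(category)) this._run(entry);
    else this.pending.push(entry);
  }

  _run(entry) {
    if (this.ran.has(entry.name)) return;
    this.ran.add(entry.name);
    entry.run();
  }

  // Record the user's choice from the banner or preference center, persist
  // it, notify GTM, and release queued tags for newly allowed categories.
  update(choices) {
    const next = { ...(this.consent || defaultConsent()), ...choices, necessary: true };
    this.consent = next;
    this.writeCookie(serializeConsent(next));
    this.dataLayer.push({ event: "consent_update", consent: { ...next } });
    const stillPending = [];
    for (const entry of this.pending) {
      if (this.allows(entry.category)) this._run(entry);
      else stillPending.push(entry);
    }
    this.pending = stillPending;
  }

  // Opting out is an update to false. A tag that already loaded cannot be
  // unloaded client-side, so after a withdrawal the page should reload (or
  // call the tag's own opt-out) and the server must stop using the data.
  withdraw(category) { this.update({ [category]: false }); }
}
```

The important property is that the analytics and marketing loaders are never called before update() records an opt-in, so no tracking cookie is set on a first visit; the banner's buttons just call update() with the user's choices, and the preference center calls withdraw() to opt out later.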
The Right to Erasure
The GDPR gives users the right to erasure, sometimes also referred to as the 'right to be forgotten' (Article 17), alongside the right of access (Article 15). This means that users who have submitted personal data to your site have the right to request a copy of it and / or have it deleted, and you must respond without undue delay and in any case within one month (extendable by two further months for complex requests, if you tell the user why).
Here are a few of the applicable scenarios where a user can make a request:
- The data is no longer needed for the purpose it was collected for; for example, the user's request was met and they need no further contact.
- The person withdraws their consent (and the business or organization has no other legal basis for keeping the data); for example, the user has been contacted but is no longer interested in your product or service.
- The person objects to their data being processed for direct marketing, or objects to processing based on legitimate interests and their rights override those interests (for instance, where sensitive data or data concerning a child is involved).
- The data was unlawfully processed.
- Erasure is necessary to comply with a legal obligation.
- The data was collected from a child in connection with the offer of 'information society services' (online services).
A GDPR-compliant website should give users clear information on how they can contact the business or organization to make these requests. This can be via email, phone, or a dedicated form on the site. It is the responsibility of the site owner to verify that the requester is who they claim to be and to fulfil the request within the deadline.
As long as one of the above conditions is met and no exception applies (for example, the data must be retained to meet a legal obligation such as tax record-keeping, or to establish or defend legal claims), the data must be permanently removed from the site and from any third party it was shared with: CRMs, email marketing platforms, etc. Keep a log of the request and of what was deleted, so you can show it was handled.