If you live in the U.K., you’ll have noticed the slew of emails flooding into your inbox during the past month asking you to opt into email marketing and newsletters. This is all thanks to the GDPR (General Data Protection Regulation).
GDPR, What the Heck!?
The new regulations tighten up laws surrounding how companies and websites store and use your personal data. Data here is defined as anything which identifies you. This can be something as simple as your name or date of birth to email addresses or cookies tracing your net use.
For anyone running a website, the GDPR raises a few issues. If your site is operating in the U.K., you must be compliant. The ICO (Information Commissioner’s Office) has a range of penalties it can issue for GDPR infringement, ranging from warnings and temporary bans on data processing to fines. Fines can be up to $20 million or four percent of a company or site’s average turnover, whichever is higher. For cammers in the U.K. running their own sites, this could hit them hard.
Some Compliance Tips
GDPR compliance sounds scary, but it doesn’t have to be. We have known this was in the pipeline for a little while, and there are plenty of tools out there to help you bring your site up to code.
So, what should we know?
Cookie policies are mentioned in the GDPR
Cookies identify users to your site and collect information for traffic analytics and advertising purposes. Because they can identify a user by their device, this is considered personal data.
To be compliant, sites will need to show that express consent has been given to use cookies. Consent can’t be assumed. A pop-up widget warning users that cookies are in use and asking them for permission helps establish express consent. Once a box has been ticked, the user has given consent. The widget usually sets a time frame for that consent, and once it has lapsed the user is asked for consent again.
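The consent flow just described, as an added example that is not part of the original post: an explicit accept/reject choice is recorded with a timestamp, non-essential cookies are withheld until consent is current, and a lapsed or malformed record means the user is asked again. The cookie name, the 180-day window and the plain-object cookie jar are assumptions so it runs without a browser; in a page you would back it with document.cookie.

```javascript
// Added example: gating non-essential cookies behind recorded, time-limited consent.
// The jar is a plain object standing in for document.cookie (assumption for offline use).
const CONSENT_KEY = "cookie_consent";               // assumed cookie name
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;   // assumed re-prompt window: 180 days

// Record an explicit, affirmative choice. An untouched (unticked) box never
// reaches this function, so nothing is ever stored without a real decision.
function recordConsent(jar, choice, now = Date.now()) {
  if (choice !== "accepted" && choice !== "rejected") {
    throw new Error("consent must be an explicit accept or reject");
  }
  jar[CONSENT_KEY] = JSON.stringify({ choice, at: now });
  return jar[CONSENT_KEY];
}

// Read the stored record. Missing, malformed or expired records all count as
// "unknown", which is the signal to show the banner again.
function consentStatus(jar, now = Date.now()) {
  const raw = jar[CONSENT_KEY];
  if (!raw) return "unknown";
  let rec;
  try { rec = JSON.parse(raw); } catch { return "unknown"; }
  if (typeof rec.at !== "number" || now - rec.at > CONSENT_TTL_MS) return "unknown";
  return rec.choice === "accepted" ? "accepted" : "rejected";
}

// Only set an analytics or advertising cookie while consent is current.
// Returns true if the cookie was set, false if it was withheld.
function setTrackingCookie(jar, name, value, now = Date.now()) {
  if (consentStatus(jar, now) !== "accepted") return false;
  jar[name] = value;
  return true;
}

// The banner is shown whenever there is no usable decision on record.
function shouldShowBanner(jar, now = Date.now()) {
  return consentStatus(jar, now) === "unknown";
}
```

A "rejected" choice is remembered too, so the user is not nagged on every visit while tracking cookies stay off.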
Email marketing
If your site uses email marketing, you need to make sure users have opted in and that you can prove they consented to receiving your messages. This means no more pre-ticked opt-in boxes on contact or sign-up forms. If you can’t prove consent but know your subscribers opted in, tighten up your record-keeping procedures going forward. Make sure you include an unsubscribe link at the bottom of every email so it’s easy to opt out.
Privacy disclosure
Your site needs a privacy policy outlining how data is collected, stored and used. This must be easily accessible and should list any third parties who can access your site’s collected data (e.g. Google, Jetpack, etc.).
Be sure to check those third parties’ own data protection policies. There are guides and tools online to help you build a privacy policy.
Contact forms
Contact forms are one common way sites collect data from users. Good GDPR-relevant ideas include stating why you are asking for each piece of information on the form and adding a consent box so users can confirm they agree to you collecting the information and contacting them. Don’t keep contact form submissions longer than necessary.
Other issues
Of the six lawful bases for processing personal data, the two you’re most likely to rely on are “Consent” and “Contract.” The “right to be forgotten” applies under consent, so make sure you can delete a user’s data if requested. Outline all of this in your privacy policy and provide a way for users to contact you with any such request.
Also, to protect customers’ data, site owners need to store it in an encrypted environment. Serving your site over HTTPS encrypts data in transit between your users and your site, which helps protect customers’ data.
What does an expert say?
Records Management Consultant Emily Overton had this to say about the GDPR:
“In terms of being GDPR compliant, knowing what you process and why and making sure it’s legal is a huge key. Once you know, be honest and transparent in the privacy policy with affirmative wording such as will/won’t. If money is being received for a service, then the legal basis for some of your processing is probably under contract, but you need to assess each process of where to collect data to ensure you’re doing it correctly. A great example of a privacy policy is here.”
Dang!
Data protection is everybody’s responsibility. Though somewhat overwhelming and onerous, in building a good reputation and maintaining users’ confidence, the GDPR stands to benefit us all.
Editor’s note: GDPR regulations are complex. This post is not intended to be the last word in GDPR dealings. Do your due diligence to ensure you are compliant and effective in your dealings.
—
Katy Seymour is a super-sex-positive writer in the U.K. who believes kink is life. Email her at katy@ynotcam.com.
Image via Pawe Sobocinski.