Disclaimer: This post is not legal advice. We strongly advise that you seek independent legal advice on all matters relating to the incoming GDPR.
WHAT IS GDPR AND WHY IS IT IMPORTANT?
You may have heard of the Data Protection Act 1998 – well, think of the GDPR as the biggest update to those rules since they were written (and no, you can't click 'remind me to update later').
The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy for all individuals within the European Union, which applies from May 25th, 2018. Any company or organisation that collects and/or processes the personal data of EU individuals is affected, and it's important that you're able to demonstrate compliance with the rules, not just claim it.
Note: GDPR will also apply to organizations located outside of the EU if they process or collect data of individuals within the EU.
'Personal data' is defined as "any information relating to an identified or identifiable natural person". Examples include a person's name, home address and email address. Even storing an IP address in your web server logs constitutes processing of a user's personal data (you heard right, WordPress users).
As a digital publisher and site owner, it is your responsibility to ensure that your site (and every plugin on it) complies with the GDPR rules. Once the GDPR applies, individuals will have enhanced rights to access their information, stop direct marketing, prevent data sharing and request that you delete everything you hold about them. To assist you, we've created a six-tip guide to help you get GDPR ready – so let's get started!
TIP 1: GET CLUED UP
The first step is to read up on the upcoming changes and make sure you are aware of how they will affect you. Depending on the nature of your blog, you may have steps to undertake to ensure that you are compliant. Many businesses will need to register with the ICO (the UK's data protection authority) to show their commitment to data privacy; however, you may be exempt. Get clued up on your position and take the ICO's quiz.
If you use email marketing tools such as MailChimp, you will most likely be acting as a controller of data. MailChimp has issued guidance on steps you can undertake to stay compliant – you can check these out on page 7 and onwards here.
And let’s not forget about Google Analytics. The web traffic analysis tool enables site owners to get a real insight into how their site is being used and by whom. Google’s recently updated EU User Consent Policy reflects the legal requirements of the GDPR and sets out a list of website owner responsibilities – so site owners need to stay alert here.
Google Analytics has implemented tools that help with GDPR compliance. For example, you can turn on the IP anonymization feature, which truncates the visitor's IP address before it is stored. You may also consider making use of pseudonymous identifiers in Google Analytics: if you use the User ID feature, make sure the IDs you send are opaque alphanumeric tokens rather than values that identify a person directly, such as an email address. Have a read of Google's help sheet for further guidance on staying compliant when using the application. For more comprehensive guidance on ensuring your use of Google Analytics is compliant, we recommend reading Cookiebot's latest post.
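The IP anonymization mentioned above is also something you can apply to your own web server logs, which (as noted earlier) contain personal data. Google documents its anonymization as zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address; the script below, which is an added example and not code from the original post or from Google, applies the same truncation to the client-IP field of Apache/nginx "combined" format log lines. The sample log lines are constructed for illustration using documentation-only address ranges.

```python
import ipaddress
import re

# Apache/nginx "combined" log format: the client IP is the first field
# and everything after it is kept verbatim.
LOG_LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)$")

# Constructed sample lines (not real traffic); IPs are from the
# RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/May/2018:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:13:55:37 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "FeedReader/1.0"',
    '- - - [10/May/2018:13:55:38 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.58.0"',
]


def anonymize_ip(ip_text: str) -> str:
    """Truncate an IP address the way Google Analytics' IP anonymization does:
    IPv4 keeps the first 24 bits (last octet zeroed), IPv6 keeps the first
    48 bits (last 80 bits zeroed). Tokens that are not IP addresses, such as
    the "-" placeholder or a hostname, are returned unchanged."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    prefix_len = 24 if addr.version == 4 else 48
    # strict=False lets ip_network zero the host bits for us.
    network = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the leading client-IP field of one combined-format log line."""
    line = line.rstrip("\n")
    match = LOG_LINE_RE.match(line)
    if not match:
        return line  # not a recognisable log line; leave as-is
    return anonymize_ip(match.group("ip")) + match.group("rest")


def anonymize_log(lines):
    """Anonymize every line of a log (list of strings or an open file)."""
    return [anonymize_log_line(line) for line in lines]


if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Two caveats a practitioner should keep in mind. First, truncation reduces identifiability but does not make the record anonymous on its own: a /24 combined with a timestamp, user agent and the pages visited can still single out a person, so treat this as risk reduction and keep your retention period short. Second, run this in the logging pipeline (or a scheduled job on fresh logs) rather than relying on a one-off clean-up; a full IP that sits in a rotated log for months has already been processed and stored.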
TIP 2: CONDUCT A DATA ANALYSIS REVIEW
Okay, this process is not as long as it sounds, as long as you approach it methodically. A Data Analysis Review simply involves reviewing the personal data you currently hold. How did you get it? Have you shared it with anyone? What do you use it for? Has the data subject given you specific consent for all of those things? Start a paper trail so you can see the journey clearly; that way, you are able to show when, where, and whether you obtained consent from the data subject.
TIP 3: KNOW THE DEAL WITH CONSENT
If you are collecting and processing personal data, you will need to identify a legal basis for doing so. There are a few ways you will be able to do this. If you are relying on consent – get it right. Consent must be active: a pre-ticked box, silence or inactivity does not count. When users sign up to receive any marketing or blog updates, ensure that there is a clear, unticked box for them to tick which states in plain language what you will do with their email address or the other data provided.
Consent requests must be separate from other terms and use clear and precise language to inform the user what they are consenting to. Finally, tell users that they have the right to withdraw their consent at any time, and how to do this. It is advisable to have simple and effective withdrawal mechanisms in place.
TIP 4: BE TRANSPARENT WITH YOUR USERS
TIP 5: GET PROCESSES IN PLACE
One of the key requirements of the GDPR is ensuring that any personal data you collect, store or process is handled securely. The GDPR also sets out clear instructions on the steps to take in the event of a breach, including notifying the Data Protection Authority within 72 hours of becoming aware of it.
So it's time to get those processes in place! Check that your computer has appropriate security software installed and kept up to date. Ensure any data you hold is secured and protected by using encryption and by monitoring and controlling who has access to it. If, for example, you have a team, limiting access to only the people who need it reduces the risk of an accidental breach. Finally, consider moving your blog to HTTPS. You can use our preferred partner Fantasktic.
Now, we are all about positive thinking here at CD, but when it comes to business, a disaster plan is a major key. Finding a solution before a problem occurs is the best way to sleep better at night! In the context of data, simply sending an email to the wrong person could amount to a data breach if it contains personal data about a data subject. So make sure you stay secure.
TIP 6: DO. NOT. PANIC
There is zero need to panic. Breathe and follow these steps:
- Get clued up – know what constitutes collecting and processing personal data
- Take some time to look into all the ways in which you’re collecting user data
- Put a process in place to ensure that users can control their data
- Stop collecting any data that you do not need
- Check your plugins are compliant
- If you are relying on consent to process any personal data, ensure that you get valid consent from your data subject
Have you completed our Annual Blog Survey yet? Click here to be a part of shaping your industry!