What Is GDPR… And Is My Website Compliant?
by Ascedia
January 24, 2018 3 minute read
Europe’s General Data Protection Regulation (GDPR) is designed to protect personal data of its citizens by aligning European Union (EU) data privacy laws. By giving European citizens full control over how and where their personal data is collected, used, and stored by organizations, GDPR will have a major impact on any organization that holds or processes this data.
Effective May 25, 2018, this regulation applies to any institution anywhere in the world that offers goods and services to any European citizen or tracks their online behavior. GDPR affects all areas of your business, but your website plays a big role in compliance. Here are some highlights of the regulation and how you can work toward compliance:
Does GDPR Apply to My Company?
This regulation applies to:
- Companies that are based in the European Union (EU)
- Companies that use an email service provider (ESP) that is located in the EU
- Companies that process personally identifiable information of EU residents
Is My Email List Compliant?
GDPR requires companies to have explicit consent from “implied-consent” subscribers (also known as leads, prospects, clients, and customers). This means that everyone on your mailing list, whether they are currently engaged or not, needs to opt in to your marketing communications using a compliant opt-in form.
If you’re currently sending marketing messages to current customers or legacy subscribers who haven’t opted out of communications, you’ll have to proactively request that they subscribe. (It is also important to note that business email addresses are considered personal data, so the type of email address being used won’t get you off the hook.)
What Other Digital Marketing Is Affected?
It is important not only to review your data collection methods but also to check whether your technology and agency partners are compliant. Your third-party vendors, including the developer of your content management system (CMS), should also be compliant. GDPR’s extensive guidelines also require you to document the tools you use and the types of data you are collecting.
Review the tracking that is taking place on your sites to determine what data you, your vendors, and their partners are collecting and the purpose of saving that information. You should analyze the data that is being saved to your site database when forms are submitted, for example, and evaluate the sensitivity of that information. GDPR requires you to prove that you have a “legal basis” to collect personal data like IP address or a device identifier.
Are Users Able To Easily Give Consent?
When a user visits your website, a clear request for consent should be made (but users must still be able to access the site if they haven’t yet given consent for data collection). The request should be written in clear language and should explain how and why your organization wants to collect their personal data.
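One way to honor the point above in a website's front end is to gate only the trackers on consent, never the page content, and to load a third-party script only for a purpose the visitor explicitly ticked. The following is an added example written for this post, not code from Ascedia or from any CMS; the storage key, purpose tags and tracker list are constructed assumptions.

```javascript
// Consent-gated tracker loading (illustrative; not code from the original post).
// The storage key, purpose tags and tracker list below are assumptions
// constructed for this example.

const CONSENT_KEY = "gdpr_consent_v1"; // assumed localStorage key

// Third-party scripts the site would like to run, tagged by the purpose the
// consent request describes to the visitor. Constructed sample list.
const TRACKERS = [
  { id: "analytics", src: "https://analytics.example/tag.js", purpose: "analytics" },
  { id: "ads", src: "https://ads.example/pixel.js", purpose: "marketing" },
];

// Turn the visitor's explicit choices into a consent record. Only purposes the
// visitor actively set to true are granted; an untouched choice is not consent.
// The timestamp is kept so the site can later show when consent was given.
function buildConsentRecord(choices, grantedAt = Date.now()) {
  const purposes = Object.keys(choices).filter((p) => choices[p] === true);
  return { version: 1, grantedAt, purposes };
}

// Decide which trackers may load for a given record. No record (the visitor has
// not answered yet) or a malformed record means nothing loads; page content is
// never gated on this, only the trackers are.
function allowedTrackers(record, trackers = TRACKERS) {
  if (!record || !Array.isArray(record.purposes)) return [];
  return trackers.filter((t) => record.purposes.includes(t.purpose));
}

// Inject one permitted script tag. Only does anything in a browser.
function loadTracker(tracker) {
  if (typeof document === "undefined") return false;
  const s = document.createElement("script");
  s.src = tracker.src;
  s.async = true;
  document.head.appendChild(s);
  return true;
}

// Browser entry point: call on page load with the stored record (if any) and
// again after the visitor submits the consent form. Returns the ids of the
// trackers that were actually loaded.
function applyConsent(record) {
  if (typeof localStorage !== "undefined" && record) {
    localStorage.setItem(CONSENT_KEY, JSON.stringify(record));
  }
  return allowedTrackers(record).filter(loadTracker).map((t) => t.id);
}
```

The same record can serve as the evidence of consent the regulation asks you to keep, since it stores what was granted and when.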
What Are The Penalties?
After the effective date of May 25, 2018, companies that are marketing to people who haven’t given explicit consent will face a fine of up to 20 million euro or 4% of global annual revenue, whichever is greater.
How Do I Get Started?
This post just scratches the surface of the GDPR and its impact on your business. Depending on the amount of international business your company conducts, there could be far-reaching implications for compliance. Reviewing your digital marketing strategy and tools is a great start, and some content management systems (such as Kentico 11) already include features that support GDPR compliance.
If you’d like to discuss the impact of GDPR on your company, and your website, contact Ascedia today.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Ascedia makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.