While it has become incredibly easy to become a website owner in recent years, making sure that you’re always playing by the rules of website ownership is not quite so straightforward.
The internet has made it easy to put up a website and begin receiving traffic from all over the world. Of course, the problem with this is that different countries have different rules regarding things like privacy and the ways in which you’re allowed to collect and use the data of the people who visit your website.
One of the most recent compliance issues that many website owners now face is Europe’s GDPR. In this article, we’ll explain this regulation and help you learn how to make sure that your website is compliant.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a rule which was passed by the European Union in 2016, and while technically only those operating within the European Union should be affected, thanks to the reach of the internet, every site should make sure that it is GDPR compliant.
So, what exactly does the GDPR require? For the most part, it simply seeks to make data collection by business websites and social networks more transparent.
You are still allowed to collect and use your visitors’ data for marketing efforts, but you will need to explicitly ask their permission before doing so.
Users who have agreed to let you collect and use their data must also be given a way to revoke that consent. This is not so different from the laws surrounding email marketing, which require you to provide a way for subscribers to remove themselves from your email lists.
Companies that experience a data breach will also be required to report the breach to the data protection authority, for the protection of consumers.
Is my website required to be GDPR compliant?
The wording of the GDPR targets specific groups. If any of the statements below apply to your business, then you are required to comply with the GDPR.
● Firms located in the EU
● Firms not located in the EU that offer paid or free goods or services to EU citizens
● Firms located outside the EU that monitor or track the behaviour of EU citizens
What counts as a collection of personal data?
Almost every website collects personal data in some way. The regulation’s definition of personal data:
“covers any information that relates to an identifiable, living individual.”
If you sell products or services, then you most certainly collect names, postal addresses, email addresses and credit card numbers at the very least, and possibly even social security numbers if you operate in the financial sector.
However, many websites also personalize what they show, such as targeted advertisements or product recommendations. Software like this also collects a user’s personal data by following them around the internet and storing cookies.
Even your analytics software counts as personal data collection, because it tracks and reveals the user’s physical location. Any online identifiers are now protected by the GDPR.
Penalties for non-compliance with the GDPR
If you’re thinking about trying to get around the GDPR law, then you should know that the penalties if you’re caught are pretty steep. While the regulatory body behind the law is vague about the exact penalties, they have set a maximum fine of €20,000,000.
A fine of that amount would, of course, be reserved for the biggest offenders, the Googles and Facebooks of the world. However, you shouldn’t assume that you can’t receive a fine just because you’re not as big as they are.
While that is the maximum fine, the penalty is actually set at 4% of a company’s yearly income! Imagine what losing that would look like for you, and then keep reading to learn how you can make sure that your website is GDPR compliant.
How to make sure your website is GDPR compliant
When you add a person to your email list, they must willingly give their email address to you. They enter it into the sign-up box and are giving their explicit permission for your company to send mail to them.
You must now take that same approach with all consumer data in order to become GDPR compliant. In many cases, websites have taken an “all data usage approach” to this by providing a “consent” form when the user lands on the page.
Step 1: Make sure that you’re requesting consent
Requesting consent can be as simple as using a pop-up to inform users that your website uses their data for specific purposes. Just remember that users must give explicit consent. This means that you can’t just assume that they consent to data collection, and you can’t use pre-ticked boxes to trick them into giving their consent.
Your best bet is to have your message briefly describe how you will be using their personal data, and then make it so they must click a button to signify consent. Putting a message that says something akin to “by visiting this website you’re consenting to data collection” will not cut it.
Step 2: Make sure that consent can be revoked by the user
Getting consent is not enough to be GDPR compliant. You must also make sure that users can revoke that consent should they decide that they no longer want you tracking their activity. Most websites accomplish this with a setting the user can change at any time, and you can even let people choose specifically which information they allow you to use.
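The rules in Step 1 and Step 2 can be captured in a small consent store that the banner and the settings page both talk to. The following is an added example, not code from the article: it assumes three purpose names, a notice version tag and in-memory storage (a real site would persist the record server-side or in a first-party cookie).

```javascript
// Added example (not from the article): a consent store enforcing the rules above.
// Assumed details: the purpose names, the notice version tag and in-memory storage.
const PURPOSES = ["analytics", "advertising", "personalization"];
const NOTICE_VERSION = "notice-v1"; // bump when the consent text changes, so visitors are asked again

class ConsentStore {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.record = null; // null means "no decision yet", which is treated as "no consent"
  }

  // What the banner renders before the visitor acts: every box unticked.
  defaultChoices() {
    return Object.fromEntries(PURPOSES.map((p) => [p, false]));
  }

  // Called only from the banner's "Save" button handler. `ticked` is the list of
  // purposes the visitor selected; anything not listed is recorded as refused.
  recordDecision(ticked) {
    const unknown = ticked.filter((p) => !PURPOSES.includes(p));
    if (unknown.length) throw new Error(`unknown purpose: ${unknown.join(", ")}`);
    const purposes = Object.fromEntries(PURPOSES.map((p) => [p, ticked.includes(p)]));
    this.record = { purposes, noticeVersion: NOTICE_VERSION, decidedAt: this.clock() };
    return this.record;
  }

  // Withdrawal must be as easy as granting: one call from the settings page.
  revoke(purpose) {
    if (!this.record || !(purpose in this.record.purposes)) return false;
    this.record.purposes[purpose] = false;
    this.record.decidedAt = this.clock();
    return true;
  }

  // Merely visiting the site, or a decision made under an older notice, is not consent.
  allows(purpose) {
    if (!this.record || this.record.noticeVersion !== NOTICE_VERSION) return false;
    return this.record.purposes[purpose] === true;
  }

  // Gate for tracking code: the loader (e.g. injecting an analytics script)
  // runs only when the purpose has been explicitly granted.
  runIfAllowed(purpose, loader) {
    if (!this.allows(purpose)) return false;
    loader();
    return true;
  }
}
```

The timestamp and notice version in each record are what let you later show which wording the visitor actually agreed to.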
Step 3: Have a data breach plan in place
In addition to asking for consent, you now also have a responsibility to report data breaches to the data protection authority. You have 72 hours to do this, so your company should have a plan in place so that you know what to do when a breach happens.