There is a new EU law coming into effect later this year called GDPR, and it has the potential to shift how privacy is handled online and to replace the patchwork of national privacy laws with a single set of rules.
GDPR stands for General Data Protection Regulation, and it becomes enforceable on 25 May 2018. Fortunately, if an organization’s marketing and IT teams already follow good industry practices, the changes aren’t that severe or difficult.
Note – I am not a lawyer, so please discuss GDPR with the appropriate counsel and executive members at your organization, including how GDPR will affect or change your processes.
I’m Not In The EU, Does This Still Apply?
The situation is more complex than simply not having European clients or blocking Europe from a website. The regulation applies to any organization established in the EU, and also to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there, regardless of where the website is hosted. The test is about the location of the person whose data is collected, not their citizenship: an EU citizen who signs up for a service while visiting the US is not automatically covered, but a visitor in Germany signing up on a US website that targets or tracks EU visitors is. If a website could be used by people in the EU and collects their personal data, assume the law applies.
If you have a website with very few or no customers in the EU, it is likely that a supervisory authority will only reach out if it receives a complaint against you.
On the other hand, if you have a large website, or a large number of customers in the EU, then you should take the GDPR very seriously.
Regardless of whether you are likely to be affected or not, there are some measures you should take to ensure compliance and streamline privacy in case of any future complaints.
What Are The High Points Of GDPR?
Use Plain Language, Not Legalese
This is pretty clear cut: privacy notices and consent requests must be concise, transparent and written in plain language. Burying the terms in complex legal language is a no-no.
Consent Must Be Explicitly Given
If an organization relies on consent as its legal basis for collecting personal data (for example, for a newsletter or marketing list), that consent must be a clear, affirmative action by the user. This means that a checkbox for “I accept” or “sign me up for the newsletter” must be UN-checked by default, and pre-ticked boxes or inactivity do not count. Opt-in must also be unbundled, meaning a user can’t be added to a mailing list simply by agreeing to a Terms & Conditions page, and withdrawing consent must be as easy as giving it.
Notification Of Data Breaches
If a data breach occurs, the supervisory authority must be notified within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. If the breach is likely to result in a high risk to those people, they must also be notified without undue delay.
Right To Access User Data
Upon request, and normally at no charge, users must be provided a copy of the personal data held about them, generally within one month of the request. The user must also be told how the data is being processed, for what purpose, who it has been shared with, and where it came from.
Right To Be Forgotten
Users have a right to have their personal data erased. For example, if a user creates an account and later decides to close it, they can ask the organization to remove all of the data collected about them, both for account purposes and for marketing purposes. The main exemptions are data the organization is legally required to retain, such as banking and tax records, and data still needed for a legal claim.
Data Protection Officer
A Data Protection Officer is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of data. Even if you fall outside those cases, if you maintain a lot of personal data you may want to appoint a person to oversee this process. Ideally, this person has access to, and reports to, the top tier of company executives.
Steps To Take For GDPR – May 2018
Audit all forms so that there is no automatic opt-in: every consent checkbox is left unchecked by default, marketing consent is separate from accepting the Terms & Conditions, and the consent given is recorded with the form version and timestamp so it can be demonstrated later.
Determine 3rd Party Compliance
If you work with third parties for things such as newsletters, payment processing, accounting software, CRM, marketing automation, and even web hosting and development, you should obtain information on their compliance, or details of what they are doing to become compliant, and have a written data processing agreement with each of them. Under the regulation, the organization that decides why and how the data is used (the controller) remains responsible, not the developers, web host, or third-party services processing the data on its behalf.
Have A Plan For A Data Breach
Having a formal incident response plan, with named owners, contact details for your supervisory authority, and a template for the notification, makes it realistic to investigate, contain, and report within the 72-hour window rather than scrambling to work out who does what.
Have A Plan For Someone Requesting Data Or Deletion
If someone contacts your organization about their information, or asks for it to be deleted, having an appointed Data Protection Officer (or a named privacy contact) speeds this up and provides a single point of contact for both the user and any complaints. The plan should also cover how you verify the requester’s identity before releasing or deleting data, and where personal data lives across your own systems and your third-party services so that nothing is missed.