11th March 2019

Year to data

“It’s important to understand that GDPR compliance didn’t end in May last year - it is an ongoing journey.”

One year on, Jamal Dayes analyses the impact of GDPR on website data retention and collection.

It is nearly a year since businesses across Europe were gearing up towards GDPR deadline day on 25 May. Hurried updates to websites, rejigged CRMs, privacy policies and hosting solutions were required to get businesses compliant ahead of the deadline. The ensuing panic was perhaps slightly less apocalyptic than the Y2K Millennium Bug in 1999, but comparisons were drawn.

Wait, what is GDPR again?
The 240-page document on the new General Data Protection Regulation (GDPR) wasn’t exactly a light read, so a quick reminder of the relevant parts might be in order here. The regulation states that if your website collects or stores data related to any EU citizen, even if you are not an EU entity, you must comply with the following:

  • Communication: Tell users who you are, the purpose of collecting the data and how long it will be stored for;
  • Consent: Ensure that consent is given before collecting any data. If being used for marketing purposes, users should have the ability to opt-out;
  • Access: Provide users with access to view/amend or delete their data, or transfer it to another provider;
  • Warnings: Inform users if there has been a data breach.

But why is this important?
GDPR is ultimately a force for good in that it improves the protection of our data and our rights as well as clarifying what companies must do to safeguard these rights. It also raises the stakes for compliance by imposing greater fines for a breach. The maximum fine for non-compliance now stands at a whopping €20 mn or 4% of global revenue, whichever is higher.

Google has already been hit with a €50 mn financial penalty and Facebook grabbed the headlines in 2018 for privacy and data breaches. It is likely other big players will be in line for hefty fines in 2019.

How can we ensure we’re GDPR compliant?
It’s important to understand that GDPR compliance didn’t end in May last year – it is an ongoing journey: regularly assessing how your website is collecting, processing and storing data, and checking that your policy is communicated effectively to your visitors.

Key points:

  • Privacy policy: Take responsibility for ongoing review of your privacy policy in line with GDPR guidelines. You should clearly define the data you are collecting, how it is processed, and how your customers can get access to view/edit/request removal of their personal data. The privacy policy should be clearly linked on all pages of the website and ideally within a notification banner for first time visitors.
  • Third-party services: Review third-party services for information about their compliance (e.g. Mailchimp, Salesforce, Google Analytics, etc). Information on these services and how they store/process data will need to be included within your privacy policy – especially if those businesses reside/operate outside of the EEA.
  • Opt-in/unsubscribes: If your website collects e-mail addresses for marketing/newsletter content, it is important that you include an opt-in checkbox to ensure consent has been given with a clear affirmative action. Any future communications will also need to include links to allow your audience to view/edit or unsubscribe from future communications. Using services like Mailchimp, Dotmailer or Communigator will take the pain out of managing these, as these features are often built in. But it is vital that you follow the digital trail to make sure that customer data is only stored in a manner that follows GDPR rules on compliance.
  • Security: If you haven’t already done so, purchase and install an SSL certificate on your website to allow it to run over https rather than http. Not only does this allow data to be sent securely, it reaffirms to your users that you take security seriously. For added good measure, Google now includes SSL in the mix when deciding on how to rank websites, so ticking this box could also boost your SEO.
  • Stay up to date: Nominate someone within the business (no matter what size) to take responsibility for your firm’s GDPR responsibilities. Keep up to date with the Information Commissioner’s Office and review website best practice in relation to data management to ensure that you don’t get caught out.

If you’d like to speak to Bladonmore about reviewing your website or making recommendations to get in line with GDPR compliance, please do get in touch. hello@bladonmore.com
