Digital marketers are mere days away from a new reality. The EU’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, stands to fundamentally change the way organizations assess and address issues of data security and privacy. Furthermore, GDPR is likely only the first of what will be a wave of new consumer protections enacted worldwide as governments scramble to address a host of growing problems in the industry.
The years of “self-regulation” on the web fostered explosive growth—but also all-too-public revelations regarding misuse, abuse, and unintended exposure of consumers’ personal and financial data.
In this article, I dissect GDPR and its potential implications for your organization’s digital presence. As you’ll see, even US-based organizations must carefully consider the obligations and impact stemming from the EU’s new regulation.
What is GDPR all about?
At its core, the GDPR is a set of broad guidelines that aim to greatly improve the privacy, collection, and handling of personal data of European Union (EU) citizens.
The maximum penalties for noncompliance are attention-getting: up to 20,000,000 euros (roughly $21 million U.S.) or 4 percent of annual worldwide revenue, whichever is greater.
Some of the major tenets of the regulation include:
- Data protection by design and by default.
- Seeking explicit user consent to tracking and data collection.
- Tracking of all data collection, processing, and transmission activities for audit purposes.
- Users’ right to request, access, and update the personal data you have collected.
- Users’ right to modify their data preferences.
- Right to be forgotten, i.e., the user’s right to demand deletion of their personal data.
- Immediate reporting of breaches to the EU.
- Organizational requirements including accountability, contracts, processes, and documentation of data management and processing activities.
But wait, does GDPR really apply to me?
That’s a tricky question. GDPR language is such that any organization with online campaigns or websites that target, engage, or collect data from EU citizens may potentially be subject to its requirements.
It is important to note that GDPR must be assessed in context of each organization and situation. Seek legal counsel to determine whether—and to what extent—GDPR applies to you.
To help you begin this assessment, we have identified several general situations with varied applicability of GDPR:
As if to fuel ongoing speculation and uncertainty, GDPR didn’t come written with hard-and-fast rules or prescriptive, one-size-fits-all solutions. Your best starting points are to be informed, elevate awareness and discussion within your organization, and seek expert legal advice. All of these will help usher your online presence into this new regulatory environment.
What has to change in my website to comply with GDPR?
A number of steps may be needed to bring your website into compliance with GDPR. In a strict reading of the regulation, compliance could require any or all of the following:
1. Seek explicit consent via soft opt-in in order to:
- Track visitors via cookies.
- Submit forms containing personally identifiable information, including email addresses.
2. Succinctly—and in lay language—disclose your purpose for collecting, storing, processing, and/or sharing the data you collect from visitors. Links to long, dense and technical privacy policies will not suffice.
3. Provide users with the ability to exercise their rights to:
- Upgrade or downgrade their privacy settings at any time.
- Update the data you have collected from them.
- Download a copy of their personal data from your website.
- Erase their data from your website.
4. Collect only the minimum data necessary and retain it only as long as you need to.
What about the supporting technology (such as our CMS or E-commerce platform)?
GDPR also lays out a number of important requirements for compliance regarding your web platforms and how they protect, process and communicate personal data.
Personal data must be encrypted—both when at rest (stored) and in transit (transmitted or exchanged). Beyond that, personal data must be stored in a “pseudonymized” fashion. In simplified terms, that means the pieces of information are tokenized and separated such that, even unencrypted, they are made reasonably difficult to reassemble and assign to a specific individual.
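The separation step described above, as an added illustrative example in Python (not code from the original article or from any CMS vendor it names): identifiers go into a vault, behavioural data into a working table, and the two are linked only by a keyed-hash token. The HMAC key, the two-table layout and the sample record are assumptions chosen for the illustration; encryption of the vault at rest is assumed to happen in the storage layer and is not shown.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Constructed sample record, as a marketing site might collect it (not real data).
SAMPLE_RECORD = {"email": "alice@example.com", "name": "Alice Example",
                 "country": "DE", "page_views": 42, "consented_to_tracking": True}
# Fields that directly identify a person; everything else is behavioural data.
IDENTIFYING_FIELDS = ("email", "name")


class PseudonymizedStore:
    """Identifiers and behavioural data live in two tables linked only by a token.
    A leak of the working table alone names nobody; the vault and the HMAC key are
    what must be encrypted and tightly access-controlled."""

    def __init__(self, key: bytes):
        self._key = key                     # secret; keep with the vault, never with the working table
        self.vault: Dict[str, dict] = {}    # token -> identifying fields
        self.working: Dict[str, dict] = {}  # token -> everything else

    def token_for(self, email: str) -> str:
        # Keyed hash: a stable pseudonym per person that cannot be recomputed
        # from a candidate email by anyone who lacks the key.
        normalized = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()

    def ingest(self, record: dict) -> str:
        token = self.token_for(record["email"])
        self.vault[token] = {k: record[k] for k in IDENTIFYING_FIELDS}
        self.working[token] = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        return token

    def export_for(self, email: str) -> Optional[dict]:
        # Right of access / portability: reassemble the record for the data subject.
        token = self.token_for(email)
        if token not in self.vault:
            return None
        return {**self.vault[token], **self.working[token]}

    def erase(self, email: str) -> bool:
        # Right to erasure: drop both halves so nothing about the person stays linkable.
        token = self.token_for(email)
        found = token in self.vault
        self.vault.pop(token, None)
        self.working.pop(token, None)
        return found
```

Analytics and CMS components read only the working table; the vault and key sit behind separate access controls, so a compromise of the analytics side yields tokens rather than people.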
Popular and widely used CMS platforms such as Sitecore, Episerver and Kentico all now boast GDPR compliance. The caveat is that this has been achieved only in their most recent major versions. Organizations should therefore assess which versions they are running and what compliance those versions actually provide, in light of the level of compliance they need. In many cases, updates and upgrades, along with careful regression testing, will be in order.
Where do we go from here?
Contact Hanson Dodge to learn more about how you can take action now to improve your compliance with GDPR.