The General Data Protection Regulation (GDPR) is the European Union’s new data protection legislation. The UK is currently following the Data Protection Act of 1998, which replaced the 1995 EU Data Protection Directive. The way we use digital information has changed in ways that were not foreseen over the past decades, so the laws currently in place no longer meet many of their objectives and will be superseded by the new legislation.
Highlights of the GDPR
- The GDPR will automatically apply in all EU member states from 25 May 2018. It has been in force since 24 May 2016, but businesses and organisations have until 25 May 2018 to ensure compliance before the law fully applies.
- It will introduce changes on how businesses and public sector organizations control or process personal and sensitive data of customers, such as their name, address, IP address, religious and political views, sexual orientation, and more.
- The new data protection laws will also give more people control over what companies can do with their data, such as more rights to access or request deletion of information companies hold on them.
- It will enforce a clear responsibility for organizations to obtain the consent of people they collect information about.
- It will introduce more rigid enforcement measures and bring in tougher fines for noncompliance and breaches in order to improve customer trust in the emerging digital economy.
- The GDPR will also standardize data protection laws throughout Europe, giving businesses throughout the 28 EU member countries a simpler, clearer legal environment in which to operate.
Steps You Can Take Now to Get Your Website Ready for the General Data Protection Regulation (GDPR)
If you are a company that deals with personal data belonging to EU residents then you need to ensure that you are ready for the GDPR. Here are some areas to review and update on your website:
Make sure to clean up your email databases
If you have a database of subscribers whose details were not collected according to GDPR standards, then you need to do some cleaning up by sending them a re-permission email so that they can choose to re-opt-in and stay on your newsletter list. A subscriber who chooses to re-opt-in gives you proof of their consent, which is what makes that part of your business GDPR-compliant.
Ask people to actively opt in
GDPR compliance will now require that you use contact forms that do not have pre-ticked boxes, opt-out boxes or default settings. This ‘positive opt-in’ or ‘affirmative action’ will be required to ensure that people have a genuine and free choice and control, and take some positive action, in order for their consent to be valid.
If you want people’s consent for different purposes, the Information Commissioner’s Office (ICO) advises that you provide a separate opt-in for each purpose, because, in the ICO’s words, “People should not be forced to agree to all or nothing – they may want to consent to some things but not to others.”
To further ensure that your opt-ins are compliant with the GDPR, you must also take note of these additional points:
- Make sure that people can easily exercise their right to withdraw consent.
- You must use clear and plain language when explaining consent.
Change your website Cookie and Privacy Policies
Under the GDPR, the standard phrase included in cookie notices, “by using this site, you accept cookies,” only implies consent and, as a result, will no longer be compliant. Websites that use different types of cookies for different processing purposes will need a separate mechanism to obtain valid consent for each purpose: for example, granular controls with separate consents for tracking cookies and for analytics cookies, and a way for the visitor to signal that consent through an ‘affirmative action.’
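The opt-in rules above (no pre-ticked boxes, one opt-in per purpose, easy withdrawal, proof of consent) and the per-purpose cookie consent just described can be modelled in a small consent record. The following is an added example, not code from the original post or from Ezone; the purpose names, cookie catalogue and policy version are constructed for illustration, and it is written as plain Node.js rather than browser code so it runs stand-alone.

```javascript
// Added example, not from the original post: a per-purpose consent record for a
// website, written as plain Node.js (no browser) so it runs stand-alone.
// Purpose names and the cookie catalogue are constructed for illustration.

const PURPOSES = ["analytics", "tracking", "marketing"];

// Constructed cookie catalogue: each cookie is tied to one processing purpose.
// Strictly necessary cookies (session, CSRF) are the only ones that need no consent.
const COOKIE_CATALOGUE = {
  session_id:   { purpose: "necessary" },
  csrf_token:   { purpose: "necessary" },
  analytics_id: { purpose: "analytics" },
  ad_tracker:   { purpose: "tracking" },
};

// Nothing is pre-ticked: every purpose starts as not consented. The policy
// version is stored so consent can be re-sought when the notice text changes.
function newConsentState(policyVersion) {
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  return { policyVersion, purposes, events: [] };
}

// Record an affirmative choice for exactly one purpose. The event log is the
// proof of consent: which purpose, granted or withdrawn, when, under which text.
// Withdrawal uses the same call with granted = false, so it is as easy as opting in.
function setConsent(state, purpose, granted, now = new Date()) {
  if (!(purpose in state.purposes)) throw new Error(`unknown purpose: ${purpose}`);
  state.purposes[purpose] = granted;
  state.events.push({
    purpose,
    action: granted ? "grant" : "withdraw",
    policyVersion: state.policyVersion,
    at: now.toISOString(),
  });
  return state;
}

// "By using this site you accept cookies" is implied consent; nothing here
// flips a purpose to true without an explicit setConsent() call.
function mayUseCookie(state, cookieName) {
  const entry = COOKIE_CATALOGUE[cookieName];
  if (!entry) return false;                        // unknown cookie: deny
  if (entry.purpose === "necessary") return true;  // no consent needed
  return state.purposes[entry.purpose] === true;   // otherwise opt-in required
}

// Filter the cookies a page wants to set down to those currently permitted.
function permittedCookies(state, wanted) {
  return wanted.filter((name) => mayUseCookie(state, name));
}
```

Consenting to analytics does not unlock tracking cookies, and the event log records the policy version so you can tell which wording the visitor actually agreed to.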
There’s not much time before the EU GDPR officially takes effect. It’s best to start your planning process and begin implementing the changes your organization will need to make now, especially if you run multiple websites.
If you wish to consult with Ezone about getting your website ready for GDPR, please do not hesitate to contact us.
Helpful resources from the ICO:
Getting ready for the GDPR
12 steps to take now
Accountability and governance