The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) to protect customer data. GDPR will go into effect on May 25th and will give citizens of the EU more control over their personal data while also requiring more security for this data. Personal data includes any information relating to a person: their name, photos, email addresses, social media updates, financial or medical information, or even an IP address. More specifically, the GDPR gives individuals 8 important rights:
- The right to request access to their data and to also ask how exactly their data is being used.
- The right to be forgotten: if the individual no longer wishes to be a customer, they have the right to have their data deleted.
- The right to data portability which means the ability to transfer data from one service provider to another.
- The right to be informed before any data is gathered by a company and then given the opportunity to opt into their data being collected.
- The right to have information corrected in the event their data is out of date, incomplete, or incorrect.
- The right to restrict processing of their data, so that their record remains in place but is not processed further.
- The right to object to their data being processed for marketing purposes.
- The right to be notified in the event of a data breach which can potentially compromise the individual’s personal data.
How could this affect a business website?
GDPR currently applies to any business that does business with the European Union, and to become compliant a business must take steps now to avoid a potential penalty. A number of popular CMS platforms are also working on compliance tools they anticipate releasing in the coming months. Here are a few important aspects to look at for websites:
Form Submissions. Forms are under scrutiny by the GDPR, which carries many rules on protecting the consumer's data and experience while opting in or out. To comply, companies may need to stop certain tactics for collecting user data, such as:
- Default opt-in for newsletters, emails, or updates. Users must check or select to opt-in for these items.
- Making withdrawal or opt-out difficult.
- Not identifying each party to which the consumer is giving consent.
- Bundling opt-ins together, for example email, telephone, text messages, and automated calls under a single consent.
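The four form rules above translate directly into how a consent handler should read a submission. The following Python is an added example, not code from the article: it assumes a hypothetical form whose checkboxes are named `consent.<channel>.<party>` (one box per channel and per recipient, with constructed party names), treats a missing box as "no", ignores any bundled `consent.all` field, records which party each consent was given to, and lets the user withdraw with a single call.

```python
"""Granular consent capture for a web form (added example, not the article's code).

Assumptions (hypothetical): the form posts one checkbox per channel and per
recipient, named "consent.<channel>.<party>"; an unchecked HTML checkbox is
simply absent from the submission, and a checked one carries the value "on".
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHANNELS = {"email", "telephone", "sms", "automated_calls"}
PARTIES = {"example-shop", "example-partner"}  # constructed recipient names


@dataclass
class ConsentRecord:
    user_id: str
    granted: dict = field(default_factory=dict)    # (channel, party) -> ISO timestamp
    withdrawn: dict = field(default_factory=dict)  # (channel, party) -> ISO timestamp


def capture_consent(user_id, form):
    """Read explicit, separate opt-ins from a submitted form.

    - no default opt-in: a field that is missing or not "on" is treated as "no"
    - no bundling: a field such as "consent.all" has no channel/party and is ignored
    - each party identified: the field name itself carries the recipient
    """
    record = ConsentRecord(user_id)
    now = datetime.now(timezone.utc).isoformat()
    for name, value in form.items():
        if not name.startswith("consent."):
            continue
        parts = name.split(".", 2)
        if len(parts) != 3:
            continue  # bundled or malformed consent field: never expanded into consents
        _, channel, party = parts
        if channel in CHANNELS and party in PARTIES and value == "on":
            record.granted[(channel, party)] = now
    return record


def has_consent(record, channel, party):
    """True only while an explicit grant exists and has not been withdrawn."""
    return (channel, party) in record.granted


def withdraw_consent(record, channel, party):
    """Withdrawal is one call, no extra steps; the timestamp is kept as evidence."""
    if record.granted.pop((channel, party), None) is not None:
        record.withdrawn[(channel, party)] = datetime.now(timezone.utc).isoformat()
    return record


# Constructed submission: two explicit opt-ins, one bundled field, one
# unrelated pre-checked box that must not be mistaken for consent.
SAMPLE_FORM = {
    "consent.email.example-shop": "on",
    "consent.sms.example-shop": "on",
    "consent.all": "on",
    "newsletter_default": "on",
}

if __name__ == "__main__":
    rec = capture_consent("user-1", SAMPLE_FORM)
    print(sorted(rec.granted))  # [('email', 'example-shop'), ('sms', 'example-shop')]
    withdraw_consent(rec, "email", "example-shop")
    print(has_consent(rec, "email", "example-shop"))  # False
```

Keeping the grant and withdrawal timestamps per (channel, party) is what lets a business answer a later access request ("what did I consent to, and when?") without reconstructing it from mail logs.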
Analytics. Google Analytics collects data anonymously, so no personal data is collected by default, and there does not yet seem to be a clear impact on its usage in light of GDPR. But since the GDPR definition of personal data is somewhat broader, Google Analytics is taking steps to allow more flexibility in how data is stored and modified. Most companies will need to select a time limit for data storage and apply the change in a new setting. In the end, Google places the onus of regulatory responsibility on businesses; with these changes, companies have more control within Google's tools to meet compliance needs. The key point is to check what kind of data is actually being processed through the tracking tools in use.
Online Payments. For e-commerce businesses, personal data may be collected and stored before it is passed along to the payment processor. To be compliant with GDPR, companies must put a process in place to delete that data after a reasonable period of time.
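The deletion process the paragraph calls for is usually a scheduled retention job. The following Python is an added example, not the article's code: it assumes a hypothetical order store where each order records when it was created and whether the hand-off to the payment processor is complete, uses a constructed 30-day retention period (the regulation itself does not fix one), and strips only the personal fields from old, handed-off orders while keeping the non-personal transaction record and leaving orders that are still in flight untouched.

```python
"""Retention purge for personal data held alongside orders (added example).

Assumptions (hypothetical): orders are dicts with an ISO "created_at"
timestamp and a "handed_off" flag set once the payment processor has the
transaction. RETENTION is a constructed value; choose and document your own.
"""
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)
PERSONAL_FIELDS = ("customer_name", "email", "shipping_address", "ip_address")


def scrub(order, now):
    """Return a copy of the order with personal fields removed and the purge recorded."""
    cleaned = {k: v for k, v in order.items() if k not in PERSONAL_FIELDS}
    cleaned["personal_data_purged_at"] = now.isoformat()
    return cleaned


def purge_personal_data(orders, now):
    """Return (orders_after_purge, number_purged).

    An order is scrubbed only when all three hold: the hand-off to the
    processor is complete (data still needed is never deleted), the order is
    older than RETENTION, and it still carries personal fields (idempotent).
    """
    result, purged = [], 0
    for order in orders:
        age = now - datetime.fromisoformat(order["created_at"])
        expired = order.get("handed_off", False) and age > RETENTION
        if expired and any(f in order for f in PERSONAL_FIELDS):
            result.append(scrub(order, now))
            purged += 1
        else:
            result.append(dict(order))
    return result, purged


# Constructed sample: one expired order, one recent order, one expired order
# whose hand-off never completed.
SAMPLE_ORDERS = [
    {"order_id": "A100", "amount": 42.00, "created_at": "2018-04-01T10:00:00+00:00",
     "handed_off": True, "customer_name": "Jane Example", "email": "jane@example.test",
     "shipping_address": "1 Example St", "ip_address": "192.0.2.10"},
    {"order_id": "A101", "amount": 9.99, "created_at": "2018-05-20T10:00:00+00:00",
     "handed_off": True, "customer_name": "John Example", "email": "john@example.test"},
    {"order_id": "A102", "amount": 15.00, "created_at": "2018-04-01T12:00:00+00:00",
     "handed_off": False, "customer_name": "Pending Example", "email": "p@example.test"},
]
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    after, count = purge_personal_data(SAMPLE_ORDERS, NOW)
    print(count)                      # 1
    print(sorted(after[0].keys()))    # no personal fields left on A100
```

Running the job a second time purges nothing, because the scrubbed order no longer carries personal fields; that makes it safe to schedule unconditionally and to verify from the `personal_data_purged_at` stamps that the retention policy is actually being applied.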
What should be done to apply GDPR best practices?
Companies in the U.S. may be unaffected by this regulation right now because it is an EU policy; however, protecting customer data is a growing trend and similar rules may soon find their way to the U.S. Creating an internal data-handling policy now will make it easier to comply with any future regulation. Companies that are affected by this new regulation need to continue researching GDPR requirements and create a plan.