As a digital web agency looking after numerous websites for various brands and businesses, we’re more conscious than most about GDPR. On the whole, we think it’s a good thing – it means more transparency for users, better data protection and security, clearer privacy notices and a great chance for businesses to refresh their internal procedures.
But with so much confusion around who is responsible for what, we’ve put together some advice for our existing clients to help ensure they’re compliant and figure out how we can help.
How to become GDPR-compliant
What is it?
The General Data Protection Regulation – or GDPR for short – is a new EU regulation which has been designed to update the existing Data Protection Directive.
When does it apply?
In the UK, the GDPR will apply between May 25th and Brexit, and most likely post-Brexit too. The UK is implementing a new Data Protection Act which includes some changes and exceptions to the GDPR.
Will it affect my business?
Yes, any company that does business with EU residents will be subject to the new regulations. Even if you are offering a free service, such as a website that people in the EU access, you may be subject to GDPR if you collect IP addresses or track cookies.
Am I collecting IP addresses or tracking cookies?
The vast majority of websites use ‘tracking cookies’ that use your IP address. This sends a log of your online activities to a remote database for analysis. Many tracking cookies are benign and want only to use your information for marketing analysis.
Will I be fined?
Elizabeth Denham, the UK’s information commissioner, who is in charge of data protection enforcement, said that speculation that her office will try to make examples of companies by issuing large business-crippling fines isn’t correct. “We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick.”
Denham says the ICO (Information Commissioner’s Office) prefers to work with organisations to improve their practices and sometimes a “stern letter” can be enough for this to happen.
“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.” “We will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.”
What do I need to do?
Obtaining consent for Personally Identifiable Information (PII)
You may have heard that you now need to add an opt-in checkbox wherever you’re asking for user data – this is not true, although a checkbox might be part of the solution you choose. The requirement for ‘clear and plain language when explaining consent’ is now strongly emphasised. We can provide you with an audit, recommendations and code updates to ensure you’re doing your best to be compliant.
It’s also important to make it clear how users can opt out of consent to hold and use their data. The ‘Unsubscribe’ button is almost omnipresent amongst marketing emails processed through software such as Campaign Monitor or MailChimp because it’s a required option, but it’s not always obvious, often sitting at the bottom of emails, blending into a closing paragraph. Making this more noticeable is one of the key intentions of GDPR and we can help you with this.
Privacy notices & consent
You may have noticed multiple websites adding a privacy notice when you first visit.
For example, on Nike.com
We have a method ready to implement to handle simple cookie opt-in and opt-out. Should you wish for something more bespoke, the Nike example above illustrates what is possible: initially you are asked whether you accept the recommended settings, and further options are then available by clicking ‘Cookie settings’ in the footer. As in Nike’s solution, you are offered the option to opt out of analytics tracking or social-media tracking.
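The layered consent flow described above, as an added illustration that is not the agency’s or Nike’s own code: optional trackers stay unloaded until the visitor opts in, a one-click banner answer sets every category at once, and a settings panel adjusts categories individually. The category names, the script list and the storage format are assumptions made for the example.

```javascript
// Consent categories assumed for this example; 'necessary' can never be switched off.
const CATEGORIES = ['necessary', 'analytics', 'social'];

// Assumed "recommended settings": strictly necessary cookies only, nothing
// optional runs until the visitor has decided.
function defaultConsent() {
  return { necessary: true, analytics: false, social: false, decided: false };
}

// One-click banner answer: accept turns every category on, decline leaves
// only the strictly necessary ones.
function answerBanner(consent, accept) {
  const next = { ...consent, decided: true };
  for (const c of CATEGORIES) next[c] = c === 'necessary' ? true : accept;
  return next;
}

// Granular update from the "Cookie settings" panel. Unknown keys are ignored
// so a tampered or stale stored value cannot add categories.
function updateSettings(consent, changes) {
  const next = { ...consent, decided: true };
  for (const [c, on] of Object.entries(changes)) {
    if (!CATEGORIES.includes(c) || c === 'necessary') continue;
    next[c] = on === true;
  }
  return next;
}

// Gate third-party script loading on consent: each tag declares its category
// and anything in an unconsented category is held back from the page.
function allowedScripts(consent, scripts) {
  return scripts.filter(s => consent[s.category] === true).map(s => s.src);
}

// Constructed sample of the tags a site might register.
const SAMPLE_SCRIPTS = [
  { src: '/js/site.js', category: 'necessary' },
  { src: 'https://analytics.example/collect.js', category: 'analytics' },
  { src: 'https://social.example/widgets.js', category: 'social' },
];

// Persist the choice (e.g. in a first-party cookie or localStorage) and restore
// it defensively: anything unparseable falls back to the safe default.
function serialise(consent) { return JSON.stringify(consent); }
function restore(raw) {
  try {
    const saved = JSON.parse(raw);
    const consent = updateSettings(defaultConsent(), saved);
    consent.decided = saved.decided === true;
    return consent;
  } catch (e) { return defaultConsent(); }
}
```

Loading is then a matter of appending a script element for each entry returned by `allowedScripts`, and re-running it whenever the settings panel changes consent.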
Please get in touch if you have any further questions or would like assistance complying with GDPR.