GDPR 2018:  What do I need to know?

The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018 and will affect the way you are able to collect, store and use the data of your customers.

In a nutshell, it will become a requirement that your data collection and use of data is far more transparent than it ever used to be, giving the users an easy way to opt out or view information that you hold about them.

GDPR has a clearly defined goal: to put the user in control of their own personal data and to ensure that data is secure and kept safe.

While it’s a confusing initiative to many, the following points are the most notable differences from the old data protection/collection laws, and things to look out for.

1. Website Forms: User Sanctioned Opt-In

Forms on your website that have a subscription option, must now default to an unchecked state. This means the user will need to tick confirmation boxes manually to sign up, rather than just the typical “sneaky” method of old, where you often need to uncheck the boxes to avoid joining a mailing list.

2. Separate and Granular Opt In

Your opt in options on forms should now be separate from the main form data for clarity. This may mean having a separate section on any forms with opt in data, which also needs to be set out in a more granular and transparent fashion.

For example, there should be separate options for Email, SMS, Phone, or Mail, should they be the methods the website owner wishes to use to contact you in the future.

3. Frequency of Correspondence

Another area that needs to be made transparent is the frequency of your contact with the client. If you’re going to email them once a week, this must be clearly stated before they sign up.

4. Simple Opt Out

On most websites it’s very easy to opt in to a service, but the same can’t be said for opting out. From May, users must be able to opt out simply and quickly without the need to sign up to a service to do so.

Again, this should be clear to the user, and granular so they can select some or all of the contact methods you service.

5. First and Third Parties

If your website collects data that is then passed on to another organisation, these must also be clearly defined and granular. For example, a tick box might say:

[ ] I’d prefer not to receive emails from ABC Company
[ ] I’d prefer not to receive SMS messages from ABC Company

This applies to every type of correspondence that may occur.

6. Privacy Policy and Terms and Conditions

You will likely need to update your Terms and Conditions on your website to reflect the new GDPR regulations.

This information should include what data is collected, all third parties that you may pass the information to, and how long you AND the third parties will retain this data.

You will also need to inform the user why you are collecting data, and how you intend to use it in the future.

Your privacy policy must also include information on how you store the data (data systems such as applications, or an encrypted database), and what additional steps you take to protect their data if it’s stored on your website.

7. e-Commerce and GDPR Payments

If you maintain an e-commerce solution, you will likely be utilising a payment gateway to process your online transactions.

Your website will collect data prior to passing it to the payment provider, and this information must be transparent to the user and most importantly secure.

Furthermore, the data collected while you process the transaction should be deleted after a “reasonable period”. This “reasonable period” hasn’t been clearly defined, but most organisations suggest 30-60 days.

This deletion only applies to the transaction details, i.e. credit card data or even a PayPal email address.

If your website sends data to a third party processor, it’s now going to be necessary to have a valid SSL certificate on your site, meaning all websites will need to be changed to https://

8. Data Breaches

Should your website be compromised in any way, and an unauthorised party gain access to data stored, you have 72 hours to notify all customers affected by this action.

Affected parties also have the right to bring up individual legal claims against your company concerning the data breach.

9. Third Party Tracking Software

From time to time your website may use plugins or services that are operated by a third party. This is a huge pond full of grey areas, but to summarise, all of the third party plugins you use must be GDPR compliant.

This includes things like Google Analytics, Google Adwords, and Google Tag Manager. Fortunately, companies such as Google are leading the way with GDPR, but further information on their data protection policies can be found here

10. External or Offline Content

Quite often you will store information away from your website, perhaps in a spreadsheet or external database. These also fall under GDPR scrutiny and you must be transparent as to what information you collect and store, and detail how you protect this.

11. What if I don’t comply?

If you are found to be in breach of the new GDPR guidelines, the maximum fine you may receive can be up to 4% of your turnover, or 20 million Euros, whichever is larger.

Naturally this is a substantial fine, and could cause your business financial difficulties, so it’s important to understand the implications of the new laws.