TLDR; GDPR

Written by Gabrielle Keller

What is the GDPR?

The General Data Protection Regulation, or the GDPR, is the new European Union data privacy law. It is meant to give people more control over their personal data. It places requirements on companies, which must now regulate the way they collect, process, and store data in a way that protects their customers. It replaces the 1995 EU Data Protection Directive to improve the safety of online users’ data. Personal data can include, but is not limited to, names, phone numbers, and IP addresses. If you’ve ever been on a website that mentioned it is using cookies, that will change too.

In short, this is the regulation of the way cookies and online tracking are used. People will now have to give their consent to their personal data being stored and used.

Everything the GDPR protects:

  • Identity (name, address, ID numbers)
  • Web data (location, IP, cookie data, RFID tags, etc.)
  • Health and genetic data (medical information)
  • Bank Details
  • Biometric data
  • Political opinions
  • Sexual orientation

When does it happen?

The new law comes into effect May 25th. Most companies have already prepared for the law and changed their privacy settings.

Who does it affect?

The law will affect any organization or company that collects or actively uses data on people inside the EU. No matter where the organization is based, if someone in the EU can visit its website or make a purchase from it, then that organization will be affected. Even a company that merely supports a business that works directly with the EU will have to abide by the new rules when dealing with that business.

This includes most Fortune 500 companies, which are estimated to have spent about 7.8 billion simply to prepare for the new law. Regularly used websites that are accessed around the globe, such as Google, Facebook, and Twitter, also had to prepare. They have all changed their privacy settings in preparation for the law. Businesses will have a lot more work to do with regard to security.

They will have to constantly check that they don’t keep someone’s data for too long or without an acceptable reason. If businesses fail to comply, they can be fined up to 4% of annual global sales, or 20 million dollars, whichever is greater. Customers will also be affected by the numerous emails they will most likely receive and by having to go through the privacy settings once again on their favorite websites.

Why does it matter?

The GDPR was implemented to protect online users. In this day and age of data leaks, cyber hacks, and identity theft, it’s very important that online users know they are safe when surfing the web.

What Do You Need to Do?

According to Adprofs.gov, the most important four things you can do are:

  1. You need to obtain informed consent from an individual before collecting, storing, or using their personal data.
  2. The individual from whom you are collecting data has the right to withdraw consent and to be forgotten.
  3. The data you collect must be minimized, accurate, and portable.
  4. You have specific obligations if the data you store is ever breached.


What are the Myths? 

Many companies have been panicking about the new law due to confusion. They have been sending out emails asking their customers to give consent again, and doing so in some cases may be illegal, as it is itself a breach of privacy. The GDPR is not telling companies they need to get consent again to collect data.

If a company has already gotten consent in a way that complies with the new rules of the GDPR then it does not need to get that consent again. Consent is only one of six legal grounds to collect personal data. The other five are contract, legal obligation, vital interests, public interest, and legitimate interests. As a company, you have to decide which legal ground you want to rely on to process personal data.

Even if your company does need to rely on consent, it doesn’t mean you have to ask again if the consent you received is in line with the GDPR requirements. The only catch is that you need to make sure the consents are properly documented. In many cases websites’ consents are not documented: they just received consent (or didn’t) and put someone on an email list. Those are the sites most likely to be in trouble under the new GDPR rules. You can’t confirm that you got consent the right way if you don’t have any record of it at all.

The illegality comes in because “In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offense to email someone to ask them for consent to send them marketing by email.” If you do end up having to send out emails asking for someone’s consent, you also need to give them an easy option to withdraw their consent in that same email.

Recently, Theguardian.com published an article stating that the National Health Service was worried it would no longer be able to send alerts or warnings to its patients and had been frantically trying to get their consent. Three days later, the Guardian published another article explaining that the NHS was wrong to believe it had to do this. Richard Stallman, President of the Free Software Foundation, and Jon Baines, Data Protection Adviser, try to explain why in the article, but don’t really explain much of anything. (Source 1 | Source 2)

The real issue with the GDPR is its lack of communication and of effective explanation to companies working with or in the EU. Companies all over have been panicking over this, while it seems it is quite simply a way to ensure people are protected from now on.


Third Parties You May Be Using & How They Are Affected

Google Analytics: Google Analytics is Google’s widely used traffic analytics tool. It gives its customers insight into how their websites are doing: who visits the website, how often they visit, and how the site is being used. With this, it can also tell you which parts of your website attract a certain demographic, based on age, location, gender, and more.

The Google Analytics team has been largely compliant with the GDPR and expects to be fully compliant by May 25th. They have released Google’s EU User Consent Policy. However, it is up to website owners to change their websites to comply with the GDPR. If you use Google Analytics as your user data processing tool, you should check out these five steps to becoming more compliant with the GDPR and Google Analytics here.

Facebook

Facebook has already updated its privacy settings, but people aren’t particularly happy with how it presents its terms and conditions. It is complying with the law, but is trying to discourage you from withholding any of your personal data. Firstly, if you don’t accept, it sends you automatically to the delete-your-account page.

Facebook also makes it so that things like sexual preference, religious views, political pages, and personal info can either be on your page and used for data and ads, or be removed. You are not able to keep them on your page and still refuse to let Facebook use them. On the terms and conditions page, there’s a huge accept button and no “not accept” button. The only way to say no is to click a tiny button that says “see your options,” and from there you are only able to delete your Facebook account.

More information on how that can affect you and your Facebook business can be found here.

WooCommerce

WooCommerce is WordPress’s most popular ecommerce app, and something we’re all too familiar with here at the greatest advertising agency of all time. The WooThemes crew have been compliant and transparent since the news of the GDPR. In December, their website published a post about the GDPR and what you need to do as a WooCommerce shop owner. They state that if you “sell any products to customers based in the EU, or have EU visitors to your site, you need to make sure your site complies with GDPR.” Some shops may already comply depending on how they were set up, but some may not.

They list several websites to help: “Code in WordPress has put together their Complete WordPress GDPR Guide. Willow Consulting in Ireland has put together a fantastic post on compliance. Additional resources we put together:

  • Delete Me plugin allows users to delete their accounts.
  • GDPR For WordPress is a project setting up a GDPR validation framework for WordPress plugins.
  • Mailjet’s GDPR Journal: On The GDPR Track, Our Compliance Roadmap and FAQ.
  • WP Tavern is regularly sharing information about GDPR.”

Shopify

Shopify has also changed its privacy policy to comply with the GDPR and released a page discussing what the GDPR is, how it affects Shopify, and what Shopify has done in accordance with the GDPR’s rules. Shopify is giving customers a tool to request that all of their information be deleted, a tool to request all of the information it currently holds on that customer, a transparent process when merchants install apps, more descriptive listings of the apps a customer already has, and an informative installation process that tells a customer what personal data will be extracted.

Our agency has a number of custom Shopify apps out including Louis Sherry’s wholesale portal, E-Alternative Solutions impressive multi-store vapor shop and a custom subscription ordering app for Shopify’s backend.


WordPress.org

WordPress has become fully compliant with the GDPR rules and regulations. As of the 4.9.6 update, its core software is compliant. If you have a website using WordPress, you also need to become compliant. With this new update, there are plenty of opportunities for online users to control their data. In the comments section, there is a button letting users choose whether the website saves their name and email.

There is also a new Data Export and Erase feature so WordPress site owners can comply with any users who wish to have a copy of their data or to have their data erased entirely. There is also a brand new Privacy Policy Generator. With this, site owners become more transparent about how users’ data is being used. These are the basic things WordPress has added that will make a simple website GDPR compliant.

However, depending on your own particular website, there may be other things you have to do. Many WordPress plugins have already become more GDPR compliant, but not all of them, so you need to check your plugins carefully. Our Jacksonville advertising agency has launched thousands of WordPress sites, with support from our sister company Dark Horse Labs. We know firsthand what it’s like to manage plugins and themes, and keeping them up to date for compliance should be its own blog entry.

HubSpot

HubSpot has also changed its platform to be GDPR compliant. It has listed out everything it has done in full detail with regard to the rules set by the GDPR. Those topics are “Lawful Basis of Processing, Consent, Withdrawal of Consent, Cookies, Deletion, Access/Portability, Modification, and Security Measures.” Below is the link that includes all of HubSpot’s information on these topics.
