How to make your company GDPR compliant and avoid a hefty fine

In this article we explain the GDPR and how to adjust your company website so that it complies with this law and you avoid a fine.

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force in the European Union (EU). The purpose of the law is to better protect the personal data of individuals. Organisations that fail to do so risk a hefty fine: up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.

To whom does GDPR apply?

Every company or organisation that processes personal data of people in the EU has to comply with the GDPR, whether it is established in the EU or only offers goods or services to, or monitors the behaviour of, people there.

Practically every company or organisation handles personal data of customers or stakeholders, and most websites also store data in cookies.

This is not limited to customer data. The GDPR covers all personal data processed in the company: every name, e-mail address or IP address you process must be handled in a GDPR-compliant way.

Consider, for example, subscriptions to newsletters or blog updates.

Only data processed for purely personal or household use, such as the birthday calendar on the wall, falls outside the GDPR.

Under GDPR, when can you use what data?

The core of the GDPR is that you may only collect personal data that is necessary for a specific, stated purpose, and you may only use it for that purpose.

GDPR supervisory authorities pay particular attention to the following aspects:

  1. Consent
  2. Clarity
  3. Privacy

Consent

Has the user given explicit consent to use the data for that specific purpose?

For example, it is not allowed to pre-tick the checkbox when someone subscribes to a newsletter.

The subscriber must tick the box themselves (opt-in) to give permission to use their personal data.

It must also be clear what the consent covers and what your company will use the data for.

And the subscriber must be able to withdraw consent at any time, as easily as it was given.

Clarity

It has to be clear why and how the company processes personal data, and anybody must be able to find this information at any time.

Anyone whose data you hold must be able to request a copy of all the stored data (right of access) and to request removal of all their personal data (right to erasure).

As a company, you have to make sure that you can provide this, in general within one month of the request.

Clarity is not only about opt-in messages or requesting a copy of stored data. The privacy statement on your company's website must also use understandable language.

Privacy

The way data is collected, how it is secured and how long it is retained must all be in line with the purpose of use. This is called "privacy by design".

This also applies to your website, marketing campaigns and CRM tools.

Also, by default you may only collect and store data that is necessary for the purpose for which you collect it. This is called "privacy by default".

If your company collects data via a form on your website, serve the form and the address it submits to over HTTPS, so the data is encrypted in transit.

How to be GDPR compliant, step by step

What does the GDPR mean for your company? What steps should you take?

Below we provide a list of the basic steps your company has to follow.

After that, we will go deeper into the detail of collecting data for analysis and advertising.

Privacy declaration

Your website must have a privacy statement in plain language.

It should be easy to find on your website, especially on the pages on which you collect data.

What to include exactly is best coordinated with a specialised lawyer.

SSL certificate and updates

If you collect data via your website, use an SSL certificate (more precisely a TLS certificate) and serve the whole site over HTTPS.

You can hire a web developer to install an SSL certificate.

Don't forget to coordinate this with your search engine optimization (SEO) specialists: moving from http:// to https:// URLs without permanent redirects from the old addresses can have a big impact on your search engine rankings.

Adjust cookie notification

You may only place cookies if visitors give their explicit consent, with the exception of cookies that are strictly necessary for the site to work (for example a session cookie).

Provide a cookie notification and make clear what you use cookies for. Describe each cookie in detail in a separate cookie statement.

Include third-party cookies in the notification; a Facebook Pixel or an embedded YouTube video sets cookies too.

We recommend installing a dedicated cookie banner, so that visitors can give (or refuse) consent per purpose.

Check website and e-mails for clarity and opt-in / opt-out

On all pages where you collect data, check if the purpose of processing the data is clear.

Check whether the person providing their data does so by a deliberate action (opt-in).

Do not forget to refer to the privacy statement when requesting an opt-in.

Also check whether it is clear how to unsubscribe (opt-out), request their data or request its removal.

Registration opt-ins

Record every opt-in: who consented, when, via which form and to which text. This record is your proof that you received explicit permission.

If you have old contacts without such a recorded opt-in, e-mail them again and ask whether they still want to receive e-mail (a fresh opt-in).

Obligation to report data leaks

Report data leaks and unauthorised access to personal data to the supervisory authority within 72 hours of becoming aware of them, unless the leak is unlikely to pose a risk to the people involved; when the risk to those people is high, inform them as well.

For example when a server is hacked. Keep a register of all data leaks, including those you did not have to report, and use it to show the data protection authority what your company has done to protect the data.

Processor Agreements

You must draw up processor agreements with all parties that have access to the personal data you collect.

Think of parties such as your hosting provider, Google Analytics, Facebook, your website builder, etc. These parties are processors; your company is the controller and remains responsible for the data, also when a processor handles it.

Many of these parties offer such an agreement themselves (often as a data processing addendum to their terms). You will also find model agreements online for parties that do not.

Adjustments to cookies for analysis and marketing

In addition to name and address data, the IP address also counts as personal data under the new law, because it can be traced back to one person.

This rule affects the collection of data for analysis.

If you want to place a Google Analytics cookie without asking the user for permission, you may no longer store full IP addresses. Whether an analytics cookie may be placed without consent at all depends on the guidance of your national supervisory authority, so check that first.

Google Analytics

In Google Analytics it is possible to anonymize IP addresses (the last part of the address is zeroed before it is stored) and to stop sharing data with Google for advertising purposes.

This makes Google Analytics more privacy-friendly, but you then miss certain data that you could use for remarketing and advertisements, and you can no longer exclude your own IP address (and those of colleagues) from the analyses.

If you do not want to miss that data, you are obliged to place the cookie only after the user has explicitly given permission, either for all purposes or for specific purposes.
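To make concrete what "anonymize IP" does (and why it is a pseudonymisation step rather than full anonymisation), here is an added example that is not code from the original article or from Google. It reimplements in Node.js the truncation Google documents for this setting (IPv4: last octet set to zero; IPv6: last 80 bits set to zero) and applies it to two constructed access-log lines using documentation address ranges. With Universal Analytics and gtag.js the setting itself is `gtag('config', '<property id>', { anonymize_ip: true })`; the log format and the helper names below are assumptions for illustration.

```javascript
// Added example (not from the original article or from Google): what Google Analytics'
// IP anonymization does, reimplemented so you can see its effect on your own log data.
// Rule as documented by Google: IPv4 -> last octet zeroed; IPv6 -> last 80 bits zeroed.
// Note that 256 IPv4 hosts (or a whole /48 for IPv6) still share one record, so the
// result is pseudonymised, not anonymous in the strict sense.

function anonymizeIpv4(addr) {
  const octets = addr.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`not a valid IPv4 address: ${addr}`);
  octets[3] = '0'; // drop the host part of the address
  return octets.join('.');
}

// Expand a textual IPv6 address into its eight 16-bit groups (handles one "::").
// Embedded IPv4 forms such as ::ffff:192.0.2.1 are rejected, not silently mangled.
function expandIpv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error(`not a valid IPv6 address: ${addr}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 2 && missing < 1) || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not a valid IPv6 address: ${addr}`);
  }
  const groups = [...head, ...new Array(missing).fill('0'), ...tail];
  return groups.map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`not a valid IPv6 address: ${addr}`);
    return parseInt(g, 16);
  });
}

function anonymizeIpv6(addr) {
  const groups = expandIpv6(addr);
  // Keep the first 48 bits (three groups) and zero the remaining 80 bits.
  return groups.slice(0, 3).map(g => g.toString(16)).join(':') + '::';
}

function anonymizeIp(addr) {
  return addr.includes(':') ? anonymizeIpv6(addr) : anonymizeIpv4(addr);
}

// Constructed sample access-log lines (documentation addresses only), client IP first.
const SAMPLE_LOG = [
  '203.0.113.45 - - [25/May/2018:10:00:00 +0200] "GET /newsletter HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:00:01 +0200] "POST /subscribe HTTP/1.1" 302 0',
];

// Rewrite the leading IP of a log line; everything else is left untouched.
function anonymizeLogLine(line) {
  const [ip, ...rest] = line.split(' ');
  return [anonymizeIp(ip), ...rest].join(' ');
}

function anonymizeLog(lines = SAMPLE_LOG) {
  return lines.map(anonymizeLogLine);
}
```

Run the file in Node and call `anonymizeLog()` to see both sample lines with their addresses truncated; the same rule applied to your own web-server logs at write time keeps the analysis useful (country, network) while removing the ability to single out one household.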

Remarketing, Display and SEA

If you collect data for advertising, such as demographic data and interests, this is personal data under the GDPR.

The same applies to data for remarketing and conversion measurement.

That is why you must inform your users of the purpose for which you place cookies and have them explicitly consent to it.

Only after permission has been given for these purposes may you use the data for that specific purpose.

Once consent has been given, you may continue to process the data for the purpose for which it was given, until the person withdraws it.

You must also state in your privacy statement that you are collecting this data. In it you clearly describe which data you collect and why.

Also state the purpose and the legal basis: for example building interest profiles for advertising (purpose) on the basis of the user's consent (legal basis).

Also mention that you share data with third parties such as Google (Analytics and AdWords) or Bing.

Note that your current remarketing lists probably do not comply with the new legislation!

After all, that data was not collected according to the new rules. Therefore ask for explicit permission again and build new lists.

Need help installing a cookie banner?

We help organisations install a custom cookie notice that asks the user for permission to collect data for specific purposes.

These special cookie banners allow users to choose from different functions for which cookies are placed.

This is not the same as the old cookie banners, which assume that you agree if you simply continue to use the website; that is no longer valid consent.

The cookie banner must record opt-ins in a log, and as a user you must be able to change your choices at any time.
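The requirements for the banner described in the "Adjust cookie notification" step and just above (consent per purpose, no implied consent, a log of opt-ins, withdrawal at any time) come down to a small piece of decision logic. The following is an added example, not code from the original article or from any cookie-banner product: the core of such a banner in plain JavaScript with no DOM, so it runs in Node. It decides which tags a tag manager may fire given the visitor's recorded choices. The purpose names, the tag catalogue, the statement version and the helper names are assumptions for illustration.

```javascript
// Added example (not from the original article or any cookie-banner product):
// the decision logic behind a purpose-based cookie banner.
// Purpose names, tag ids and the statement version are assumptions for illustration.

// Purposes the visitor can choose between. 'necessary' covers cookies that are strictly
// required for the site to work (session, CSRF token) and needs no consent.
const PURPOSES = ['necessary', 'analytics', 'marketing'];

// Constructed catalogue: every tag on the site and the purpose it serves. Third-party
// tags (Facebook Pixel, YouTube embed) are listed, as the article requires.
const TAG_CATALOG = [
  { id: 'session-cookie', purpose: 'necessary' },
  { id: 'google-analytics', purpose: 'analytics' },
  { id: 'facebook-pixel', purpose: 'marketing' },
  { id: 'youtube-embed', purpose: 'marketing' },
];

// Version of the cookie statement shown to the visitor; stored with each decision so
// you can later prove what text the person agreed to.
const STATEMENT_VERSION = '2018-05-25';

// `now` is injectable so the log can be exercised with a fixed clock.
function createConsentStore(now = () => new Date().toISOString()) {
  const log = [];      // append-only: a withdrawal is a new entry, nothing is rewritten
  let current = null;  // latest decision; null means the visitor has not acted yet

  function record(action, choices, source) {
    if (action !== 'opt-in' && action !== 'withdraw') {
      throw new Error(`unknown action "${action}": only an explicit opt-in or withdrawal is recorded`);
    }
    // Every non-necessary purpose is false unless the visitor explicitly set it to true,
    // so there is no way to express a pre-ticked box here.
    const granted = {};
    for (const p of PURPOSES) {
      granted[p] = p === 'necessary' || (action === 'opt-in' && choices[p] === true);
    }
    const entry = { timestamp: now(), action, granted, statementVersion: STATEMENT_VERSION, source };
    log.push(entry);
    current = entry;
    return entry;
  }

  // Before any decision everything except necessary cookies is denied. Scrolling,
  // continuing to browse or closing the banner never touches `current`.
  function isAllowed(purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose "${purpose}"`);
    if (purpose === 'necessary') return true;
    return current !== null && current.granted[purpose] === true;
  }

  // Which tags the tag manager may fire right now.
  function tagsToFire(catalog = TAG_CATALOG) {
    return catalog.filter(t => isAllowed(t.purpose)).map(t => t.id);
  }

  // Withdrawal must be possible at any time and is logged like any other decision.
  function withdraw(source) {
    return record('withdraw', {}, source);
  }

  // Copy of the log for the visitor's settings page or for an audit.
  function getLog() {
    return log.map(e => ({ ...e, granted: { ...e.granted } }));
  }

  return { record, withdraw, isAllowed, tagsToFire, getLog };
}

// One visit end to end: nothing fires, the visitor allows analytics only, later withdraws.
function demo() {
  const store = createConsentStore(() => '2018-05-25T10:00:00Z');
  const beforeChoice = store.tagsToFire();
  store.record('opt-in', { analytics: true }, 'cookie-banner');
  const afterOptIn = store.tagsToFire();
  store.withdraw('privacy-settings-page');
  const afterWithdraw = store.tagsToFire();
  return { beforeChoice, afterOptIn, afterWithdraw, logEntries: store.getLog().length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real deployment the `source` field would name the banner or settings page, the log would be persisted server-side or in a first-party storage you can export, and the tag manager (for example Google Tag Manager) would fire a tag only when `isAllowed` returns true for that tag's purpose; the default-deny and the explicit `choices[p] === true` check are what keep "assume consent on continued browsing" out of the system by construction.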

We use a special SaaS tool for this and make various adjustments in Google Tag Manager and the website.

Do you want such a specialised cookie banner that matches your website and marketing purposes and complies with the GDPR?

Contact us today; you will find our contact details on the About us page.