GDPR is a comprehensive law by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for EU residents.
“This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
The new EU data protection law extends the scope of EU data protection to all companies, even those outside the EU, when they process the data of EU residents. The goal of the GDPR is to protect the personal data of European citizens and give them more control over how this data is used online.
Appoint a Data Protection Officer
Part of compliance, no matter the size of the company, is hiring a data protection officer to explain the regulations and apply them to the business. As each organization is unique, the road to GDPR compliance will be different as well, and guidance from leaders within the business needs to be adapted accordingly.
Conduct Data Protection Impact Assessments on new processing activities
Before collecting users' personal data, the Data Protection Officer must take into account the nature, scope, context and purposes of the processing and address the risk to the users' data.
Keep records of all processing of personal information
Once businesses have a clearer idea of their readiness to meet the regulatory requirements, they need to keep a record of the process. This should be done by keeping a Data Register, essentially a GDPR diary. Each country has a Data Protection Association (DPA), which will be responsible for enforcing GDPR. It is this organisation that will judge whether a business has been compliant when determining any potential penalties after a breach. Should a breach occur during the early stage of implementation, the business should be able to show the DPA its progress towards compliance through its Data Register.
Take responsibility for the security and processing activities of third-party vendors
These third-party vendors include us here at Madwire, and any other entity that processes this data on behalf of the client: CRMs, email marketing systems like MailChimp, etc.
The data processing agreement will be incorporated by reference for all new clients. If you have an existing client who has European customers, we can send them this agreement to sign so that they are covered for GDPR purposes. Brian Kelly uploaded a template in RightSignature that can be forwarded to any relevant customers. This is the Client's obligation, but Clients with EU citizens in the CRM should sign this agreement.
Notify data protection agencies and consumers of data breaches
In the case of a data breach within our system, we will reach out to the client to inform them of what data was compromised. It will be their responsibility to reach out to their users.
Be able to demonstrate compliance on demand
Each business / organization should be able to show the actions they’ve taken and the methods they’re using to be compliant. These pertain to specific articles of the GDPR.
Again, these are some of the main take-away points. Clients should seek legal advice for questions specific to their business practices.
Along with updates to business practices, there are new requirements specific to websites. These updates relate to the information that's collected for each user. Necessary updates are outlined below.
This is not something we should provide. Instead, encourage the client to seek legal help in determining what should be included based on their data use.
Get appropriate consent for most personal data collection and provide notifications of personal data processing activities
This is an important piece of the GDPR puzzle. Each piece of personally identifiable information must have explicit consent from the user. This includes information tracked by tools like Google Tag Manager, Facebook Pixel, as well as information submitted by users in places like form submissions. Examples of this data include:
- name / last name
- home address
- email address such as email@example.com
- identification card number
- location data (for example the location data function on a mobile phone)
- Internet Protocol (IP) address
- a cookie ID
- the advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Users must be told what cookies are being collected, what they're used for, and have the option to opt-in to each.
UXi sites will have two options here, both of which will require creative time to implement.
- Add custom scripts that only enable things like Google Analytics, Tag Manager, Facebook Pixels, etc. when a user is located outside the EU. This means no tracking or marketing for EU site visitors.
- Add custom scripts that give all users the option to toggle this type of tracking / marketing on or off at any time.
Google has put together a great list of tools to help businesses get consent for the information they collect. Visit cookiechoices.org to view them. Madwire will not be licensing any of these, though we can put creative time toward implementing them on UXi sites.
Because they require in-depth custom coding, to-do's for these tasks will be assigned to X Factor.
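As an added example (not Madwire or UXi code), here is a small browser-side consent gate that combines the two options above: visitors outside the EU get the tags as before, EU visitors only get the categories they have explicitly toggled on, and the choice is kept in a cookie. The cookie name uxi_consent, the placeholder script URLs standing in for the real tags, and the server-set data-region hint on the <html> element used as the location signal are all assumptions:

```javascript
// Added example (not UXi code). Assumes the server sets data-region="EU" or
// "non-EU" on <html>; anything else is treated as EU so tracking fails closed.
const COOKIE = 'uxi_consent';
const TRACKERS = {
  analytics: 'https://example.invalid/analytics.js', // placeholder for GA / Tag Manager
  marketing: 'https://example.invalid/pixel.js',     // placeholder for Facebook Pixel
};

// Read "uxi_consent=analytics:1,marketing:0" out of a cookie header string.
// No cookie, or a category missing from it, means no consent for that category.
function parseConsent(cookieHeader) {
  const consent = Object.fromEntries(Object.keys(TRACKERS).map((n) => [n, false]));
  const m = (cookieHeader || '').match(new RegExp('(?:^|;\\s*)' + COOKIE + '=([^;]*)'));
  if (!m) return consent;
  for (const pair of m[1].split(',')) {
    const [name, value] = pair.split(':');
    if (name in consent) consent[name] = value === '1';
  }
  return consent;
}

// Cookie value for a visitor's toggles; an opt-out is recorded explicitly as 0.
function serializeConsent(consent) {
  const body = Object.keys(TRACKERS).map((n) => `${n}:${consent[n] ? 1 : 0}`).join(',');
  return `${COOKIE}=${body}; Path=/; Max-Age=15552000; SameSite=Lax`;
}

// Categories allowed to run. Outside the EU everything runs (option 1 above); in the
// EU, or with no region hint, only explicitly consented categories run (option 2).
function allowedTrackers(consent, region) {
  if (region === 'non-EU') return Object.keys(TRACKERS);
  return Object.keys(TRACKERS).filter((n) => consent[n] === true);
}

// Inject the allowed tag <script>s once. A tag that has already loaded cannot
// be unloaded, so withdrawing consent takes effect on the next page load.
function applyConsent(doc, consent, region) {
  for (const name of allowedTrackers(consent, region)) {
    const id = `tag-${name}`;
    if (doc.getElementById(id)) continue;
    const s = doc.createElement('script');
    s.id = id; s.async = true; s.src = TRACKERS[name];
    doc.head.appendChild(s);
  }
}

if (typeof document !== 'undefined') { // browser entry point; a no-op under Node
  applyConsent(document, parseConsent(document.cookie), document.documentElement.dataset.region);
}
```

A toggle in the page would call serializeConsent with the visitor's new choices, write it to document.cookie, and reload.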
A great first step in updating these forms is to remove any unnecessary fields. It's a great step towards compliance AND it'll help conversion rates! For example, if the business only responds to users via email or phone, do not ask for the user's address. If the form asks for the address, it must also tell the user how it'll be used.
On any form, remember the following three objectives:
- Clearly explain the data being collected and what it's going to be used for.
- Ask for consent for each use.
- Do NOT make the form submission contingent on consent.
Take for example a Contact Us form with Name, E-mail, and Question or Comment fields that adds each user who makes a submission to a CRM, where they're added to an automated email campaign.
This form must clearly state that the information submitted will be used to contact the user for marketing purposes and ask for consent. The user must have the option to submit the form without agreeing to this stipulation so they can submit their question or comment without being added to the email campaign.
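As an added example (not UXi or Madwire code), here is server-side handling for the Contact Us form just described, written so that answering the question never depends on the marketing opt-in, the CRM campaign step runs only on an explicit tick, and the wording the user agreed to is recorded with the consent so it can be shown on demand. The field names, the notice text and its version id are assumptions:

```javascript
// Added example (not UXi/Madwire code): server-side handling for the Contact Us
// form described above. NOTICE_TEXT and the field names are assumed.
const NOTICE_VERSION = 'contact-marketing-v1';
const NOTICE_TEXT = 'We will also use your name and email to send you marketing emails. ' +
  'You can send your question without ticking this box.';
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Opt-in markup: unchecked by default and without `required`, so the form still
// submits when the box is left blank.
function consentFieldHtml() {
  return `<label><input type="checkbox" name="marketing_consent"> ${NOTICE_TEXT}</label>`;
}

// Validate a submission. Only what is needed to answer the question is required.
// A missing or unticked box is "no"; only the checkbox's own "on" value counts as yes.
function validateContactForm(fields) {
  const errors = [];
  const name = String(fields.name || '').trim();
  const email = String(fields.email || '').trim();
  const question = String(fields.question || '').trim();
  if (!name) errors.push('name is required');
  if (!EMAIL_RE.test(email)) errors.push('a valid email is required');
  if (!question) errors.push('question is required');
  const marketingConsent = fields.marketing_consent === 'on';
  return { ok: errors.length === 0, errors, data: { name, email, question, marketingConsent } };
}

// Actions for a valid submission. Answering the question never depends on the
// opt-in; the CRM campaign step runs only with consent, and the consent record
// keeps which wording was agreed to and when, for demonstrating compliance later.
function planActions(data, now = new Date()) {
  const actions = [{ type: 'notify_business', replyTo: data.email, question: data.question }];
  if (data.marketingConsent) {
    actions.push({
      type: 'add_to_campaign',
      email: data.email,
      consent: { purpose: 'marketing_email', noticeVersion: NOTICE_VERSION, givenAt: now.toISOString() },
    });
  }
  return actions;
}

function handleContactSubmission(fields) {
  const v = validateContactForm(fields);
  if (!v.ok) return { status: 400, errors: v.errors };
  return { status: 200, actions: planActions(v.data) };
}
```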
Compliant sites need to compile and either produce or delete all information about a customer on demand
A big part of being GDPR-compliant is related to a user's 'right to be forgotten.' Any user has the right to contact the site and request that their data be compiled and either sent to the user and/or removed from the site.
UXi websites have a streamlined process allowing users to request their data be deleted permanently from the site and / or exported and sent to the user. Find out more about UXi's tools to process these requests here.
Use SSL certificate, encrypt data, and limit access to this information
Using SSL certificates / HTTPS domains is our go-to practice for UXi sites. If a site needs updating, reach out to Danny Fockler on X Factor to have an SSL certificate applied.
For example, do not create website user accounts that can access users' information unless needed. Do not include unnecessary recipients on email notifications.