GDPR is spurring confusion and conversations around compliance, data collection, and privacy, especially among marketing and IT teams. Who needs to be compliant? How does an organization become compliant? Is this relevant to my organization?
The answer is likely yes, it’s relevant to your organization. Take a deep breath, relax, and get ready. One of the first areas to evaluate how to become compliant with these new regulations is your website.
What is GDPR?
For those who are new to the conversation, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It goes into effect on May 25, 2018 (that is less than 4 months as of this blog post), and the price for noncompliance is hefty.
The fines for noncompliance depend on the organization. The regulation states that fines can be the greater of either 4% of an organization’s annual revenue or €20 million (almost $25 million). That is a lot, so the fear of noncompliance in some cases is warranted.
Typically, though, your organization may just require a few tweaks to the way you think about customer data and tools used to collect it on the internet. The basic concepts around these changes are designed to provide consistency and transparency to how individuals provide their information and what organizations are allowed to do with it.
Do American Companies Need to be GDPR Compliant?
For those thinking this does not apply because they are not European companies or have yet to acquire European customers: it still affects you. These regulations apply not only to companies that reside in the EU, but to any organization that does business with, or simply interacts with, EU citizens. So it essentially applies to any company with anything like a global reach. With the internet, that means 99% of organizations, likely including yours.
So, as web and content marketing geeks, we’ve put together a checklist of some things you can do on your site today to help start the compliance process. This is a start and by no means an exhaustive list, and we recommend hiring a professional auditor to help guide your organization through the compliance process.
Here are the first steps to compliance on your marketing sites.
- Opted-Out By Design: everything has to be opt-in by design, and no “opt in” boxes should be checked automatically. UPDATE: A vigilant redditor has noted that opt-in by design may be acceptable, as seen from the Information Commissioner's Office.
- Affirmative Cookies: Currently the standard phrase included in cookie notices is “by using this site, you accept cookies.” Under GDPR this will no longer be compliant, as it only suggests implied consent. You will need granular control, with separate consents for tracking and analytics cookies, and a mechanism by which customers signal that consent. They need to make an affirmative action.
- Data Limitations: Limit the data you collect to what actually needs to be collected, and tie each collection to one of the lawful bases for processing:
  - Consent: the individual has given you clear consent to process their personal data for a specific purpose.
  - Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  - Legal Obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  - Vital Interests: the processing is necessary to protect someone’s life.
  - Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  - Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
- Regular Purging: This data must also be purged periodically and can’t be kept indefinitely. Zesty.io does not use plugins, but if you use a system that does and you remove any plugins to comply, make sure the data those plugins collected is purged at the same time as well.
- Due Diligence: For platforms like WordPress that use plugins (especially ones for forms, giveaways, or other sign-ups), due diligence must be performed to understand each plugin's compliance with GDPR, which may mean changing or abandoning tools that are in use today.
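The opt-in and affirmative-cookie items above describe a mechanism, so here is an added example of how a site can gate cookies behind consent. This is illustrative code written for this post, not Zesty.io's or any vendor's consent library; the category names, the in-memory cookie jar standing in for `document.cookie`, and the timestamp clock are all assumptions made so it runs offline.

```javascript
// Added example (not Zesty.io code): a consent-gated cookie layer that is
// opt-in by design, requires an affirmative action, and keeps per-category
// control. The in-memory "jar" is a constructed stand-in for document.cookie
// so this runs outside a browser; a real page would write document.cookie.
const CATEGORIES = Object.freeze(["essential", "analytics", "tracking"]);

function createConsentManager(now = () => new Date().toISOString()) {
  // Default state: only strictly necessary cookies are allowed. Nothing is
  // pre-checked on the visitor's behalf.
  const consent = { essential: true, analytics: false, tracking: false };
  const log = [];          // timestamped consent decisions, kept as a record
  const jar = new Map();   // constructed stand-in for document.cookie

  // Remove any cookie whose category the visitor has not consented to.
  function enforce() {
    for (const [name, meta] of jar) {
      if (!consent[meta.category]) jar.delete(name);
    }
  }

  // The old banner pattern ("by using this site you accept cookies"):
  // closing the banner changes nothing, because no choice was made.
  function dismissBannerWithoutChoice() {
    log.push({ at: now(), event: "banner-dismissed", choices: null });
  }

  // The visitor ticks or unticks individual categories and submits.
  // Each choice must be an explicit boolean; "essential" is not consentable.
  function recordConsent(choices) {
    for (const [category, allowed] of Object.entries(choices)) {
      if (category === "essential" || !CATEGORIES.includes(category)) {
        throw new Error(`not a consentable category: ${category}`);
      }
      if (typeof allowed !== "boolean") {
        throw new Error(`choice for ${category} must be an explicit boolean`);
      }
      consent[category] = allowed;
    }
    log.push({ at: now(), event: "consent", choices: { ...choices } });
    enforce();   // withdrawing consent also removes cookies already set
  }

  // Site scripts call this instead of writing document.cookie directly.
  function setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown category: ${category}`);
    }
    if (!consent[category]) return false;   // blocked until the visitor opts in
    jar.set(name, { value, category });
    return true;
  }

  return {
    dismissBannerWithoutChoice,
    recordConsent,
    setCookie,
    cookieNames: () => [...jar.keys()],
    consentState: () => ({ ...consent }),
    consentLog: () => log.map((entry) => ({ ...entry })),
  };
}

// Usage: the analytics cookie is refused until an explicit opt-in is recorded.
const cm = createConsentManager();
cm.setCookie("session_id", "abc123", "essential");   // allowed: strictly necessary
cm.setCookie("_analytics", "42", "analytics");        // refused: no consent yet
cm.recordConsent({ analytics: true, tracking: false });
cm.setCookie("_analytics", "42", "analytics");        // now allowed
console.log(cm.cookieNames(), cm.consentLog());
```

The design point is that the only path to a non-essential cookie is a recorded, per-category choice; dismissing the banner leaves the defaults in place, and flipping a category back to `false` purges what was already set, which is the behaviour an auditor will look for when checking withdrawal of consent.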
SECURITY IN YOUR CMS
- Data Protection by Design: Design systems from the start to prevent data breaches. Some platforms, like we saw with the WordPress issue this week, may not be ideally suited for this. Privacy by design includes things like:
  - Two-Factor Authentication
  - Data Encryption
  - Role-Based Access
  - Intrusion Detection: alerts and protocols must be in place for any potential breach.
  - Audit Trail: logs detailing who accessed your system, at what time, and made what changes.
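To show what the role-based access and audit trail items look like together in code, here is an added example of a small CMS access layer. It is written for this post and is not Zesty.io's or any CMS's implementation; the role names, permission strings, sample content and the injectable clock are assumptions chosen so it runs stand-alone.

```javascript
// Added example (not Zesty.io code): every CMS action passes a role check,
// and every attempt, allowed or denied, is appended to an audit trail that
// records who, when, what, and the change made. Roles/permissions are
// constructed for illustration.
const PERMISSIONS = Object.freeze({
  viewer: ["content:read"],
  editor: ["content:read", "content:write"],
  admin:  ["content:read", "content:write", "users:read", "data:export"],
});

function createAuditedCms(now = () => new Date().toISOString()) {
  const content = new Map([["about", "Hello"]]);   // constructed sample content
  const trail = [];   // append-only: no update or delete is exposed

  function record(user, action, target, outcome, change = null) {
    trail.push({ at: now(), user: user.name, role: user.role, action, target, outcome, change });
  }

  // Role-based access: deny unless the role explicitly carries the permission.
  function allowed(user, permission) {
    return (PERMISSIONS[user.role] || []).includes(permission);
  }

  function readContent(user, key) {
    if (!allowed(user, "content:read")) {
      record(user, "content:read", key, "denied");
      return null;
    }
    record(user, "content:read", key, "ok");
    return content.get(key) ?? null;
  }

  // Writes log the before/after values, so the trail answers "what changed".
  function writeContent(user, key, value) {
    if (!allowed(user, "content:write")) {
      record(user, "content:write", key, "denied");
      return false;
    }
    const before = content.get(key) ?? null;
    content.set(key, value);
    record(user, "content:write", key, "ok", { before, after: value });
    return true;
  }

  // Exporting personal data is the most sensitive action, so it is admin-only.
  function exportPersonalData(user, subject) {
    if (!allowed(user, "data:export")) {
      record(user, "data:export", subject, "denied");
      return false;
    }
    record(user, "data:export", subject, "ok");
    return true;
  }

  // Read-only, filterable view of the trail. Filtering on outcome "denied"
  // is the kind of query an intrusion-detection alert would be built on.
  function auditTrail(filter = {}) {
    return trail
      .filter((entry) => Object.entries(filter).every(([k, v]) => entry[k] === v))
      .map((entry) => ({ ...entry }));
  }

  return { readContent, writeContent, exportPersonalData, auditTrail };
}

// Usage: an editor updates a page, a viewer is refused, and both land in the trail.
const demo = createAuditedCms();
const editor = { name: "editor@example.com", role: "editor" };
const viewer = { name: "viewer@example.com", role: "viewer" };
demo.writeContent(editor, "about", "Updated copy");
demo.writeContent(viewer, "about", "Should not land");
console.log(demo.auditTrail({ outcome: "denied" }));
```

Two choices matter here: denied attempts are logged as carefully as successful ones, because repeated denials are the earliest signal of an account being misused, and the trail is only reachable through a copying accessor, so nothing in the application can quietly edit history.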
While your choice in CMS/WCMS can make it easier to quickly make changes and generally comply with these regulations (especially around security and data collection), ultimately the adherence to GDPR falls on your organization and the practices it implements to support the new policies.
Following this checklist is a great head start to becoming GDPR compliant, though we recommend hiring an expert to help streamline your organization and ensure compliance, as it goes much deeper than simply your website and CMS.