Unless you’ve been living under a rock for the past few years, you will have heard about GDPR and how these changes to the law could affect your business. You may be wondering how your business in particular can stay on the right side of the law, especially if you run mailing lists and collect personal information from your customers and website users.
To understand the risks associated with GDPR, it’s important to know a bit more about what the law is. Essentially, it was brought in to protect individuals from having their data misused, and so it places a high emphasis on consent and proper data management.
The GDPR is designed to be a more robust successor to the Data Protection Act, granting more protection to consumers. The aim is to ensure that businesses collect and store users’ information in an effective and compliant way, and to prevent other companies from getting their hands on individuals’ data without their express consent.
The main differences between the original Data Protection Act and GDPR are as follows:
- The definition of ‘personal data’ has been expanded to include information which was previously unprotected.
- Companies must obtain specific and explicit consent in order to collect and store personal data such as email addresses, and individuals can withdraw that consent at any time.
- Further to the above point, users also have a right to be ‘forgotten’: they can ask for their personal data to be erased, and data must not be kept for longer than it is needed, even where consent was originally given.
- Users must actively opt in to mailing lists and other data processing; pre-ticked boxes and other ‘soft’ opt-ins do not count as consent.
- Some businesses are required to appoint data protection officers who will be responsible for making sure data collection within the company is compliant.
- The legislation extends to companies outside the EU which process the personal data of individuals in the EU.
- Companies now have a duty to report data breaches that put individuals at risk to the Information Commissioner within a fixed time frame (72 hours of becoming aware of the breach).
- More extensive penalties have been introduced for those found to be non-compliant, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
These points represent big changes in the way businesses handle their customers’ and site users’ data. To assess your site for GDPR compliance you can use the following list as a starting point:
- A privacy notice must be published on your site which details what data is collected, how, why, and for how long it is kept.
- When collecting new user information, make sure your process takes users’ new, extended rights into consideration (access, rectification, erasure, and withdrawal of consent).
- Express consent must be given for any data collected, and if this data comes from children then age verification and express parental consent must be sought.
It’s a good idea to carry out an audit of all the data you currently store to make sure it is compliant. Previous ‘soft’ opt-ins may no longer be valid under the new rules, so records collected that way cannot simply be carried over. You should also bear in mind that data which has been on file for a while, with no ongoing need for it, may be infringing users’ right to be ‘forgotten’.
This is especially important if your business uses email marketing to engage with customers and users, so make sure all of your databases are compliant and in line with the new law. If you are new to email marketing, it’s good practice to make sure your venture is compliant before you start collecting information.
We’d always recommend getting assistance from a professional who specialises in GDPR and data protection if you’re unsure of anything.
When it comes to building a newsletter opt-in form and making sure your privacy notice is in place and working correctly, it’s highly recommended that you consult a specialist. Luckily, this is something we carry out regularly and are more than happy to help with.