By now, most people have heard of GDPR, but many are still confused about who it applies to and its implications for businesses. For those of you who haven’t heard of GDPR, it stands for General Data Protection Regulation. GDPR is a set of rules passed by the EU to give users more control over personal data online and protect against the misuse and mishandling of data. However, even if you aren’t from the EU, keep reading — GDPR may still apply to you. AND it is now looked up to as the gold standard for data privacy laws, so some of the regulations in GDPR will likely be popping up elsewhere. In fact, the California Consumer Privacy Act (CCPA) is a fantastic example of how this has already happened.
Who Does GDPR Apply To?
In addition to all EU companies, GDPR applies to any company worldwide that interacts with companies or individuals in the EU. This means if you market to EU businesses or individuals, GDPR applies to you. If you sell products in the EU, GDPR applies to you. If you have a form on your website that collects data about individuals or companies in the EU, GDPR applies to you. GDPR is more encompassing than many people realize. If, based on the above criteria, you believe you’re subject to GDPR, then start making compliance a priority. Large companies such as Equifax, Facebook, and many others have already been fined hefty amounts for their misuse or mishandling of personal data.
What Type of Data Does GDPR Apply To?
GDPR applies to all personal data. This includes information that can be tied back to you directly, such as a social security number, full name, home address, etc. It also includes information that can only be tied back to you when it is paired with other information about you, such as an IP address, an employer, a job title, race, gender, etc. Note: the examples above are only meant to be a guide for what could be considered personal data; they do not serve as a complete list.
What Needs to Be Done to Ensure GDPR Compliance?
There is much more to GDPR compliance than what we can cover in this short post, but here are some of the most common concerns we deal with in our office day to day:
- Look Internally and Document the Flow of Your Data
Organizations have data flowing in from all angles. Mapping out exactly how data was collected, what data was collected, why the data is needed, how it’s stored, and how it will be disposed of — this is all crucial in determining if you are GDPR compliant. Through this process, you will find data that you are not using that can be properly disposed of. You will find data you didn’t even know you were collecting. Plus, doing these things will make it easier to identify potential processes that put you at risk of violating GDPR. Implementing an action plan to help resolve these vulnerabilities and documenting them will help you maintain GDPR compliance.
- Update Your Privacy Policy and Terms and Conditions
One of the most important things you can do is to update the privacy policy and terms and conditions that are listed on your site. These should describe exactly how data is being collected, used, and stored. They should also mention the steps that you are taking to be compliant with GDPR.
- Add a Cookie Consent Banner
The #1 concern clients raise about GDPR is in regard to adding a cookie consent banner. If your site uses cookies, you are required to let users know what information is being collected and how it will be used.
What About Google Analytics?
If you are tracking user behavior on your site with the most basic Google Analytics setup, then you do not need a cookie consent banner. However, if you enable features like demographic reports, use the remarketing features, add custom dimensions for user IDs, or utilize other more advanced functionalities within GA (which we definitely recommend you do), then you will need to add a cookie consent banner to your site if you operate in the EU or directly market to EU residents. If your company is not located within the EU and you don’t directly target EU residents, we recommend that you consult your legal team for guidance around implementing a cookie consent banner, as the regulations are still unclear for most American companies. The cookie consent banner that is added to the site needs to provide users with an easy way to opt out of any tracking.
- Storing Personal Data in Google Analytics
No personally identifiable information should ever be stored in Google Analytics. Not only will it put you at risk from a GDPR perspective, but it is also against Google Analytics’ privacy policy. Personal data often gets pulled into Google Analytics through URLs or page titles. On some sites, data that is captured in a form will be appended as URL parameters on the thank you page after the form is submitted. This results in URLs that look like the following:
www.example.com/thanks/?first=Bob&last=Smith&email=bsmith@gmail.com
These parameters need to be removed from the URL completely, not just filtered out in GA.
- Email Subscriptions
It is not uncommon for websites to have a pre-checked box on their forms next to a statement that reads something along the lines of “I wish to receive future promotions from [company name].” This puts companies at risk for GDPR violations. These boxes need to remain unchecked. Additionally, once a user has signed up to receive emails, they need to be presented with an option to unsubscribe from the email list at any time. The process to unsubscribe needs to be quick and easy for the user to initiate.
To Sum Everything Up…
GDPR has now been in effect for almost two years, and it is not going to fade away anytime soon. In fact, just the opposite is true. It is becoming the standard for other legislation around the world. Big-name companies have already been fined high dollar amounts due to non-compliance. GDPR is an issue companies need to address head-on to avoid the intense repercussions that come along with it. If you are concerned about how you are collecting, processing, storing, or using data, we highly recommend seeking professional guidance.
This blog is meant to provide a starting point for your journey to become GDPR compliant. It is not a complete guide to ensure GDPR compliance.
If you’re unsure about your level of GDPR compliance, reach out to us to discuss an audit.