What you need to know about GDPR for your website
While the General Data Protection Regulation (GDPR) was adopted in 2016, it only applies from 25 May 2018. It brings greater responsibilities for ecommerce businesses, irrespective of size, that hold data about people in the EU.
Personal data is any information relating to an identified or identifiable “natural person”. It can include a name, a photo, a physical or email address, shoe size, billing history and online identifiers such as IP addresses, cookie strings or mobile device IDs. The GDPR therefore affects any online retail store that collects data through its website, apps, emails or any other channel that results in that data being retained in an internal database.
The GDPR will have a large impact on website design, which in turn has a knock-on effect on how your website ties in with your other digital activity such as email marketing, social media and ecommerce.
The strand that ties all of these rules together is that, under the GDPR, the requirement for consent to be freely given, specific and informed is strengthened by new rules.
Opt-In is in, Opt-out is out
To meet the GDPR regulations, consent must be ‘freely given, specific, informed and unambiguous’ and therefore should be:
- separate from the terms and conditions, with separate consent for each marketing activity;
- identifiably opt-in, so consent boxes cannot be pre-ticked and silence or inactivity does not count as consent;
- named, in that any third parties who will rely on the consent must be specifically identified.
The GDPR also requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand; it repeatedly refers to “clear and plain language.”
Businesses must adopt measures that give the personal data they hold protection appropriate to the risk. The GDPR names pseudonymisation and encryption of personal data as examples of such measures, so customer data should not simply sit in the database as plain text. Businesses are also required to ensure the ongoing confidentiality, integrity, availability and resilience of their systems and services, to be able to restore access to personal data promptly after a physical or technical incident, and to test and evaluate the effectiveness of their security measures on a regular basis.
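The paragraph above says encryption is one of the measures the GDPR names, but not what "not stored as plain text" looks like in practice. The following is an added example, written for this page and not code from the original article: a Go program that encrypts the identifying fields of a customer record with AES-256-GCM before the row is stored, while leaving the record ID in the clear so the row can still be looked up. Everything in it is an assumption for illustration: the `Customer` layout, the field names, the sample record, and the demo key generated in `main` (in a real deployment the key would come from a KMS or HSM and never be stored beside the data). The record ID is bound into each ciphertext as associated data, so a ciphertext copied into another customer's row fails to decrypt rather than silently revealing the wrong person's data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Customer is a constructed example record for an online shop (assumed layout).
type Customer struct {
	ID    string
	Email string
	Name  string
}

// EncryptedCustomer is what lands in the database: ID in the clear,
// each identifying field as base64(nonce || ciphertext || tag).
type EncryptedCustomer struct {
	ID    string
	Email string
	Name  string
}

// newAEAD builds an AES-GCM instance; key must be 16, 24 or 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field with a fresh random nonce. The record ID is
// passed as associated data so the ciphertext is tied to this row.
func sealField(key []byte, recordID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; it fails if the key, the record ID or the
// ciphertext/tag do not match.
func openField(key []byte, recordID, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptCustomer seals every identifying field of c under key.
func EncryptCustomer(key []byte, c Customer) (EncryptedCustomer, error) {
	email, err := sealField(key, c.ID, c.Email)
	if err != nil {
		return EncryptedCustomer{}, err
	}
	name, err := sealField(key, c.ID, c.Name)
	if err != nil {
		return EncryptedCustomer{}, err
	}
	return EncryptedCustomer{ID: c.ID, Email: email, Name: name}, nil
}

// DecryptCustomer opens every sealed field of e under key.
func DecryptCustomer(key []byte, e EncryptedCustomer) (Customer, error) {
	email, err := openField(key, e.ID, e.Email)
	if err != nil {
		return Customer{}, err
	}
	name, err := openField(key, e.ID, e.Name)
	if err != nil {
		return Customer{}, err
	}
	return Customer{ID: e.ID, Email: email, Name: name}, nil
}

func main() {
	// Demo key only (assumption): a real key comes from a KMS/HSM, not the DB host.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c := Customer{ID: "cust-1", Email: "ada@example.com", Name: "Ada Lovelace"}
	enc, err := EncryptCustomer(key, c)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", enc)
	dec, err := DecryptCustomer(key, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %+v\n", dec)
}
```

Two points worth noting for a shop database: encrypting fields this way means the email column can no longer be searched or indexed directly, so lookups by email need a separate keyed hash (such as HMAC of the normalised address) stored alongside the ciphertext; and the breach notification discussion later on this page depends on exactly this kind of measure, because data that was unintelligible to the attacker changes what has to be reported.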
Notification of data breaches
Businesses have to notify the data protection authority of a personal data breach, meaning a security incident that affects the confidentiality, integrity or availability of the personal data they hold, unless the breach is unlikely to result in a risk to the people concerned. The notification must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, for example economic or social disadvantage, the affected data subjects must also be told, unless the business had already applied measures such as encryption that render the data unintelligible to anyone not authorised to access it.
Companies doing business with ‘data subjects’ in the EU need to comply with the GDPR. ‘Data subjects’, in this instance, covers anyone in the EU, not only citizens but also temporary residents and even people on holiday there. Furthermore, the “territorial scope” of European data protection law has been extended to include companies outside the EU. This does not mean that every web-based business accessible from the EU is within the scope of the GDPR. Businesses that actively target people in the EU, for example through regional domain names, EU currencies, languages other than that of the country of origin, or localised content, are subject to the regulation.
What are the penalties?
The GDPR is intended to be taken seriously, so it gives data protection authorities greater powers to tackle non-compliance, including revenue-based fines of up to 4% of annual worldwide turnover or up to €20m (whichever is greater) for the most serious infringements.
The GDPR also makes it considerably easier for individuals to bring private claims against data controllers and processors when their data protection rights have been infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to claim compensation.
Please note that this post and the guide are for informational purposes only, and should not be considered legal advice.
Extra resources and references