DISCLAIMER: I am not a lawyer. Nothing in this article shall be construed as legal advice. Make your own decisions, and engage an attorney to review your plan.
May 25, 2018 is rapidly approaching, and that means that the EU’s General Data Protection Regulation (GDPR) is about to go into effect. If your company has offices, employees, or users in Europe—which is pretty much everyone—you must comply with this new European law. If you don’t, you are subject to fines of “up to four percent of worldwide turnover or €20 million, whichever is higher.”
In speaking with business owners, I’ve found most people fall into one of three categories:
A. We spent a ton of time and/or money and are going to be ready.
B. We know we have to do something but still haven’t quite figured it out yet.
C. What is GDPR?
Which category do you fall into? If you answered B or C, then this post is for you.
In my own research on GDPR, I grew frustrated because I couldn’t get a straight answer from any one source. I’ve seen several presentations from lawyers, read blogs from digital “gurus,” and reviewed part of the regulation itself. But thus far, there is no one-stop-shop manual for all things GDPR-related.
The purpose of this article is to give you some specific guidance to get you compliant according to my reading on this topic. Again, this is not legal advice—it’s just my opinion on what you need to do to comply based on the information I’ve reviewed. You must make your own decisions and involve an attorney if you are unsure.
Remember: While the regulation is messy and confusing, the important thing is to make an effort toward compliance.
What Is GDPR?
GDPR aims to provide users with greater privacy and protection from data breaches. The key components of the law allow users more control over and better visibility into how their data is being processed and used. The changes that will come into effect under the law are broadly summarized below.
l. Websites must now ask for clear consent when gathering data. It is no longer acceptable to tuck a blanket waiver of consent away in a lengthy Terms of Service document; consent forms must be clear, easy to read, and separate from all other communications.
2. All users will now be able to request access to the information that is being collected about them. They will be able to see what information is being collected and how it’s being used.
3. Users will also be able to request that information about them be erased, if they wish. They can erase data that has already been collected and revoke the right to collect more data in the future.
4. If you experience a breach, and a user’s information is leaked to outside sources, you are required to inform users of the breach within 72 hours.
5. Each company must appoint an internal Data Protection Officer, who works within the company to keep senior management abreast of any issues and ensures compliance with GDPR.
Steps You Can Take to Move Toward Compliance
If this is the first you’re hearing of GDPR, the law may sound overwhelming. But you should prepare your company now by taking these concrete steps before the law goes into effect on May 25.
Audit Your Data Collection Methods
Your first step should be to look at how you’re currently collecting data about your users. You’re likely using tools or services like Google Analytics or Google Doubleclick for Publishers and are tracking pixels for Facebook or AdWord campaigns.
Outside of tracking and advertising, you probably have an email marketing platform (like MailChimp), an e-commerce engine (like Shopify), and a payment processor (like PayPal). Don’t forget about sites like Dropbox, which may not be collecting data but may be a place where you’ve stored spreadsheets with user information.
Clarify What You’re Doing With the Data
Once you’ve made the list of data collection mechanisms, go through and write out in plain English the exact information you’re collecting through each tool and what you’re doing with this data. This might include objectives like:
- Collecting standard internet log information and details of visitor behavior patterns.
- Telling users about information they’ve asked us to tell them about.
- Contacting users if we need to obtain or provide additional information.
- Sending users goods.
- Occasionally checking in and ensuring user satisfaction.
- Selling or trading customer data. NB: If you fall into this category, you must be very clear about what exactly you’re doing with this information and where exactly it’s ending up.
Additionally, since you’re entrusting your customer’s data to any outside platforms you use, you’ll want to link to their individual privacy policies.
Draft Your Privacy Statement
Congratulations! You now have all of the information that you need to draft your new Privacy Statement. Start things off with an introductory paragraph in which you highlight your company’s commitment to privacy. Then share the list of how you’re collecting and using customer’s data.
Be sure also to share how long you’ll keep the information. Finally, include contact information so that users can reach your organization to view, amend, or delete their personal information. Shared this privacy policy on your website and send it to subscribers on your mailing list.
If you’re more comfortable handing this task over to the pros and would like a legalese version, you can generate a privacy statement here for a small fee.
Don’t Forget About Cookie Consent
You must now inform all visitors from the EU when you’re collecting information about them. This means that you need to add a “cookie consent” pop-up or bar for visitors to your site. This is something you can ask your web developer to create, or if you use a platform like WordPress, there may already be a plugin (you can find one for WordPress here).
Develop a Process to Address Requests
Now that you’ve shared data collection information with customers, you’ll need to create a means for dealing with requests from users who want to view, update, or delete their information. Include your Data Protection Officer in the process, and make sure that the steps for addressing requests are clear, actionable, and written down somewhere.
These processes don’t need to be complicated—it might be as simple as giving your user a print-out of their MailChimp or Shopify account pages or deleting their accounts upon request. Whatever the plan, prepare it in advance so that you can act quickly when you get this letter.
All user requests require responses within 30 days, even if you haven’t collected any data on that particular user. If you do have user information, you need to provide it in a format that is easily readable.
Other Items of Note
The law is lengthy and cumbersome, but there are a few more things you should note about the requirements:
- You cannot collect any more data from EU users until they give consent, starting on May 25.
- Those under the age of 16 cannot give consent to data collection. You must block them from using your site until a parent/guardian signs off.
- Certain types of data are never okay to collect, unless required by another law. This includes information about race, politics, religion, criminal history, or health.
For a comprehensive overview of all the ins-and-outs, check out this blog.
I hope you found this article a practical way to get compliant with GDPR. There are a lot of complicating factors, and (for the third time) I don’t pretend to be a lawyer—please make your own decisions. But now, at least, you have some practical steps to get started. Happy GDPR Day!
About the Author
Rob Ristagno, Founder and CEO of Sterling Woods, previously served as a senior executive at several digital media and e-commerce businesses, including as COO of America’s Test Kitchen. He started his career as a consultant at McKinsey. Ristagno holds degrees from the Harvard Business School and Dartmouth College and has taught at both Harvard and Boston College.
Rob is the author of A Member is Worth a Thousand Visitors: A Proven Method for Making More Money Online. He regularly speaks at key media conferences, including at Niche Media events, Specialized Information Publishers Association meetings, and the Business Information and Media Summit.
