European General Data Protection Regulation (GDPR) will come into force on May 25, 2018 GDPR is EU-wide data protection legislation. The UK will follow GDPR despite being in the process of leaving the EU. This is something that every business needs to implement right now as the penalties are severe. When it comes to websites, here is what you need to know.
The aim is to prevent companies from mis-using data. i.e. using data for purposes other than it was collected for. An example: when you buy something from a company they cannot email you offers every week after that. It should cut down on icky Spam and unwanted emails.
And it’s really all about consent. If you are going to keep and use someone's personal information, you need their consent first and tell them how you are going to use it.
What will change?
Any personal data collected must be done so with consent for a specific purpose and used only for that purpose.
You must clearly state in any data collection form why you need the data and offer opt-in (tick box with text that says ‘yes I can store X information for X purpose’) for any method of contact.
This means if you have a contact form on your website, and you store the email/phone number, etc. information in any way for future use, you need a consent for each bit saying how you will use it and an opt in tick box for permission. There must be separate opt ins for contact to call, text, emails. That means no auto-selected checkboxes hidden away that could be easily missed and no bulk contact me/don’t contact me options.
Sidenote: Some companies have been clever about their ‘opt in’ messaging in the past. You will see multiple tick boxes in a row with lots of small print that if you don’t read, it may say something like ‘if you do not wish to get receive emails from us tick this box’, thus opting you in without you ticking a thing. With GDPR you will NOT be able to get away with this anymore, it must be ‘tick to receive’ and very straight forward.
You also need to operate transparently and with the ability to remove consent. Anyone can request to see which personal data of theirs is being held and request for that data to be deleted.
Penalties for non compliance.
Penalties are steep. If you fail to comply you can be fined 20m euros or 4% of your global turnover, whichever is higher (note: turnover not profit!) - and this is per violation.
GDPR is not something to ignore and think that it won’t impact you. As far as your website is concerned the changes are relatively straightforward and simple. It’s better to be safe than (cough) 20 million euros (cough) sorry. If you need your web design in Oxford being compliant with GDPR, then get in contact, we can help.