The General Data Protection Regulation (GDPR) is a new law passed by the European Union in April 2016 that affects all businesses, large and small. The GDPR comes into effect on May 25th, 2018. In summary, the new legislation states that all companies that collect data on citizens of the European Union will need to comply with new rules that set strict standards for the collection of consumer data.
Ocreative has been doing extensive research on GDPR and what impact it will have on our clients. We have found there is no “one size fits all” solution to GDPR and that the GDPR leaves a lot of things to interpretation – the language is quite broad as it is currently written. It states, “companies must provide a reasonable level of protection for personal data” but does not directly define what it considers “reasonable.” However, it does make a few things very clear and we are expanding on these key points in this article.
Personal Data is in Control of the User
The first thing you must understand about GDPR is what the law considers “personally identifiable information.” Any information a company collects about a user that can identify that person is deemed to be “personally identifiable information.” Evaluate your own business: what information you hold and where that data is housed. There are a couple of obvious examples, such as user name, email, and address. However, this could also include other data such as IP address, phone number, company, or anything that could ultimately lead to the user’s identification through the information you collect. Ultimately, because GDPR does not specify the exact information you can and cannot collect, you may want to consider treating all collected information as “personally identifiable information.”
User Consent
The second thing the GDPR makes clear is the use of consent. A user must give permission before you can lawfully store or collect information on that user.
The first step in getting consent is the creation of a privacy policy. A GDPR compatible privacy policy must spell out exactly why you are collecting data, what data is collected, who that data is shared with, and where that information is stored. This information must be as specific as possible to meet GDPR requirements.
The second step in gaining consent is asking the user to accept the terms of your privacy policy before submitting any form or sending information to your company. All web forms (such as a simple contact form or newsletter signup) that could be filled out by a citizen of the European Union must have an agreement box where the user can accept or deny the collection of information. The agreement box must have a clear link to your privacy policy and must be a required field: the user has to check it before the form can be submitted. Keeping the checkbox as a positive opt-in (do not rely on pre-checked boxes or default options) is a way of asking for a very clear, specific statement of consent to your privacy policy.
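The following is an added example, not code from the original article or from Ocreative, showing how a contact form's positive opt-in can be enforced on the server side: the consent box renders unchecked, a submission without it is rejected, and an accepted submission records which policy version the visitor agreed to and when. The field names, the policy URL and the policy version are constructed assumptions.

```javascript
// Added example, not code from the original article or from Ocreative.
// Field names, policy URL and policy version are constructed assumptions.
const PRIVACY_POLICY = { url: "https://example.com/privacy", version: "2018-05-25" };

// How the consent checkbox is rendered. There is no `checked` attribute, so
// the visitor must actively tick the box; the hidden field tells the server
// which policy text was on screen when they did.
function renderConsentField(policy = PRIVACY_POLICY) {
  return `<input type="checkbox" name="privacyConsent" required>` +
    ` I agree to the <a href="${policy.url}">privacy policy</a>` +
    ` <input type="hidden" name="policyVersion" value="${policy.version}">`;
}

// A browser posts "on" for a checked box and omits the field for an unchecked
// one. Only an explicit "on"/true counts; anything else is not consent.
function checkboxChecked(value) {
  return value === "on" || value === true;
}

// Validate the posted body. Returns { ok: true } or { ok: false, reason }.
function validateConsent(body, policy = PRIVACY_POLICY) {
  if (!checkboxChecked(body.privacyConsent)) {
    return { ok: false, reason: "privacy policy consent is required" };
  }
  if (body.policyVersion !== policy.version) {
    // The visitor agreed to a different policy text; ask again rather than assume.
    return { ok: false, reason: "consent refers to a different policy version" };
  }
  return { ok: true };
}

// The consent record stored alongside the submission, so the business can
// later show what the visitor agreed to, when, and for which purpose.
function buildConsentRecord(body, now, policy = PRIVACY_POLICY) {
  return {
    email: body.email,
    purpose: "contact form",
    policyUrl: policy.url,
    policyVersion: body.policyVersion,
    consentedAt: now.toISOString(),
  };
}

function handleSubmission(body, now = new Date(), policy = PRIVACY_POLICY) {
  const check = validateConsent(body, policy);
  if (!check.ok) return { accepted: false, reason: check.reason };
  return { accepted: true, consent: buildConsentRecord(body, now, policy) };
}

// Constructed sample submissions (not real visitors).
const samples = [
  // box left unticked: the field is absent from the posted body
  { email: "a@example.org", message: "hi", policyVersion: "2018-05-25" },
  // ticked, but against an older policy version
  { email: "b@example.org", message: "hi", privacyConsent: "on", policyVersion: "2017-01-01" },
  // ticked against the current policy
  { email: "c@example.org", message: "hi", privacyConsent: "on", policyVersion: "2018-05-25" },
];

for (const s of samples) {
  console.log(JSON.stringify(handleSubmission(s, new Date("2018-05-25T00:00:00Z"))));
}
```

The consent record is kept separately from the message itself because the question that comes up later is rarely "what did the visitor write" but "what did they agree to, and to which version of the policy".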
Deletion of Data Upon Request
Lastly, the GDPR makes it clear that a citizen of the European Union must be able to request a report of the data you are storing on them, and must have the ability to request deletion of that data. This means all “personally identifiable information” must be stored in a way that lets it be quickly retrieved or deleted for the user. Including an email address in your privacy policy is one way to provide the user with a channel for requesting deletion of their stored personal data. In case of a data breach, the legislation indicates that you must inform all EU citizens affected by the breach and provide those users with a list of the information that was released.
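As an added illustration of storing collected information so that a report or a deletion can be served quickly, here is a small in-memory model (not code from the original article or from Ocreative). Every table that holds personal data is registered with the column that identifies the subject, so export and erasure cover all of them, and a helper lists which fields each affected subject had stored, which is the information a breach notice needs to state. The table names, field names, request ids and sample rows are constructed.

```javascript
// Added example, not code from the original article or from Ocreative.
// Table names, field names, request ids and sample rows are constructed.

// Registry of every table holding personal data and the column that
// identifies the subject. A table not listed here is not searched, so
// keeping this list complete is the core of the design.
const PII_TABLES = {
  contacts:   { subjectKey: "email" },
  newsletter: { subjectKey: "email" },
  weblogs:    { subjectKey: "email" },
};

class PersonalDataStore {
  constructor() {
    this.tables = Object.fromEntries(Object.keys(PII_TABLES).map((t) => [t, []]));
    // Record that an erasure happened, without retaining the erased data:
    // only the request id, row count and time are kept.
    this.erasureLog = [];
  }

  insert(table, row) {
    if (!(table in PII_TABLES)) throw new Error(`unregistered PII table: ${table}`);
    this.tables[table].push({ ...row });
  }

  // Access report: every row in every registered table about this subject.
  exportSubject(subject) {
    const report = {};
    for (const [table, { subjectKey }] of Object.entries(PII_TABLES)) {
      const rows = this.tables[table].filter((r) => r[subjectKey] === subject);
      if (rows.length) report[table] = rows;
    }
    return report;
  }

  // Deletion request: drop the subject's rows everywhere and log the action.
  // Returns the number of rows removed.
  eraseSubject(subject, requestId, now = new Date()) {
    let removed = 0;
    for (const [table, { subjectKey }] of Object.entries(PII_TABLES)) {
      const before = this.tables[table].length;
      this.tables[table] = this.tables[table].filter((r) => r[subjectKey] !== subject);
      removed += before - this.tables[table].length;
    }
    this.erasureLog.push({ requestId, removed, at: now.toISOString() });
    return removed;
  }

  // Breach notification support: for each affected subject, the sorted set
  // of field names held about them, so the notice can list what was exposed.
  affectedFields(subjects) {
    const out = {};
    for (const subject of subjects) {
      const fields = new Set();
      for (const rows of Object.values(this.exportSubject(subject))) {
        for (const row of rows) Object.keys(row).forEach((k) => fields.add(k));
      }
      out[subject] = [...fields].sort();
    }
    return out;
  }
}

// Constructed sample data (not real people).
function sampleStore() {
  const store = new PersonalDataStore();
  store.insert("contacts",   { email: "a@example.org", name: "A", phone: "555-0100" });
  store.insert("newsletter", { email: "a@example.org", subscribedAt: "2018-01-02" });
  store.insert("weblogs",    { email: "a@example.org", ip: "203.0.113.7" });
  store.insert("contacts",   { email: "b@example.org", name: "B" });
  return store;
}

const demo = sampleStore();
console.log("report:", JSON.stringify(demo.exportSubject("a@example.org")));
console.log("fields held:", JSON.stringify(demo.affectedFields(["a@example.org"])));
console.log("rows erased:", demo.eraseSubject("a@example.org", "REQ-0001", new Date("2018-05-25T00:00:00Z")));
console.log("after erasure:", JSON.stringify(demo.exportSubject("a@example.org")));
```

The erasure log deliberately stores a request id rather than the email address, otherwise the deletion record would itself keep the personal data the user asked you to remove.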
Best Practices for US Businesses
GDPR is not a law that applies to everyone right now; however, it is best practice to implement these standards. While a good portion of your visitors may be from the United States, you never know who may visit your site. Do not leave your company open to potential GDPR-related fines from the European Union, which could be triggered even by US citizens visiting Europe and accessing your site from abroad.
In addition, the State of California is currently trying to pass laws that are similar in scope to the GDPR. The California legislation may pass as early as November 2018, which will undoubtedly apply to U.S. citizens, forcing additional future action.
Evaluate your business’ data systems to see if you require any changes to your privacy policy. If so, create, document, and put the right data breach procedures in place to detect, report, notify, and investigate.
Ask your suppliers and contractors if they are GDPR-compliant to reduce your risk of being impacted by a data breach and any consequent fines and claims.
If your products or services require the age of a user, consider where you need to obtain parent or guardian consent before providing your services. Start putting systems in place to verify that data now.
GDPR Compliance Helpful Links and Resources
For more information about GDPR, visit the EU Regulation site to read about the full legislation.
The May 25, 2018 deadline is coming quickly. If you have any questions or need help with your GDPR implementation on your website, feel free to contact Ocreative and we will do our best to help your company enter the new age of data collection.
Disclaimer: The information in this blog article (“article”) is provided for general informational purposes only and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Ocreative nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this Article should act or refrain from acting on the basis of any information included in, or accessible through, this Article without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.
About Ocreative
Ocreative is a Milwaukee marketing agency, with expertise and broad experience in developing digital marketing strategies, and growing their online presence, for their clients. The company’s core values include offering the highest level of customer service, award-worthy quality, and performance that surpasses client expectations. Ocreative is located just outside Milwaukee, and works with clients locally, nationally, and globally. Their clients have access to some of the most fun and knowledgeable professionals around – ones who inspire, educate, and problem solve. The agency provides marketing and brand strategy, advertising and design, website design and social media, and video expertise to their clients, fulfilling their desire for business growth, and their aspiration to make a mark on their industry.