General Data Protection Regulation (GDPR): What You Need To Know

The evolving landscape around data security continues to be a concern for companies of all sizes. Recently, the European Union enacted the General Data Protection Regulation (GDPR) to protect citizens’ personal data. This is an important issue for companies to understand, but it also includes a number of details and nuances that can be confusing. Fortunately, our friends at Workshop Digital, a Richmond-based digital marketing and SEO agency, break down everything you need to know about GDPR in the blog post below, which originally ran on their blog.

***

Disclaimer: While Workshop Digital works with a number of clients across many different verticals, including legal, we are not lawyers. Our lawyers haven’t reviewed this information. We are not qualified or liable for ensuring internal client business processes are GDPR compliant. If you believe that your business may be impacted by GDPR, we recommend speaking to your legal team to ensure that your business is protected.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new, sweeping regulation enacted by the European Union that will go into effect on May 25th, 2018. This new regulation is designed to replace an older Data Protection Directive that was designed to protect the personal data of European Union citizens. GDPR is considerably farther-reaching than the previous legislation, but the end goal of this new regulation is to reduce the severity and frequency of security breaches, as well as the mishandling or misprocessing of Personal Data online. There are three main aspects that make GDPR a much more robust set of regulations than the previous Data Protection Directive. These are as follows:

  1. Territorial Scope: GDPR has jurisdiction over all companies processing the Personal Data of EU residents living in the EU or abroad, regardless of whether the company is based in the EU or otherwise.
  2. Consent: Businesses collecting EU citizens’ data need to obtain consent in a clear and accessible way. Requesting consent via convoluted legalese or extremely fine print is not acceptable. Equally important, businesses seeking to use the data collected must make it as easy to withdraw consent as it is to grant it.
  3. Penalties: GDPR can pack a serious punch. While there are varying degrees of punishment, businesses that violate the most significant infringements (which include failure to acquire consent) can be fined up to four percent of their annual global turnover, or €20 million, whichever is greater.

Key Aspects of GDPR

  1. Businesses must require consent when gathering data from their users, as well as a way for users to opt out
  2. Businesses, when requested, must be able to delete a user’s information
  3. Businesses are obligated to inform users of a data breach within 72 hours of the breach

What Does This Really Mean?

Personal Data is a broader term than the definition of “Personally Identifiable Information,” which is frequently used when referring to data collected online. Personal Data can refer to data regarding your healthcare, your credit card, your video rentals, your DNA, your race, your religion, your lifestyle, criminal background, medical information, your dating profile, your IP Address, or anything else that may relate to a person who can be directly or indirectly identified by a reference to the identifier. The goal of GDPR is to protect all of this information in a secure manner.

Who Does It Apply To And Should My Business Be Worried?

Any website that receives traffic from any EU resident, regardless of where they are in the world, must take the proper steps to ensure they are GDPR compliant.

If your business does not collect, store, or process Personal Data, then you do not need to worry. However, any organization that does collect, store, or process Personal Data of an EU resident (no matter the physical location of that resident) without taking the appropriate steps can potentially be held accountable under GDPR. This applies even to businesses outside of the EU, so regardless of where your physical operations and employees are located, where you process your data, or whether or not financial transactions are involved, if your business is collecting, storing, or processing data from EU residents, you should take action.

Due to the severe consequences of GDPR, it’s well worth ensuring that your business has taken the proper steps to acquire consent for data collection, to store it appropriately (data must not be stored for longer than necessary and must be deletable if requested), and to process data in a secure way. In the end, these steps aren’t just compliant with GDPR; they’re legitimate steps to take to ensure your site is protecting users.

However, we want to reinforce that we’re experts at digital marketing—we are not lawyers, and our interpretations of GDPR and the consequences businesses may face by not complying with this legislation are not the end-all-be-all. If you believe your business may be impacted by GDPR, please consult your legal team.

WHAT IS WORKSHOP DIGITAL DOING TO COMPLY WITH GDPR?

According to GDPR, Workshop Digital’s role in the data ecosystem is that of a Data Controller. This means that our third-party partners and tools, such as Google and Unbounce, assume the roles of Data Processors. Our role is also to verify that the tools we use are GDPR compliant, and to periodically audit the data stored by our tools to ensure that no personally identifiable information of any kind is being collected and stored longer than necessary or in an insecure way.

As your digital marketing partner, we also have an obligation to keep you informed as the GDPR rolls out. We proactively communicate with our clients and will continue to provide updates on our blog.

WHAT SHOULD MY BUSINESS DO TO COMPLY WITH GDPR?

The most important aspect of complying with GDPR is obtaining clear consent from your users prior to collecting their data, while the second most important aspect is to ensure that the data is then securely stored and can be easily deleted if requested.

In the past, websites have used simple messages to get consent from users that essentially state “if you continue using this site you are agreeing to our terms of service”. GDPR very specifically indicates that this is not actually obtaining consent at all. Clear consent from your users in GDPR is more than just showing a pre-ticked box, or linking to a Terms and Conditions page. To have clear consent, you must explicitly ask for permission to use their data, as well as explain how you intend on using their data. You must also obtain consent any time you intend to collect sensitive information from your users. We also recommend updating your business’s privacy policy to ensure it is in line with GDPR. To get this right, it is best to consult with your legal team, but here are examples of some of the information to provide:

  • Who is collecting the data
  • What data is being collected
  • The legal basis for processing the data
  • Whether the data will be shared with any third parties
  • How the information will be used
  • How long the data will be stored
  • What rights the data subject has
  • How the data subject can raise a complaint

ONE THING WE KEEP HEARING…

Internally and otherwise, we’ve heard the suggestion that a business can become GDPR compliant if it just blocks all EU traffic. While this may be a good choice for some small businesses, it definitely does not ensure compliance. Blocking all EU traffic just means that people in Europe will not be able to see your site, which can be a huge pain for Americans traveling abroad. More importantly, GDPR essentially protects any EU resident’s information, no matter where in the world they are. In other words, an EU resident may be living in Brazil but seeking services from an American website. By not ensuring compliance with GDPR, the American website can potentially be held accountable. So please, do not attempt to block your EU traffic. Not only does it not make your business compliant, but it also may lead to a negative impact on your organic search engine rankings.

STILL HAVE QUESTIONS?

If there are specific questions that were not addressed by this blog post, please feel free to reach out to us. Alternatively, we also highly recommend speaking to your legal team about specific circumstances, or even just in general. GDPR is a big deal, and it comes into play very soon.

Additional Resources

GDPR – The law itself

Seer Interactive – GDPR Simplified

Search Engine Pipeline – All About the GDPR

Search Engine Land – To comply with GDPR, Google asks publishers to manage user-data consent for ad targeting in EU

Forbes – U.S. Businesses can’t hide from GDPR

Business Know How – Why U.S. and Other Non-European Companies Need to Comply with GDPR

Password Protected – U.S. Companies; Are You Ready for GDPR?

IS Partners – U.S. Companies Need to Gear Up for GDPR Compliance: 5 Ways To Prepare

Facebook – What is the General Data Protection Regulation?

Martech – Misconceptions about GDPR

Search Engine Watch – Is Google Analytics compliant with GDPR?

Portent – The GDPR: 29 Things ALL Marketers Must Know

Hive Digital – Does GDPR affect SEO?

Jeffalytics – How to Prepare Your Google Analytics Account for GDPR

Marie Haynes – GDPR and Google Analytics. Here is what I am telling my clients

Unbounce – New Privacy Law Alert: GDPR + Unbounce (+You)