Disclaimer: We are not lawyers and are certainly not experts on the GDPR. The information below represents our interpretation of the information available online and should not be taken as legal advice. Performance Foundry assumes no responsibility in relation to the use of the information in the blog post.

The GDPR has been big news recently — the change in regulations affects businesses worldwide, and you’ve probably already received dozens of emails and notifications about companies making changes to their privacy policy.

As a website owner, what does this regulation change mean for you? Let’s have a look at some of the big questions that are being asked at the moment.

1. What is the GDPR?

The EU’s General Data Protection Regulation (GDPR) is a new regulation that will come into effect on 25 May 2018.

Its main aim is to protect the data and privacy of all individuals within the European Economic Area, and extends the scope of the current EU data protection law to all companies that process personal data related to people located within the EU.

As we understand it, they don’t need to be subscribers or customers, or to be EU residents. The test is simply that a person located within the European Economic Area (EU plus Iceland, Liechtenstein and Norway) accesses your site (Article 14).

So if you have a website with visitors from the EU/EEA, this means the GDPR affects you, and you need to take action as a result of this.

According to the 261-page document, the GDPR defines “personal data” and “processing” as:

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (Article 4)

So, if you collect or hold in any way information like names, IP addresses, or email addresses, you are affected by this.

2. How is the GDPR different from the old regulations?

There are a lot of differences, because the way we store, share and process data has changed a lot in the last decade or so, and the regulation aims to deal with that. Plus, the new regulation doesn’t just apply to EU companies — it also affects any company that holds information on web users located in the EU/EEA (i.e. you).

3. What are some of the things I need to know about the GDPR?

Some of the main points of the GDPR are:

Consent

People must give consent to you having their information. You must make it very clear what they are agreeing to, and it must be easy to withdraw consent.

Right to access/data portability

People should have access to the data you have on them, on request. This data should be provided in a format that allows them to transmit it to another controller if they want to.

Right to be forgotten

Data subjects can request that you delete their data under certain conditions. (You can’t erase data if it’s against the law in your country to do so, for example.)

Privacy by design

You should only collect the data you really need (data minimisation), and should limit access to personal data to those people who need it to do their job.

Data Protection Officers

Certain organisations must appoint DPOs to monitor internal compliance with this Regulation. If you turn over less than $5,000,000 a year, you probably don’t need to.

Documentation

You need to document the data you collect and maintain records of what you do with it. Supervisory authorities have the right to ask to see those records. However, article 13 notes that there is “a derogation for organisations with fewer than 250 employees with regard to record-keeping.”

Breach notification

Companies must notify both the supervisory authority (within 72 hours) and customers (“without undue delay”) after first becoming aware of any data breach. Finding your supervisory authority could be a challenge.

If you’re in the EU, it’s the supervisory authority of your country. If you’re not, it’s a little unclear. IAPP suggests that Ireland could be a good choice for English-language speakers.

Penalties

You can be fined quite heavily for non-compliance. However, you can only be fined by a supervisory authority within the EU. Since best practice is yet to be established, a good-faith attempt to meet regulations is likely to stand you in good stead. Also, there is a provision for a warning for a first offence, and if you take action as a result of the warning, harsh penalties seem unlikely, especially for blogs and other small businesses.

4. Why does this affect me?

If you have a website, chances are some of your visitors are from the EU/EEA. If you collect any kind of data on your site visitors (through plugins or email signups), the law affects you.

5. What should I do now?

  • Review the data you collect and consider why you do this. Write a simple report and store it somewhere you can access it easily if you’re asked for it. (If you have fewer than 250 employees, this is not necessary, but it’s a good thought exercise.)
  • Think about how you can send the data you hold on people to those people if they ask for it, how they can remove their consent to you having that data, and how you can erase that data.
  • Update your terms of use/privacy policy.
  • Work through this helpful guide. This includes a 12-item “things to do now” PDF, and a data protection self-assessment toolkit, designed for small to medium-sized organisations. Working through that could be a very helpful process. (Thanks to Performance Foundry client Jo Fitzsimmons, who found this and passed it on.)

6. What technical changes do I need to make to my site?

In the strictest interpretation of the rules, nobody in the EEA would be able to access any website without explicitly clicking a button to give consent to opening the page. This is unfeasible and probably not the intention of the regulation.

We’re looking into simple technical changes that can be made for Performance Foundry clients, and will be in touch with suggestions.

7. What about Google’s changes?

As a result of the GDPR coming into action, you’re likely to receive a lot of emails from companies who have updated their privacy policies or terms of use, or have made other changes to the way their system works.

Google also sent out one of these emails, which caused quite a lot of confusion and dismay in the Performance Foundry community, because while the email included an “action required” rider, it was very difficult to work out exactly what action to take.

Among the many issues touched on in the email was an announcement that Google Analytics was introducing granular controls, to be able to choose how long user data is retained in Google Analytics. The idea is that after the period of time you choose, the data is deleted automatically.

You can choose from the following options:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

See Google’s help documentation for more information.

Google has set the default to 26 months, so if you do nothing, then data that is slightly over two years old will be deleted on a rolling basis each month. If you’d like to keep the data for longer than this, you’ll need to log in to Google Analytics and change the settings. This default setting was not made clear in the email, so it’s something to be aware of.

Another part of the email mentioned that before May 25, Google will also introduce a new user deletion tool. This is great, because if an individual user asks you to delete all data you have on them, you’ll be able to do a lot of that right in Google Analytics.

Ads

If you use Google’s advertising products, it seems that you have a couple of options:

  • Install a popup that makes users acknowledge that you use cookies.
  • Change your settings so users in the European Economic Area don’t see ads.

According to Google’s help documentation:

For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users’ legally valid consent to:

  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent you must:

  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.
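The three duties above (obtain consent before setting cookies or collecting personal data, retain a record of that consent, and make revocation possible) translate fairly directly into code. Below is an added example, written for this post and not Google’s or Performance Foundry’s code, of a small consent gate that records what the visitor agreed to, under which policy version, and only then loads a tracker. The storage key, policy version and purpose names are constructed; the storage object is injectable so the same logic works against `window.localStorage` in a browser or the Map-backed shim here under Node.

```javascript
// Minimal consent gate for third-party trackers (added example, constructed for this post).
const CONSENT_KEY = "cookie_consent_v1";   // constructed key; bump the suffix when your policy text changes
const POLICY_VERSION = "2018-05-25";       // constructed: the version of the privacy policy being agreed to

class ConsentStore {
  constructor(storage) { this.storage = storage; } // window.localStorage, or a shim with the same API

  // Return the stored consent record, or null if none exists or it cannot be parsed.
  read() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // a corrupt record counts as no consent
  }

  // Record consent with timestamp and policy version: this is the "retain records of consent" duty.
  grant(purposes) {
    const record = { purposes: [...purposes], policyVersion: POLICY_VERSION, grantedAt: new Date().toISOString() };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }

  // Revocation: remove the record so no tracker is loaded on subsequent page views.
  revoke() { this.storage.removeItem(CONSENT_KEY); }

  // A tracker may load only if a record exists, was given under the current policy, and covers its purpose.
  allows(purpose) {
    const rec = this.read();
    return !!rec && rec.policyVersion === POLICY_VERSION &&
      Array.isArray(rec.purposes) && rec.purposes.includes(purpose);
  }
}

// Call `inject` (e.g. a function that appends the analytics <script> tag) only when consent covers `purpose`.
function loadIfConsented(store, purpose, inject) {
  if (!store.allows(purpose)) return false;
  inject();
  return true;
}

// Map-backed shim exposing the subset of the localStorage API used above, so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a real page, the “Accept” button of the popup would call `grant([...])`, the revocation link in the privacy policy would call `revoke()`, and every tracker load would go through `loadIfConsented` instead of an unconditional script tag.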

GDPR – action is required

So yes, it’s difficult and complicated. Action is definitely required, but our feeling is that if you take action now to show that you’re trying to comply, that will go a long way.