What Is GDPR?
The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. It replaces the 1995 Data Protection Directive (95/46/EC); in the UK, the Data Protection Act 2018 replaced the Data Protection Act 1998 (DPA) alongside it.
The GDPR distinguishes ‘personal data’ from ‘sensitive personal data’.
‘Personal data’ is any information relating to an identified or identifiable person, for example names, ID numbers, location data, physical addresses, email addresses, online identifiers such as cookie IDs and IP addresses, and much more.
That means the information collected by your websites, email opt-in forms and contact forms is personal data under GDPR. Any information that can be linked to an individual is personal data.
‘Sensitive personal data’ refers to the ‘special categories of personal data’: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, health data, and data concerning a person’s sex life or sexual orientation.
GDPR applies to any business, charity or individual established in the EU that collects, stores or processes the personal data of individuals, online or offline. It also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
GDPR expands the rights of your online visitors over how their personal data is collected, processed, shared and deleted. Non-compliance comes with severe penalties.
You can read more about the regulation on the ICO website.
How Does GDPR Affect My Website and Email Marketing?
If you are an active participant in the digital world, it’s time to get the right knowledge and handle online data collection correctly, to protect yourself, your website visitors and your subscribers.
The new data protection law applies to both online and offline data collection and it sets a very high standard for privacy rights and compliance in the EU.
I’m not a lawyer or legally trained, so I’m not about to give you all the legal implications of the GDPR, as it is far-reaching in scope. I’ll give you my interpretation of it as it applies to your websites, email subscribers and online marketing.
I encourage you to get legal advice on how GDPR might precisely impact your organisation and websites.
GDPR and Websites
All websites collect information about their visitors in many ways. Under GDPR, your privacy policy must state exactly what information your website collects and how it is used.
Your website must be transparent: display privacy notices wherever you collect names, email addresses or other information, and explain how that personal data is going to be processed.
The regulation states that the privacy information must be ‘concise, transparent, intelligible, easily accessible, and it must use clear and plain language.’ That means no ‘small print’.
If individuals exercise their right of access to their data and how it’s being used, you must verify the identity of the person making the request (proportionately, using information you already hold where possible) and provide a copy of the information ‘free of charge’, ‘without undue delay’ and ‘within one month’. The one-month period can be extended by a further two months for complex or numerous requests, but you must tell the individual within the first month.
If a website security breach leads to unauthorised access to personal data, you must report it to the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Keep a record of every breach, including those you decide not to report.
You must also inform the affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
The GDPR provides rights for individuals, and you can read more about them on the ICO website.
GDPR and Email Subscribers
If you want people to sign up to your email list for direct marketing, add a separate, un-ticked opt-in checkbox displayed prominently next to the data entry form. Website visitors must tick the box themselves to register their consent, which is your legal basis for processing their personal data. Pre-ticked boxes, silence or inactivity do not count. Individuals must ‘positively opt in’ on your website, and this consent must be verifiable.
Individuals must actively confirm that they want to be contacted for digital marketing. They must say yes to email marketing. You need to keep records of what they consented to, when they consented and how they did it (for example the form they used and the version of the privacy notice they were shown).
If you use an Email Service Provider, for digital marketing, the service should provide tools to make it easy for you to handle your subscribers’ data appropriately.
For example, with MailChimp, your subscribers can contact MailChimp directly to have their personal data updated or erased from your email list.
The image below shows what MailChimp’s GDPR-compliant form looks like.
If a request is made for erasure, it’s your responsibility to make sure the individual’s data is deleted from ALL your lists.
If you have an email list of previous subscribers and you can prove that you obtained their personal data under the same standards the GDPR now requires, you can keep the list. That proof includes a double opt-in, transparent information at the time about the use of their personal data for online marketing, and the ability to give them access to the information you hold and all the other rights that exist under GDPR. If you have that, you shouldn’t worry.
If, however, you didn’t get consent or inform individuals that you’ll use their personal data for marketing purposes, I’d strongly advise that you delete the list and start again. The proper way, this time.
Some companies, including Honda and Flybe, have been fined by the ICO for emailing previous subscribers to ask them to confirm or update their marketing consent; if you never had consent to email someone, you cannot email them to ask for it. So be warned!
GDPR and Online Marketing
Individuals may object to their personal data being used for direct marketing or for research purposes. For direct marketing the right is absolute: you must stop processing their personal data for that purpose as soon as you receive the objection, and there are no exemptions or grounds to refuse. (For research, an objection can be refused only where the processing is necessary for a task carried out in the public interest.)
If you get a request to delete an individual’s personal data, and you hold it on the basis of their consent, as marketing data usually is, you MUST delete it. You’ll need processes in place to ensure that you delete their data without undue delay and within one month of the request, from every list and every system that holds it.
The right to data portability allows individuals to obtain the personal data a website owner holds on them in a structured, commonly used, machine-readable form such as CSV, and to reuse that data for their own purposes with other organisations.
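The consent, objection, erasure and portability requirements above translate into a small amount of record-keeping logic. The ledger below is an added example, not code from the original post and not MailChimp’s or any other provider’s implementation; the class and method names (ConsentLedger, opt_in, confirm, object_to_marketing, erase, export) and the sample subscribers are constructed for illustration. It records what was consented to, when and how; refuses to record an un-ticked box as consent; stops marketing across every list the moment an objection arrives; purges a person’s history on erasure while keeping only a hash to evidence that the request was honoured; and produces a CSV export for access and portability requests.

```python
"""Consent ledger for an email list (added example; hypothetical names, constructed data)."""
from dataclasses import dataclass, asdict, fields
from datetime import datetime, timezone
import csv
import hashlib
import io


@dataclass(frozen=True)
class ConsentEvent:
    """One verifiable consent record: what was agreed, when, and how."""
    subject: str          # email address (or a hash of it once erased)
    action: str           # "opt_in", "confirm", "object", "erase"
    purpose: str          # what they consented to, e.g. "newsletter"; "*" = all
    at: str               # when, ISO-8601 UTC
    source: str           # how, e.g. the form URL or "double-opt-in link"
    notice_version: str   # privacy notice version shown at the time


class ConsentLedger:
    def __init__(self):
        self.events: list[ConsentEvent] = []    # append-only audit trail
        self.lists: dict[str, set[str]] = {}    # purpose -> subscribed emails

    def _log(self, **kw) -> ConsentEvent:
        ev = ConsentEvent(**kw)
        self.events.append(ev)
        return ev

    @staticmethod
    def _now(at):
        return at or datetime.now(timezone.utc).isoformat(timespec="seconds")

    def opt_in(self, email, purpose, source, notice_version, ticked, at=None):
        # A pre-ticked or untouched box is not consent: refuse to record it.
        if not ticked:
            raise ValueError("no positive opt-in: consent not recorded")
        return self._log(subject=email, action="opt_in", purpose=purpose,
                         at=self._now(at), source=source, notice_version=notice_version)

    def confirm(self, email, purpose, at=None):
        # Second step of double opt-in; only now does the address join the list.
        if not any(e.subject == email and e.action == "opt_in" and e.purpose == purpose
                   for e in self.events):
            raise ValueError("confirmation without a prior opt-in")
        self.lists.setdefault(purpose, set()).add(email)
        return self._log(subject=email, action="confirm", purpose=purpose,
                         at=self._now(at), source="double-opt-in link", notice_version="-")

    def object_to_marketing(self, email, at=None):
        # Objection to direct marketing: stop immediately, across every list, no exceptions.
        for members in self.lists.values():
            members.discard(email)
        return self._log(subject=email, action="object", purpose="*",
                         at=self._now(at), source="objection request", notice_version="-")

    def erase(self, email, at=None):
        # Right to erasure: remove the address from ALL lists and purge its history.
        # Only a hash is kept to evidence that the request was honoured; a hash of an
        # email is still pseudonymised data, so keep it no longer than needed.
        for members in self.lists.values():
            members.discard(email)
        self.events = [e for e in self.events if e.subject != email]
        digest = hashlib.sha256(email.lower().encode()).hexdigest()
        return self._log(subject=digest, action="erase", purpose="*",
                         at=self._now(at), source="erasure request", notice_version="-")

    def can_email(self, email, purpose) -> bool:
        """True only for a confirmed opt-in not followed by an objection or erasure."""
        state = False
        for e in self.events:               # events are in chronological order
            if e.subject != email:
                continue
            if e.action == "confirm" and e.purpose == purpose:
                state = True
            elif e.action in ("object", "erase"):
                state = False
        return state and email in self.lists.get(purpose, set())

    def export(self, email) -> str:
        """Subject access / portability: everything held on this person, as CSV."""
        buf = io.StringIO()
        w = csv.DictWriter(buf, fieldnames=[f.name for f in fields(ConsentEvent)],
                           lineterminator="\n")
        w.writeheader()
        for e in self.events:
            if e.subject == email:
                w.writerow(asdict(e))
        return buf.getvalue()


def demo() -> dict:
    """Constructed walk-through with sample addresses (not real subscribers)."""
    led = ConsentLedger()
    alice, bob = "alice@example.com", "bob@example.com"
    led.opt_in(alice, "newsletter", "https://example.com/signup", "v2",
               ticked=True, at="2018-05-25T09:00:00+00:00")
    led.confirm(alice, "newsletter", at="2018-05-25T09:05:00+00:00")
    try:  # Bob submitted the form without ticking the box: nothing is recorded.
        led.opt_in(bob, "newsletter", "https://example.com/signup", "v2", ticked=False)
    except ValueError:
        pass
    before = led.can_email(alice, "newsletter")
    led.object_to_marketing(alice, at="2018-06-01T12:00:00+00:00")
    after = led.can_email(alice, "newsletter")
    export_rows = led.export(alice).count("\n") - 1   # data rows, excluding header
    led.erase(alice)
    return {"alice_before": before, "alice_after": after,
            "bob": led.can_email(bob, "newsletter"),
            "export_rows": export_rows, "events_after_erase": len(led.events)}


if __name__ == "__main__":
    print(demo())
```

The ordering matters: an address only becomes mailable after the confirmation step, and an objection or erasure switches it off regardless of how many lists it sat on. The export is the same audit trail you would show a supervisory authority if asked to prove when and how consent was obtained.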
GDPR and Business Benefits
With GDPR, your website visitors get more information about how their personal data is being used. Their rights are strengthened, and it becomes easier for them to enforce those rights, especially the right to rectification, the right to erasure (also known as ‘the right to be forgotten’), the right to restrict processing and the right to object.
For a small business owner, a GDPR-compliant website demonstrates that the owner respects the personal data of visitors and customers, and it can add value to the business by building trust. Collecting personal data under GDPR creates opportunities to market to people who are genuinely engaged with your brand. Other benefits for the business include reduced legal exposure.
GDPR is a positive thing and should give your website visitors a positive experience.
As a small business owner, it’s good practice to work with services that are GDPR compliant.