If you do business with, or have website visitors from, the EU, then this is something you need to know, because it directly affects your business. GDPR is far-reaching legislation that doesn't just affect organisations inside the European Union (EU). It reaches virtually every country in the world where digital business and marketing is done and a person in the EU can become a customer, a user, or otherwise hand you their personal information.
BEFORE WE START
The information below IS NOT legal advice; it only offers suggestions and recommendations.
Recently you may have noticed that you are receiving a lot of emails from various service providers (for example Google, Microsoft, Apple, Facebook, Twitter, etc) announcing updates to their privacy policies. These updates are largely a result of the GDPR regulations.
If you are not compliant with the General Data Protection Regulation (GDPR), it could mean administrative fines of up to 20 million EURO or, for an undertaking, up to 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)). So it's vital for website owners and marketers to understand the GDPR requirements. The regulation applies to everything from contact-us forms, newsletter signups, mobile event apps and online surveys to social media. It even covers manually collecting business cards at conferences, because a name and e-mail address on a card is personal data once you record it.
You can read the complete GDPR at the following link. //www.eugdpr.org/the-regulation.html
In Article 4 (1) GDPR defines personal data as follows:
"Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Essentially, if data can be used to identify a person, directly or in combination with other data you hold, it is personal data under the GDPR. That includes the information you are likely to collect from event attendees, such as names, postal addresses, birth dates, e-mail addresses, IP addresses and device or cookie identifiers.
I do not live in the EU, so who do these regulations apply to?
The short answer is: ALL organisations that collect and handle the personal data of people who are in the European Union (EU) have to comply with GDPR, wherever the organisation itself is located.
A very important part of the GDPR has to do with the geographic scope of the law. To quickly summarise: Article 3 of the GDPR says that if you offer goods or services to people in an EU country, or monitor their behaviour there (for example by collecting personal data or behavioural information through your website), your company is subject to the requirements of the GDPR even if it has no presence in the EU.
Two points of clarification.
First, for organisations outside the EU, the law applies when the data subjects (the GDPR's term for the people whose data is processed) are in the EU at the time the data is collected. This makes sense: EU law applies in the EU. An EU citizen who is outside the EU when they hand over their data is not covered on that basis. In practice, though, you will rarely be able to determine reliably where a visitor was when they submitted a form, so unless you actively geo-restrict who can use your site, the safe working assumption is that some of your data subjects are in the EU and that the GDPR applies.
What are the GDPR Requirements?
GDPR (Articles 13 and 14) requires website and web store owners to tell visitors, at the point where data is collected, at least the following things:
- Who is collecting the data (the identity and contact details of the data controller).
- What personal data is being collected.
- What the data is being used for, and the legal basis for using it.
- Who the data is shared with or processed by (for example hosting, e-mail and analytics providers).
- How the data is collected and obtained.
- How long the data will be kept, and where it is stored, including any transfers outside the EU.
- The rights the person has over their data (access, correction, erasure, objection) and how to exercise them.
Here are some examples:
- An e-mail address field on a contact form or checkout page.
- User accounts: anyone can register and log in to your website. This applies even if the only accounts are back-end administrators, so every site running a CMS such as WordPress or Joomla has to comply.
- Database with order information.
- Event registrations.
- Mailing list sign-ups.
How Does GDPR Impact My Company?
Event registrations: Registrations are a key way to collect attendee data that can be useful in designing an effective campaign for your event. A well-designed registration form can build a comprehensive database of your attendees, but every field in it is personal data that you must be able to justify, protect and, on request, hand over or delete.
Consent: A main concern here is user consent for the collection of data. Under the GDPR (Article 4(11) and Article 7), consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act. A pre-ticked box, silence or inactivity does not count as consent; the registrant must actively tick the box or take an equivalent positive step. Consent cannot be buried in a long block of terms and conditions: the request must be clearly distinguishable from other matters and written in plain, intelligible language, and it must be as easy to withdraw as it was to give. The wording the registrant agreed to should be easy for them to find again later, and you should keep a record of who consented, to what, and when, because the burden of demonstrating consent is on you.
Data sharing: Companies must tell attendees plainly how their data is handled: who it is shared with, and for what purpose. Attendees also have a right of access (Article 15): on request you must tell them what personal data you hold about them and, where the processing is based on consent or a contract and carried out by automated means, provide a copy in a commonly used, machine-readable format (the right to data portability, Article 20). It is the organiser's responsibility to be able to produce those records, normally within one month of the request.
Data-breach notification: No company is a stranger to cyber attacks, and you will have seen or heard of breaches in which personal data was stolen and misused. Under Article 33, if a personal data breach is likely to result in a risk to the people affected, you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Under Article 34, if the breach is likely to result in a high risk to those people, you must also inform them directly. Meeting a 72-hour deadline is only realistic if you already know where personal data lives, who your processors are, and who is responsible for making the notification, so work that out before an incident, not during one.
Opting out: People whose data is collected and used for marketing campaigns have the right to object to that marketing at any time (Article 21(2)), and you must stop as soon as they do. They may also ask for their personal data to be erased from every system in which you hold it (Article 17, the 'right to be forgotten').
Organisations must honour these requests and remove the records of attendees who ask to be erased, including copies held by processors such as e-mail and CRM providers, subject only to the limited exceptions in Article 17(3), for example records you are legally obliged to retain. Keeping an up-to-date map of where each category of personal data is stored is what makes this possible in practice.
My business only takes customers from my country, why should I care??
The GDPR protects the personal data of people who are in the EU, not EU citizens as such. So a business in Australia, for example, whose form is filled out by an EU citizen who also lives in Australia is not, on that basis alone, within the GDPR's scope. The practical problem is that a public website cannot tell where a visitor was when they submitted a form, and "we only take customers from our own country" is rarely enforced technically. If your site is reachable from the EU and you market to, or track the behaviour of, people who may be there, you should assume that some of the data you hold is covered and comply accordingly.
What should I do to my website to make it compliant?
GDPR applies to the personal data you already hold, not only to data collected after it took effect; there is no grandfathering of old lists. Getting the following updated will help keep you GDPR compliant when marketing to past, present and future customers.
- Email marketing lists: If you have an e-mail marketing list and cannot show a lawful basis (Article 6) for using it, which for marketing usually means valid consent as described above, then sending e-mails to that list is in breach of GDPR as of May 25th, 2018. If you cannot demonstrate how and when each address was obtained and what the person agreed to, seek fresh consent before you mail them again, and remove the addresses of anyone who does not respond.
Following these steps will greatly improve your GDPR compliance with regard to your marketing efforts.
The GDPR portal is the main source of information and can be found here > https://www.eugdpr.org
You can get a Terms and Conditions or Privacy Policies created here https://termsfeed.com. But please remember, these documents are Legal Information, and are not Legal Advice.