Should you make your website GDPR compliant?
With Facebook recently under the US government's microscope, privacy is now front and centre in conversations among businesses and governments alike. It all stems from the question of who actually owns the data that relates specifically to you as an individual, and it gets more complicated still once you ask the same question about the marketing data and tracking that surround your daily life on the internet.
The European Union decided to make some ground rules and that gave birth to the “GDPR”, otherwise known as the General Data Protection Regulation Act.
In their words:
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.
Why is the EU doing this?
The EU wanted a set of principles that would set the baseline for how its citizens are treated when it comes to individual privacy.
One of the biggest concerns is security breaches that expose personal data, and this law is designed to make every business accountable to the people whose data it holds … which is a good thing.
How does this affect my website over here in North America?
Well, it turns out people in the EU visit a lot of North American websites, and the EU expects all of these businesses to respect and comply with its laws as well. A bit of a head-scratcher when you think about it, as they don't technically control the internet but are kind of acting like they do (another debate for another day).
Thankfully, complying with GDPR is fairly straightforward. These are the main points to consider:
- Digital forms require an “Active Opt-In”: users must actively choose to subscribe to future marketing emails rather than being subscribed by default.
- The user needs to consent to the full terms and conditions of anything they are opting into, and that consent is requested separately from the marketing opt-in itself (an “Unbundled Opt-In”).
- Users require “Granular Opt-In” options for each type of marketing communication, for example separate choices for email and phone contact.
- It needs to be easy for users to “Withdraw Permission or Opt-Out” of anything you have collected their contact data for (this includes how frequently you contact them).
- You must clearly identify the parties whose data you are collecting (i.e. the user's first name and last name).
- If you collect online payments, you need to modify your web processes so that personal information is removed from your database after a reasonable amount of time.
- Users need to be told about any third-party tracking you use, whether it is Salesforce or Google Analytics, in a statement on your homepage (usually a banner they can dismiss).
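As an added illustration, not code from the original post or from Floating-Point, here is one way the server side of a sign-up form could enforce the active, unbundled and granular opt-in points above, honour withdrawal, and blank personal details once nothing justifies keeping them. The channel names, form field names and the retention policy are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
CHANNELS = ("email", "phone")  # one checkbox each ("Granular Opt-In"); names assumed

@dataclass
class ConsentRecord:
    first_name: str
    last_name: str
    terms_accepted_at: datetime
    channels: dict = field(default_factory=dict)  # channel -> granted at; absent = no consent

def parse_signup(form: dict, now: datetime) -> ConsentRecord:
    """Build a consent record from submitted form fields.

    A ticked checkbox arrives as "on", an unticked one is absent, so with every
    box rendered unticked a missing key means no consent ("Active Opt-In").
    Terms acceptance is its own box, so a user can sign up while opting into
    no marketing at all ("Unbundled Opt-In").
    """
    if form.get("accept_terms") != "on":
        raise ValueError("terms and conditions must be actively accepted")
    granted = {ch: now for ch in CHANNELS if form.get(f"consent_{ch}") == "on"}
    return ConsentRecord(form["first_name"].strip(), form["last_name"].strip(), now, granted)

def withdraw(rec: ConsentRecord, channel: str) -> None:
    """'Withdraw Permission or Opt-Out' for one channel, leaving the others intact."""
    rec.channels.pop(channel, None)

def may_contact(rec: ConsentRecord, channel: str) -> bool:
    return channel in rec.channels

def purge_expired(records: list, retention: timedelta, now: datetime) -> int:
    """Blank personal fields on records with no remaining consent that are older
    than the retention window (an assumed policy); returns how many were purged."""
    purged = 0
    for rec in records:
        if not rec.channels and now - rec.terms_accepted_at > retention:
            rec.first_name = rec.last_name = "[redacted]"
            purged += 1
    return purged

def demo() -> tuple:
    """Constructed submission: terms accepted, email ticked, phone left unticked."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    rec = parse_signup({"first_name": "Ada", "last_name": "Lovelace",
                        "accept_terms": "on", "consent_email": "on"}, t0)
    before = (may_contact(rec, "email"), may_contact(rec, "phone"))
    withdraw(rec, "email")
    purged = purge_expired([rec], timedelta(days=365), t0 + timedelta(days=400))
    return before, may_contact(rec, "email"), purged, rec.first_name
```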
What the GDPR Means To Us
The GDPR is here to stay, and if you have customers or users from the EU, they have to be factored into the equation. At a minimum, Floating-Point recommends that all Privacy Policies be updated to clearly state your intentions for all user data and to promote transparency with your users.
To us this approach is a good thing: it shows all users your commitment to their privacy, which we can all appreciate in this day and age.
Gabe Boisvert | Project Lead | Floating-Point