GDPR - what does it mean?

On May 25th 2018 the GDPR (General Data Protection Regulation) will go into effect in Europe.

The GDPR is a set of regulations that gives people more control over their personal information.

People need to give explicit permission for anyone to use their information.

It also means that if you do business with customers in Europe you have to comply with the GDPR.

Over the last couple of weeks we have seen a lot of information passing by on the internet, and people are starting to worry. We believe there is also a lot of misinformation about the GDPR.

We will go over some basic issues with this new regulation.

Does the GDPR affect my business?

The GDPR will affect you as a business when you collect information from European citizens. This can be information collected online through a web shop, or information that you receive by mail.

What if I do not comply?

This is the scary part for everyone. If you do not comply with the GDPR you can get a fine. The fine can be 4% of your annual global turnover and up to €20 million ($24.5 million). These are pretty high fines, but the fines are based on the seriousness of the infringement: severe cases will get higher fines. If you otherwise comply with the GDPR but, for instance, do not have your records in order, the fine could be 2% of your annual global turnover.

What does the GDPR exactly mean?

In short, you can only collect the minimum amount of information from a person that is necessary to complete a transaction.

Example:

We have a contact form on our website. What information do we need when a customer wants to contact us through that form? A name, an email address, a phone number and a message. When a person contacts us and we need to get back to them, we need to know their name. With their email address we can reply by email, and in case the email address is wrong we can contact them by phone. The message tells us what the customer is contacting us about. We can have a checkbox for a newsletter, but it cannot be checked by default; it has to be unchecked.

What information is being collected through a website?

Most websites collect information from their visitors. We have to make a clear distinction between the types of information that are being collected.

Scripts
First, there are scripts running on your website, such as Google Analytics or the Facebook Pixel.

These scripts collect information about the visitor on your website. This information does not contain personal details about the person: it will collect an IP address and other data, but it cannot even tell you whether the visitor was male or female (unless they are logged in to a Google account).

The Facebook Pixel collects more information when people come to your website through a link that you shared on Facebook. But it is Facebook collecting this information, not your website.

Cookies
This is my favorite, because not too many people understand how cookies work and what they are.

Cookies are small text files that are stored on your computer or mobile device.

A cookie can be placed when you have a pop-up on your website that shows every 6 hours. The cookie is placed on your computer at the time the pop-up is activated. The only information that cookie holds is a timestamp.

When you return to the website, it reads this cookie and checks the timestamp. If the timestamp is more than 6 hours old, the pop-up is shown again. This cookie does not contain any personally identifiable information, and most cookies don't.

Most cookies are for functional purposes to make it easier to use the website.

In Europe you have to show a cookie message on your website if your website uses cookies.

In the beginning you saw these messages and you could accept or decline the use of cookies.

The reality is that whether you accept or decline, the cookies are still being used and the scripts are still loaded. Nobody pays attention to this.

What do I need to do?

We will focus on information being collected through your website only.

Step #1
The first thing we recommend is setting up a procedure document regarding the information that you collect through your website. This does not have to be a huge document; you can start with the basics and add to it later.

Here are some things you can put in your document:

  1. What information do you collect through your website? This can be through a contact form or a web shop. What is the bare minimum of information you need from a person to either answer their question or complete an online order?
  2. Who do you share this information with, and which information do you share with each 3rd party? For instance, if you do drop shipping, the order information is sent to the drop shipper so that they can ship the order. Another party you may share information with is an accountant, when you give them the invoices.
  3. How do you protect the information that is collected? Do you make backups? Is someone else making backups? Is the information secure on your website? What do you do to secure that information online?
  4. How long you keep this information. For example: if you have a web shop, you have order information, invoices etc. By law you have to keep this information for 7 years for the tax department, so the retention term would be 7 years. Even if a person requests that you remove this information before the 7 years are up, you can keep it for 7 years.

Now depending on your website you might add some more information to this document.

Step #2
Create an agreement document for each 3rd party you share this information with.

Again, this can be a simple document. Clearly state what information is shared with that party and how they may use that information.

For instance, an agreement for an accountant can read: <your company name> will share order and contact information with <accountant's name> for the purpose of maintaining the books. If the information is to be used in the future for any other purpose, a new agreement will be set up.

Put the names underneath the text, add the date and have each party sign the document.

Step #3
Write a privacy policy for your website.

Clearly state in the privacy policy what information is collected and how this information is used. And I know no one is going to like this one, but also add to the privacy policy what you will do when a data breach happens.

Step #4
The last step is to make sure you have the so-called cookie message on your website. The cookie message should refer to your privacy policy.

Right now I do not think the cookie message is working on most websites, but I haven't seen anything about anyone looking to do something about this.

There are 2 choices for the cookie message.

  1. Show the message with a close button. This means the scripts and cookies are being used.
  2. If your website technically can do this, you can have the cookie message with an accept and a decline button. I would only use this option if the decline button really removes the scripts and the cookies.

When you use option 2, make sure that your website still works when certain scripts or cookies are not loaded.
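One way to implement the two cookie mechanisms this post describes, the timestamp-only pop-up cookie from the Cookies section and an accept/decline message (option 2) whose decline really keeps the tracking scripts out, as an added example that is not code from the original post. The cookie names and the script list are assumptions, the script URLs are placeholders, and applyConsent only runs in a browser.

```javascript
const SIX_HOURS_MS = 6 * 60 * 60 * 1000;
const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const POPUP_COOKIE = 'popup_seen';         // assumed cookie name
const TRACKING_SCRIPTS = [                 // placeholder URLs, not real endpoints
  'https://example.invalid/analytics.js',
  'https://example.invalid/pixel.js',
];

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) out[name] = decodeURIComponent(rest.join('='));
  }
  return out;
}

// The pop-up cookie holds only a timestamp (ms): show the pop-up again once
// 6 hours have passed, or when the cookie is missing or unreadable.
function shouldShowPopup(cookies, nowMs) {
  const seen = Number(cookies[POPUP_COOKIE]);
  return !Number.isFinite(seen) || nowMs - seen > SIX_HOURS_MS;
}
// 'accept', 'decline' or null (no answer yet); only an explicit accept loads scripts.
function consentDecision(cookies) {
  const v = cookies[CONSENT_COOKIE];
  return v === 'accept' || v === 'decline' ? v : null;
}
function scriptsToLoad(cookies) {
  return consentDecision(cookies) === 'accept' ? TRACKING_SCRIPTS.slice() : [];
}

// Store the choice for a year; a decline is stored too, so the message does
// not come back on every page view. The pop-up timestamp uses the same shape.
function consentCookie(decision) {
  return `${CONSENT_COOKIE}=${decision}; Max-Age=31536000; Path=/; SameSite=Lax`;
}

// Call sites must tolerate a missing tracker so that a decline never breaks the site.
function track(eventName, g = globalThis) {
  if (typeof g.gtag === 'function') { g.gtag('event', eventName); return true; }
  return false;   // tracker not loaded: nothing is sent, the page keeps working
}

// Browser-only wiring: inject only the scripts the visitor consented to.
function applyConsent(doc) {
  for (const src of scriptsToLoad(parseCookies(doc.cookie))) {
    doc.head.appendChild(Object.assign(doc.createElement('script'), { src, async: true }));
  }
}
```

In the browser, call applyConsent(document) on page load and write consentCookie('accept') or consentCookie('decline') to document.cookie from the two buttons; the check in track() is what keeps the site working when nothing was loaded.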

Additional information

Besides the information above, if you collect email addresses for your newsletter, make sure you have explicit consent from the user. I would recommend using a double opt-in.

You will also have to keep a register of how you obtained that information. This can be a simple document made in Excel or Word.

There are some new components available that allow you to keep track of the users on your website and the permissions they give you. This information can also be exported, which means you don't have to keep a separate register.

Conclusion:

The above information is a guideline to get you started. There is a lot of information available, but some of it is also confusing. Once the regulations take effect the problems will surface, and hopefully some issues will become clearer. Technically, a lot has to happen to be fully compliant with the GDPR.

In the end, be clear and open about the information that you collect. Most people do not trust companies online. If you are clear with the visitors of your website, you can gain their trust and end up with new clients.

I do want to mention one more thing about the Facebook Pixel. Facebook can be the collector of the information but also the 3rd party. If you want to know more about this and you are in the Netherlands, I would recommend reading the following article.

GDPR Aandachtspuntent voor Facebook adverteerders