The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018.
Back in November, Forrester Research predicted that 80% of firms that are impacted by GDPR will not be ready to comply by May 2018. And as of February, only 26% of firms based in Europe said they were compliant.
What is the GDPR?
The EU is rolling out an aggressive policy that aims to protect the data of all of its citizens. While the harshest regulations will apply to companies with legal entities located inside of the EU, any company that processes the personal data of people who reside in the EU is impacted. And with GDPR, the customer is in charge.
This won’t be the only privacy regulation we’ll start to see governments enforcing — but since consumer perception toward compliance with these regulations is heightened, we’ll want to make our own constituents comfortable, and make sure that they know our marketing is EU-friendly.
The good news is that GDPR gives marketers the opportunity to work with IT and privacy teams to transform their organizations to be truly customer-centric. We’ve been fighting the user-centric battle for years; and this is our chance to propagate that message throughout our organizations.
How to Prepare
You have one month to evaluate, check the boxes, and confirm that you are compliant, so let’s look at the main elements of the GDPR:
- Consent: Consent language must be easy to understand, transparent, and clearly distinguishable from other matters, and users must be given the ability to withdraw consent (as well as give it).
- Breach Notification: Customers must be notified of data breaches within 72 hours.
- Right to Access: Customers have the right to know how their data is being processed and for what purpose, and customers must be able to access all data electronically.
- Right to be Forgotten: Customers have the right to have all of their personal data erased and no longer processed (including by third parties associated with the company).
- Data Portability: Customers can not only receive their data, but also transport it easily and transmit it to another company, if they choose to do so.
- Privacy by Design: Data privacy and integrity must be considered at the outset of designing any systems or processes.
- Data Protection Officers: Companies are required to appoint a DPO who understands the organization's data processing operations end to end and monitors those processes regularly.
Common definitions used in the GDPR:
- Data Controller — your organization
- Data Processor — any third-party system that captures or uses user data
What Personal Data Points are Included?
Data points include both direct and indirect information about visitors. In addition to typical user data that is provided through forms such as name or email, personal data also includes IP addresses, cookie identifiers, and GPS locations.
Make sure your privacy policy:
- Is “clear, understandable, and concise” for any website visitor to understand.
- Provides detailed information on how cookies work and how to disable them. For example, “You can prevent your browser from accepting new cookies, have the browser notify you when you receive a new cookie, or disable cookies altogether by accessing your browser’s preferences menu.”
- Can be accessed on every page of your website and via organic search.
We really like this example from Pinterest; the updated policy is clear, direct, and doesn’t force you to use a dictionary.
A cookie consent notification is not necessarily required, but it is not a bad idea.
Cookielaw.org provides us with a few models for cookie law consent, including:
- Explicit Consent: Provides the user with the option to opt-in to cookies or opt-out.
- Soft Opt-In: Informs the user that cookies are being used, and a user affirms by accepting or dismissing the message.
OHO recommends one of three options to be applied to your website:
Option 3 (Explicit Consent): As easy as it is to opt website visitors into cookies, you can also give them a means to opt out. Either provide instructions immediately in the notification (such as a link to instructions on disabling cookies in the browser), or provide a call-to-action to “disable” or “decline” cookies. The latter is a bit more complex, but it ensures that you are providing your visitors with a clear way to turn off cookies.
Bonus: Consider only displaying the notification if a visitor is accessing the website from a country within the EU.
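As an added example (not from the original post or from OHO), here is the gating logic behind an explicit-consent notification of the kind Option 3 describes: non-essential cookies are set only after the visitor opts in, and the “decline” action deletes them rather than merely hiding the banner. The cookie names and the in-memory cookie jar are assumptions for the example; in a browser the jar would wrap document.cookie.

```javascript
// Added example: explicit-consent gate for an "Option 3" cookie notification.
// Non-essential cookies are only written after opt-in; decline/withdraw purges them.
// The cookie jar is injected so the logic also runs outside a browser (Node.js).

const CONSENT_COOKIE = 'cookie_consent';                // assumed cookie name
const ESSENTIAL = new Set([CONSENT_COOKIE, 'session']); // assumed essential cookies

class ConsentGate {
  // jar: { get(name) -> value|undefined, set(name, value), remove(name), names() -> [names] }
  constructor(jar) { this.jar = jar; }

  // Current decision: 'granted', 'declined', or null when the visitor has not answered yet.
  status() {
    const v = this.jar.get(CONSENT_COOKIE);
    return v === 'granted' || v === 'declined' ? v : null;
  }

  // The notification stays visible until the visitor makes an explicit choice.
  shouldShowNotice() { return this.status() === null; }

  // Opt-in: record the decision, then run the trackers that were deferred until now.
  grant(loaders) {
    this.jar.set(CONSENT_COOKIE, 'granted');
    loaders.forEach((load) => load(this));
  }

  // Opt-out / withdraw: record the decision and remove every non-essential cookie,
  // so "decline" actually turns tracking cookies off. Returns the names removed.
  decline() {
    this.jar.set(CONSENT_COOKIE, 'declined');
    const removed = [];
    for (const name of this.jar.names()) {
      if (!ESSENTIAL.has(name)) { this.jar.remove(name); removed.push(name); }
    }
    return removed;
  }

  // Trackers call this instead of writing cookies directly; refused until opt-in.
  setTrackingCookie(name, value) {
    if (this.status() !== 'granted') return false;
    this.jar.set(name, value);
    return true;
  }
}

// In-memory jar constructed for the example; a browser build would back it with document.cookie.
function memoryJar() {
  const m = new Map();
  return { get: (k) => m.get(k), set: (k, v) => m.set(k, v),
           remove: (k) => m.delete(k), names: () => [...m.keys()] };
}
```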
What Other Tasks Can Marketers Complete Now?
- Update Google Analytics:
  - Sign Google Analytics’ Data Processing Amendment.
  - Make sure your URLs do not include Personally Identifiable Information (PII).
  - Turn on IP Anonymization within Settings.
  - Stay up to date on Google’s compliance practices.
- Review privacy notices at every data collection point about how to opt out. The regulation states that “it must be as easy to withdraw consent as it is to give it.”
- Publicly communicate policies around retention and removal of customer data.
- Ensure that your site is secure.
Other Projects To Consider
As you adjust your site to ensure it complies with GDPR, consider using this as an opportunity to take a step back and kick off the following projects:
- Audit all digital data processes.
- Map all sources of digital data and ensure they unite into a single profile, especially since customers can ask to access this profile.
  - What data is held? Where did it come from? How is it collected? With whom is it shared? What third-party tools and tags are you using?
- Always think of ways to optimize the user experience.
- Our friends at Siteimprove developed a quiz and guide to help you evaluate your site’s readiness for GDPR.
- Cookiebot offers a free scan of your website’s compliance with GDPR.
- Consent Managers:
- Official GDPR Resources: