GDPR: When do you need to comply?

A little late to the party, I know. And what a party it was! Everyone was talking about it. The General Data Protection Regulation, or GDPR, came into effect across the EU on May 25th but it’s effective the world over. Let’s talk about it.

GDPR? Yeah, I’ve heard of that!

I’m not going to bore you with all of the details of what GDPR is. You’ve probably already heard it all. And I’m not going to upsell you on my GDPR compliance services. The truth is, a lot of sites don’t really need it. But most will want it. So I’m going to focus on what you need to comply with and why, as well as how I’ve been handling it.

There are two key points though to bear in mind:

  1. This is about personal data, which typically means anything that can be used to identify an individual.
  2. GDPR enforces rules about how consent may be granted.

What is personal data?

Strictly speaking, personal data is that information which can be used to identify a specific person. In general, it only becomes useful in that respect when combined. So the surname Smith doesn’t necessarily constitute such data, but combine it with an address and store a Mr. Smith living at 123 Fake Street and you’ve got enough to identify an individual.

Recent changes to the law have made even broader information protected data. So IP addresses, even dynamic ones which change constantly, are now considered personal data across Europe. That presents a bit of a problem if you want to track the use of your website through an analytics service.

It also means that if you are taking visitor information via a contact or subscription form, such as a name, email address or phone number, you need to comply and you need to get your users’ consent.

It’s nothing personal

So if you’re taking on subscribers or contacts, you probably need to make your site GDPR compliant. But there are ways to reduce your obligations when collecting data for analytics.

Any time anybody visits your website, their IP address is exposed. A basic website might do nothing with that information, but a lot rely on Google Analytics and other services to analyse their traffic. In this case, the IP address is sent to your analytics provider. These providers will store information allowing for detailed overviews of traffic and behaviour, and with IP addresses considered personal data that means extra care is required in handling that data.

Graciously, Google offer an IP anonymisation option with their analytics solution. This anonymises the personal data of your visitors at the earliest possible time, so that no identifying information is stored. It’s good practice, and likely to become standard. But it doesn’t mitigate the problem entirely; the user’s IP is still transferred to a third party in the first instance. Even though it will be anonymised, it isn’t at the point of transfer. So we still need to gain our users’ consent.

You’ve probably been familiar with cookie notices for a long time. They’re not new, but they’re changing in a big way. This is down to what now constitutes consent in EU law. It is defined as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

This means that your cookie notice needs to be prominently placed, it needs to be persistent, and it must state in no uncertain terms what your usage of cookies and user data is. Take a read of mine:

“We serve cookies on this site to analyse traffic, remember your preferences, and optimise your experience.”

The notice is concise but clear in its intent; it’s also prominently visible on both desktop and mobile, and it persists until acknowledged on every page refresh. This is sufficient for my case, where no personal information is stored unless you take other clear, affirmative actions such as chatting with ThomBot or submitting a contact or subscription form.

The notice also links to my privacy policy, provided by the excellent Iubenda which is also linked to in the site footer.

But your site might well do more; it may store user data or use cookies completely differently. And your company size may also exceed the 250-employee limit constituting an SME, for which limited exemptions apply. In this case, you need cookie control and preferences and the capability to opt in and out. Your users have the right to be forgotten.

For cookie preference management and opt-in/out functions there are now a ton of options (GDPR really drove up business!), but one of my favourites is CookieBot.
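As an added example (not from the original post, and not the code of CookieBot, Iubenda or Google), here is the mechanism those tools wrap in its simplest form: the analytics script is injected only after the visitor has consented, the configuration turns on Google’s IP anonymisation, and withdrawing consent records the denial and expires the Google Analytics cookies. The cookie name and the property id are assumed placeholders.

```javascript
// Added example, not from the original post: gtag.js is injected only after consent,
// its config turns on anonymize_ip, and withdrawal expires the GA cookies.
const CONSENT_COOKIE = 'cookie_consent';  // assumed cookie name
const GA_PROPERTY_ID = 'UA-XXXXXXXX-1';   // placeholder, not a real property id

// Parse a document.cookie string into an object (pure, so it runs offline).
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) out[name] = decodeURIComponent(rest.join('='));
  }
  return out;
}

// 'granted' or 'denied' once a choice is recorded, else 'unset'. Unset is treated
// like denial: nothing is sent before a clear affirmative action.
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'granted' || value === 'denied' ? value : 'unset';
}

// The gtag config to apply, or null when analytics must not load at all.
function analyticsConfig(state) {
  return state === 'granted' ? { property: GA_PROPERTY_ID, anonymize_ip: true } : null;
}

// Cookies to write on withdrawal: record the denial and expire _ga and _gid,
// the identifiers Google Analytics keeps in the visitor's browser.
function withdrawalCookies() {
  const expired = '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
  return [CONSENT_COOKIE + '=denied; path=/; max-age=31536000; SameSite=Lax',
          '_ga' + expired, '_gid' + expired];
}

// Browser-only glue; returns true if analytics was loaded. Guarded so the pure
// functions above can also run under Node.
function loadAnalyticsIfConsented() {
  if (typeof document === 'undefined') return false;
  const cfg = analyticsConfig(consentState(document.cookie));
  if (!cfg) return false;
  const script = document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + cfg.property;
  document.head.appendChild(script);
  window.dataLayer = window.dataLayer || [];
  window.gtag = function () { window.dataLayer.push(arguments); };
  window.gtag('js', new Date());
  window.gtag('config', cfg.property, { anonymize_ip: cfg.anonymize_ip });
  return true;
}
```

The withdrawal strings are meant to be assigned to `document.cookie` one by one when the visitor opts out; the `loadAnalyticsIfConsented` call belongs on every page load, after the notice has been acknowledged.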

There’s a lot more to consider both online and off, but we’re not here to get into that. For consultation on the matter, speak to your web developers and legal advisors (for implementation and counsel respectively). And for more from me, subscribe or just stay tuned. I promise to forget you if you ask.
