It seems like all the commotion around the GDPR (General Data Protection Regulation) has passed and it’s now become old news nobody gets too excited about. Undeniably, media has the power to create urgency and put a spotlight on major events and current issues, but this doesn’t mean that once the topic stops being in public focus – it stops being significant overall.
Put shortly: not talking about it does not make it go away.
The GDPR came into effect on the 25th of May, 2018, and it brought historic changes in the field of data privacy and protection. The previous data protection directive from 1995 had become outdated, especially due to rapid digitization and increasingly sophisticated marketing and advertising tactics, so it was necessary to tighten the security standard and ensure the law reflects the way the world has developed.
Whether you’re a business owner or an independent blogger, if you handle data from the EU citizens – you need to ensure all your activities comply with the GDPR.
The GDPR: Overview of Changes it Brought
The most important things the GDPR brought are:
- Greater legal responsibility (for both data collectors and data processors)
- More power to users so they have full control over their own data
- A new definition of what counts as personal data (in addition to personal names, bank accounts, photos, and social security numbers, this now includes IP addresses, geolocation, economic status, biometric data and, basically, anything that can be used to uniquely identify a certain person)
Businesses and organizations have to be completely transparent about the way they collect data and the reason they do it. User consent is now mandatory and opt-ins have to be crystal clear, so that a person who agrees to share her data knows exactly what she is giving consent to. In addition, each consent is valid only for a single purpose.
Under the GDPR, users have the right to access their personal data records (defined as the right to access), request a deletion of these (the right to be forgotten), or demand their data gets transferred to some other entity.
In addition, the GDPR has a much larger territorial scope, given that it applies worldwide: every business and organization that handles data of EU citizens has to comply. Since it is highly unlikely to have no contact at all with the EU, the GDPR has effectively set a new global standard for data privacy and protection.
Now, let's move on to assessing what you have done so far to make your website GDPR compliant, so you can address anything you may have overlooked in the last few months.
If it applies to your case, you can openly state that you won't collect personal data unless it is necessary to provide a certain service. For instance, if you run an e-commerce business, users need to leave their personal information in order to make a purchase; this falls under the legitimate interest as defined in the GDPR.
Create Clear Opt-ins
Most bloggers and businesses collect email addresses in order to build a list of subscribers and deliver newsletters and promotional emails directly to their prospects' inboxes. In the age of personalization, tracking software and cookie data fuel marketing strategies that try to treat each customer as a unique individual.
However, the GDPR has raised the bar in terms of what counts as user consent.
As stated in Article 32 of the official GDPR document:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. […]
This means you have to design your opt-in forms so that they are fully transparent: be open about the reason you are asking for consent, ask for it separately for each purpose, and never pre-tick the box. The tricky part is that users will continue to expect personalized experiences while becoming more cautious about sharing their personal data. With effective copy and clear, user-friendly visual design, you can educate users about how they benefit from sharing their data and work on building digital trust.
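The following is an added example, not code from the original article, showing how the consent rules quoted above translate into form handling: one unchecked box per purpose, an explicit tick as the only thing that counts as consent, and a record of what wording the person agreed to and when. The purpose names, form field names and the policy version string are assumptions made for this example.

```javascript
// Added example (not from the original article): building a GDPR-style consent
// record from an opt-in form submission. Purpose ids, field names and the
// policy version string are assumptions made for this example.

// Each purpose the site asks consent for, with its own checkbox.
// `defaultChecked: false` documents that no box is pre-ticked.
const CONSENT_PURPOSES = [
  { id: "newsletter", label: "Send me the weekly newsletter", defaultChecked: false },
  { id: "analytics",  label: "Allow usage analytics on this site", defaultChecked: false },
  { id: "partners",   label: "Share my email with selected partners", defaultChecked: false },
];

// Version of the consent wording shown to the user; stored with the record so a
// later audit can show exactly which text the person agreed to (assumed value).
const POLICY_VERSION = "2018-05-25-v1";

// Validate the purpose definitions themselves: a pre-ticked box is not consent.
function assertNoPreTickedBoxes(purposes) {
  for (const p of purposes) {
    if (p.defaultChecked) {
      throw new Error(`purpose "${p.id}" must not be pre-ticked`);
    }
  }
  return true;
}

// Turn a submitted form (object of field -> value) into a consent record.
// `now` is injected so the timestamp is reproducible in tests. One entry is
// produced per purpose, marked granted only when that purpose's box was ticked.
function buildConsentRecord(form, now = new Date()) {
  assertNoPreTickedBoxes(CONSENT_PURPOSES);
  const email = typeof form.email === "string" ? form.email.trim() : "";
  if (!email) {
    throw new Error("email is required to store a consent record");
  }
  const purposes = CONSENT_PURPOSES.map((p) => ({
    purpose: p.id,
    // A ticked HTML checkbox submits "on"; an unticked one is absent from the
    // submission. Anything other than "on" (silence, inactivity) is no consent.
    granted: form[`consent_${p.id}`] === "on",
    wording: p.label,
  }));
  return {
    email,
    policyVersion: POLICY_VERSION,
    timestamp: now.toISOString(),
    purposes,
  };
}

// Check the record before carrying out a specific processing activity.
function hasConsentFor(record, purposeId) {
  const entry = record.purposes.find((p) => p.purpose === purposeId);
  return Boolean(entry && entry.granted);
}

// Constructed sample submission: the user ticked only the newsletter box.
const sampleSubmission = { email: "  reader@example.com ", consent_newsletter: "on" };
const sampleRecord = buildConsentRecord(sampleSubmission, new Date("2018-06-01T12:00:00Z"));
console.log(JSON.stringify(sampleRecord, null, 2));
```

The design point is that consent is stored per purpose rather than as one flag, so a later request to stop one kind of processing (or a right-to-access request) can be answered from the record without guessing what the person originally agreed to.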
Check Your Website Plugins and Any Third Parties Involved
Most webmasters use Google Analytics to measure the performance of their blog posts and web pages and to track conversions, traffic, audience behavior, and so on. Luckily, Google has made it easy to configure GA so that it complies with the GDPR, by offering plenty of resources and useful information on the topic and by making changes to the tracking software so that users can comply with the GDPR with just a few simple adjustments.
If you have been actively collecting data for marketing purposes or any other purpose that doesn't fall under legitimate interest, here is what you need to do:
- Run a full data audit in order to pinpoint any personal data you have collected
- Turn on IP anonymization (since IP addresses are now considered personal data, you need to enable GA's IP address anonymization feature)
- Check whether your GA setup uses pseudonymous identifiers (pseudonymized data still falls under the GDPR; keep in mind that Google supports User ID/Client ID deletion)
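The IP anonymization step above is a one-line setting in GA itself (the `anonymize_ip: true` config parameter in gtag.js, or `ga('set', 'anonymizeIp', true)` in analytics.js). Google documents that feature as zeroing the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses. The block below is an added example, not Google's or the article's code, that applies the same truncation to your own server-side access logs, which GA's setting does not cover; the log lines are constructed for the example.

```javascript
// Added example (not the article's or Google's code): truncate client IP
// addresses before they are stored, mirroring Google Analytics' documented
// IP anonymization (last octet of IPv4 and last 80 bits of IPv6 set to zero).

// Expand an IPv6 textual address into eight 16-bit groups (handles "::").
function expandIPv6(addr) {
  const halves = addr.split("::");
  if (halves.length > 2) throw new Error("invalid IPv6: multiple '::'");
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error("invalid IPv6 group count");
  }
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  return groups.map((g) => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`invalid IPv6 group: ${g}`);
    return parseInt(g, 16);
  });
}

// IPv4: keep the first three octets, zero the last one.
function anonymizeIPv4(addr) {
  const parts = addr.split(".");
  if (parts.length !== 4) throw new Error("invalid IPv4");
  const octets = parts.map((p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid octet: ${p}`);
    return Number(p);
  });
  octets[3] = 0;
  return octets.join(".");
}

// IPv6: keep the first 48 bits (three groups), zero the remaining 80 bits.
// The trailing "::" compresses the five zeroed groups.
function anonymizeIPv6(addr) {
  const groups = expandIPv6(addr);
  const kept = groups.slice(0, 3).map((g) => g.toString(16));
  return kept.join(":") + "::";
}

// Dispatch on address family.
function anonymizeIP(addr) {
  return addr.includes(":") ? anonymizeIPv6(addr) : anonymizeIPv4(addr);
}

// Constructed sample access-log lines (common log format, client IP first).
const SAMPLE_LOG = [
  '203.0.113.42 - - [01/Jun/2018:12:00:00 +0000] "GET /blog HTTP/1.1" 200 5120',
  '2001:db8:abcd:1234:5678:9abc:def0:1 - - [01/Jun/2018:12:00:01 +0000] "GET /about HTTP/1.1" 200 2048',
];

// Replace the leading client address of a log line before it is written out.
function anonymizeLogLine(line) {
  const sp = line.indexOf(" ");
  if (sp < 0) throw new Error("malformed log line");
  return anonymizeIP(line.slice(0, sp)) + line.slice(sp);
}

for (const line of SAMPLE_LOG) {
  console.log(anonymizeLogLine(line));
}
```

Truncation happens before the line is persisted, so the full address never reaches disk; that is what makes this a data minimisation measure rather than a cleanup task for the next data audit.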
It is important to understand that it is solely your responsibility as a webmaster to review plugins and third parties' data collection software and make the necessary changes in order to comply.
Don’t Take the Easy Way Out
Many webmasters, business owners, and organizations choose to completely cut off EU citizens by denying them access to the website. They believe this outsmarts the system and avoids complying with the GDPR. However, this might not be the best practice; here is why.
Firstly, the GDPR has indeed set a global security standard, and it is likely that new data protection regulations of this kind will emerge in other parts of the world, too. It is only a matter of time before this happens, with the GDPR serving as the legal model; so ignoring EU citizens is not a smart decision, at least not if you have the broader picture in mind.
Secondly, the EU is not a small market you can disregard that easily.
Thirdly, blocking users from the EU might bring damage to your SEO. For example, if a significant number of people from the EU linked towards your content and you choose to block this traffic, you can expect higher bounce rates or a great number of links lost. In addition, you might want to think twice before actually discriminating users based solely on their location.
It is far better to take all the necessary steps and comply with the GDPR. Ultimately, the new regulation is a good thing, as it shows respect for users and gives them full control over their data. This has disrupted the data economy, since data collectors and controllers can no longer earn money from other people's data without their consent. Some companies, such as Personal Black Box, are working to open new opportunities in the data economy by creating a mutually beneficial ecosystem for both users and advertisers.
Undoubtedly, the GDPR caused headaches and panic, especially among marketers and businesses that rely heavily on user data to build growth strategies. However, it is also a significant step towards a more ethical cyberspace and more digital trust overall.
Disclaimer: This article does not offer legal advice, but merely an overview of basic steps to make one's website GDPR-compliant. Still, every website is different, so we recommend that you reach out to a legal expert for additional advice.