The General Data Protection Regulation (GDPR) has been adopted on April 14, 2016 but it wasn’t until this year that it became enforceable — on May 25, 2018, to be precise.
If you’re a bit out of the loop, GDPR is a legal framework for the collection and processing of personal data within the European Union (EU). It’s a data protection reform aiming to answer the challenges arising from new digital realities.
Adapt or Die Get Fined
Even though GDPR was announced years ago, many webmasters waited and waited until the last minute to make necessary changes.
You’d think that Internet giants like Google and Facebook would know better, yet they were among the first to be hit with privacy complaints — exposing themselves to fines that could end up totaling $8.8 billion.
What about the ones at the helm of such a big change? The European Commission is questionable at best, leaking personal data of its own citizens all over the place. According to them, the law only applies to the continent. Talk about double standards!
GDPR is a good reminder that you should plan ahead — especially when you're dealing with an ever-evolving market like the Internet. And if you can’t be bothered to adapt, at least ask someone to lend a hand because the consequences can be real nasty.
When the hammer strikes: the costs of not being compliant
GDPR is big news and as you read it earlier big corporations aren’t shielded from sanctions.
Consequences range from written warnings in first offense cases to hefty fines for subsequent faults:
- Up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
- Up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher
Individuals also have the right to seek additional compensation—so you really don’t want to be found guilty of breaching data privacy laws.
I’m an affiliate, should I bother with GDPR?
Short answer is: yes.
If you gather any of the following personal data from EU residents, pay attention even if you are based outside the European Union.
- Name
- Identification number
- Location data
- Online identifier
Here’s a definition of personal data per the European Commission: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Ergo, it’s better to be safe than sorry!
For instance, if you have a newsletter or store cookies on your website, you need to obtain explicit consent from EU visitors. This is achieved with a clear and explicit opt-in. However, consent isn’t indefinite: users must also be able to withdraw easily through a simple opt-out mechanism.
So no pre-ticked boxes, threats or vagueness if you happen to target EU consumers, which is likely no matter where you’re located.
What can I do to be compliant?
The first step is actually knowing what GDPR entails and that’s already behind you. If you wish to read more details, for instance about the scope of this regulation, go to this page.
Then, there are some measures you can take in order to be compliant. Please be advised the following advice does not convey or constitute legal advice.
Information audit
Under GDPR, it is your responsibility to disclose any and all personal information you are in possession of. Said data must be accurate: if you shared information that is no longer valid with another organization, you need to raise a flag so the records are updated. Failure to do so exposes you to penalties as part of the data protection principles.
Update your privacy notice
GDPR is a big change and requires an overhaul of your privacy notice. This public statement informs the public just how your organization processes data. It must be presented to the reader in clear and plain language, one that is transparent, concise, free and accessible.
Make sure you respect individual rights
Under the GDPR, individuals are provided with the following rights:
- The right to be informed (articles 12, 13 and 14)
- The right of data access (article 15)
- The right to rectification (article 16)
- The right to erasure or “right to be forgotten” (article 17)
- The right to restrict processing (articles 18 and 19)
- The right of data portability (article 20)
- The right to object (article 21)
- Rights related to automated individual decision-making, including profiling (article 22)
If you would like to get precise information about each article, you can consult Chapter 3 of the GDPR.
What we’ve done
Of course, CrakRevenue is no stranger to new online regulations and changes. Not too long ago, we were still figuring out the Chrome 64 puzzle, refreshing our banners to be compliant.
We prepared for GDPR a number of ways as to not wind up paying for errors that could have been prevented. Here’s 2 recent examples:
- We made minor adjustments to our Privacy Policy by adding the possibility to ask for the modification or complete removal of personal data on a case-by-case basis
- We added a new checkbox for our mail catcher on the blog (active opt-in)
What we’ve seen
Apart from our inboxes getting flooded by multiple websites almost begging us to opt-in again to their mailing lists in order to obtain explicit consent (can’t blame them), we've compiled some recent everyday examples of the new mail catchers used by webmasters today.
In this case from Creative Bloq, only a checkbox was added with a clear mention of what you’re getting by subscribing to their newsletter.
In this rather extreme example, webmasters went out of their way to not only obtain explicit consent, but also segment their users based off their interests. A lengthy disclaimer tells everything you need to know about your personal data and how it’s being handled.
Litmus also wrote a pretty in-depth article about GDPR compliance. Above, you can see a bad example (left) of an opt-in with a pre-ticked box and a great example (right) of the same opt-in.
Playing by the rules
If you need help setting up your sites for GDPR compliance, thankfully there’s some popular tools available that can help with that transition.
One such option is MailChimp, powerful mailing software with newly updated forms and segments. Perfect for your newsletter needs!
Running a WordPress site? Try downloading the GDPR plugin for free. It’s extremely useful in creating pages required to be compliant with the new regulation. Here’s a brief overview of its features:
- Consent Management
- Cookie Preference Management
- Rights to Erasure
- Right to Access
- Right to Portability
- Encrypted Audit Logs
- Data Breach Notifications
- Anonymization
- Telemetry Data
If you’re using cookies, you can use any of the free tools recommended by Google that add a consensual component (and function) to your website.
And while we’re on the subject of Google, Analytics offers IP Anonymization at the earliest stage of the collection network:
Finally, the multinational technology company lets you protect sensitive data with its cloud data loss prevention API!
Is GDPR bad for business?
Not really.
Tightened data regulations isn't the worst thing in the world ... because at the end of the day, your database of users will be all the more accurate and valid — with people actively looking forward to your updates.
On the downside, you may need to fork some money out to be compliant. Depending on the size of your business, it can be a significant investment. While for entities such as Facebook these costs are a drop in the bucket, the same can’t be said for average Joes.
The real question mark is about how the regulation will be enforced, especially in countries outside Europe. Will they be held to the same standards as EU member states? Also worrying is the incredible amount of bureaucracy involved with hundreds of companies all looking to dodge potential fines and become GDPR-compliant, sometimes spending fortunes to achieve just that.
What do YOU think about the newest regulation? Does it feel any different for you? What steps did you take to become compliant? Feel free to share your experience below!