Over the last few months we have had several clients ask about the GDPR and how the new regulation will affect their company and their website. With a lot of confusing and conflicting information out there, we have put together a short list of the key requirements for small businesses that have websites, and what should be changed to work towards compliance.

Remember that if you are found to be in breach of the GDPR your company can be fined up to €20 million or 4% of your global annual turnover, whichever is higher.
Here are the main things you need to know about GDPR:

  • The definition of 'personal data' has been expanded to include anything that would enable you to identify an individual.
  • The law reinforces an individual's protection and rights surrounding consent and access to personal data.
  • Service providers and subcontractors can now be held accountable.
  • Businesses are required to clearly communicate to customers how they plan to use their personal data.
  • Businesses must also be transparent about customers' rights to access their personal data and to request its rectification, its erasure, or the restriction of its processing.
  • Customers should be able to easily cancel their consent and request the erasure of their personal data as quickly as possible.
  • Businesses must put preventative measures in place to protect customer data.
  • Businesses must report a personal data breach to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, and must inform the affected customers when the breach is likely to result in a high risk to them.
The Question: How did you obtain your customers' personal data? Did they agree to its use?

First, it is important that you understand and record what 'personal data' you hold as a business, how it was captured, how it is held, how you use it, and where it is going. The GDPR defines 'personal data' as any information relating to an identified or identifiable natural person. As well as obvious personal data such as names, email addresses, phone numbers and postal addresses, this covers online identifiers such as IP addresses and device IDs, location data, and genetic and biometric data.

Scenario: after 25th May 2018, if you were asked in a court of law, or by the regulator, how you obtained a customer's personal data, you should be able to prove it. Did the customer opt in via a website? Did they visit your premises or store and opt in by signing something? If the customer made a telephone enquiry and left their email address, did they consent to joining a mailing list?

Email Marketing & Website Form Opt-In

Consequences of the GDPR for email marketing: the main thing for email marketers to keep in mind is that the GDPR brings a stricter definition of consent, or in email marketing parlance, of opting in.
Consent to the processing of personal data must be "freely given" in the form of a clear "affirmative action."
In other words, opting in is to be taken very literally under the GDPR.
Additionally, businesses carry the burden of proving that a contact affirmatively opted in, so the evidence (when, where and to what wording they agreed) needs to be recorded at the time.
Passive opt-ins and opt-outs are no longer allowed.

  • Passive opt-in: The roundabout process of acquiring contact information that involves making opt-in the 'default.' An example would be having a pre-checked box that a user would have to uncheck if they do not want to give consent.
  • Opt-out: The process of adding customers to a contact list without their consent after they sign up for a different service. The contact is then required to unsubscribe if they don’t want to be on that list.
  • Opt-in: The process of gathering contact information in which the contact freely and willingly gives affirmative consent to the handling of their personal data. This usually comes in the form of a box that the contact must check in order to opt-in.

Following this new definition of opting in, you’re no longer allowed to use email addresses that you collected through a passive opt-in or opt-out process. Consent must be freely and explicitly received from the contact or customer through an affirmative action. This means that you can only legally use lists that are 100% opt-in - and only if you can prove that those contacts actually provided their consent.

Existing DigitalFlare Client? - We are happy to check all forms on your website and advise if you have Passive opt-in or Opt-out forms. In such circumstances, we can change these forms to ensure you conform to GDPR practices.

Is re-consent required for my existing database?

One of the questions we’ve most commonly been asked in recent months is 'does the GDPR mean we have to get fresh consents from our entire marketing database?' In many cases, the answer is 'no' - though the explanation for this is not all that straightforward. We suggest you read the following articles which offer a greater understanding of this and will allow you to draw your own conclusions:

We always advise you seek your own independent legal advice on such matters as circumstances will be unique to every company. However, if your data has not been collected consistently with post-GDPR requirements then we (DigitalFlare Ltd) would advise you request re-consent from your existing contacts.

Existing DigitalFlare Client? - If you decide that re-consent is the best way forward and you are an existing client, we can help with this process and can send new consents to your database for you.

If you use a mail system such as “MailChimp” or “SendInBlue” to send newsletters and you would like to do this yourself the following articles will help:

'Mail Chimp' GDPR Consent Collection
'Send In Blue' GDPR Consent Collection
'Send Grid' Reconfirmation

Does your website use Cookies?

Most websites use cookies, small text files stored in the visitor's browser, to hold information between page views. Some cookies are 'essential' to the website's function (for example the shopping basket on an eCommerce site), but there are also non-essential cookies, such as analytics and advertising cookies set by third parties.

If your website sets cookies, your visitors must be told (this requirement comes from the ePrivacy Directive, which sits alongside the GDPR) and it is also important to explain what each cookie does. Most businesses explain their use of cookies inside the Privacy Policy. In addition to that written notice, we recommend installing a website notification bar so that visitors see the cookie notice in a more obvious way.

BBC Cookie Notice (screenshot)

GOV.UK Cookie Notice (screenshot)

Existing DigitalFlare Client? - We are happy to check for any cookies and add details of such to your Privacy Policy. We will also be able to display a notification about cookies that customers must accept if they wish to hide the notification and continue using the website.

Do you use Google Analytics?

Under the GDPR, if you use Google Analytics, you should first make visitors aware of it, in your Privacy Policy. Secondly, as with the Cookie Policy, we recommend that you clearly notify users of its use and offer them a way to switch Analytics off.

On a secondary note, any data that is sent to Google should not contain PII (personally identifiable information), meaning data that can be traced back to an individual. The most common way this happens is an email address or name ending up in a page URL, for example a "thank you" page that carries the submitted details in its query string. This is best explained here: www.craftedatom.com/is-your-google-analytics-gdpr-compliant/

Existing DigitalFlare Client? - We would recommend reviewing your Privacy Policy to ensure you mention the use of Google Analytics (or any other 3rd party tracking software). In addition, it is worth installing a website notification bar to ensure customers are made aware of the use of Google Analytics and your privacy rules. Finally, if you are sending Google any PII this should be prevented. This may include enabling IP Anonymisation.

The above rules also apply to other 3rd party tracking software, not just Analytics.
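Putting the three Analytics points together (tell the visitor, let them switch it off, send no PII), the following is an added example written for this page, not DigitalFlare's or Google's code. It assumes a Universal Analytics property (the 'UA-XXXXXX-Y' ID is a placeholder), a consent cookie named analytics_consent that your own banner sets to "granted" or "denied" (an assumed name), and a list of query parameters that carry PII on your site, which you would extend. The anonymize_ip setting and the per-property 'ga-disable-<ID>' window flag are Google's documented mechanisms; everything else is illustration.

```javascript
// Universal Analytics property ID: placeholder, substitute your own.
const GA_PROPERTY_ID = 'UA-XXXXXX-Y';
// Name of the cookie your consent banner writes (assumed for this example).
const CONSENT_COOKIE = 'analytics_consent';

// Parses a Cookie header or document.cookie string into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    if (key) out[key] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decides, from the visitor's cookies alone, whether Analytics may run.
// No cookie means no decision yet, which is treated the same as a refusal.
function analyticsDecision(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (value === 'granted') {
    // anonymize_ip makes Google drop the last octet (IPv4) / last 80 bits (IPv6)
    // before the address is stored.
    return { load: true, config: { anonymize_ip: true } };
  }
  // Google's documented opt-out flag: with window[flag] = true, analytics.js and
  // gtag.js send no hits for this property even if the library loads by another path.
  return { load: false, disableFlag: 'ga-disable-' + GA_PROPERTY_ID };
}

// Query parameters that commonly carry PII into page_path reports; extend for your site.
const PII_PARAMS = new Set(['email', 'e', 'name', 'phone', 'tel', 'postcode', 'token']);
const EMAIL_LIKE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns the path and query to report, with PII-bearing values replaced by "redacted".
// Parameters are caught either by name or because the value itself looks like an email.
function scrubPagePath(url) {
  const u = new URL(url, 'https://placeholder.invalid');
  for (const [key, value] of [...u.searchParams]) {
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_LIKE.test(value)) {
      u.searchParams.set(key, 'redacted');
    }
  }
  return u.pathname + u.search;
}

// Browser-only wiring: runs when the file is included in a page, skipped under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const decision = analyticsDecision(document.cookie);
  if (!decision.load) {
    window[decision.disableFlag] = true;
  } else {
    window.dataLayer = window.dataLayer || [];
    window.gtag = function () { window.dataLayer.push(arguments); };
    window.gtag('js', new Date());
    window.gtag('config', GA_PROPERTY_ID, {
      ...decision.config,
      page_path: scrubPagePath(window.location.href), // never the raw URL
    });
    const script = document.createElement('script');
    script.async = true;
    script.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_PROPERTY_ID;
    document.head.appendChild(script);
  }
}
```

Loading the gtag.js script only after consent is what keeps Google's cookies off the browser of a visitor who has not agreed; the disable flag is a second line of defence for pages that still include the old snippet. The same gating pattern applies to any other 3rd party tracking script.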

Website Security and GDPR

New data protection rules put more emphasis on online security. Data submitted through your website (contact forms, logins, checkout) should be encrypted in transit so that it cannot be read or tampered with on its way to your server. That means serving the whole site over HTTPS: installing a TLS certificate (still commonly called an SSL certificate) and redirecting every http:// request to https://, so ask your web developer to assist if you do not have this already. If you are unsure whether your site has a certificate, look at the address bar of your browser when visiting your site: the address should begin with https:// and there should be a padlock symbol with a message stating that the connection is secure. If this is not present, get in touch with your web developer. Bear in mind that HTTPS protects data only while it travels between the browser and the server; it does nothing for data once it is stored, so it is a minimum rather than the whole of the GDPR's "appropriate technical and organisational measures".

In addition to HTTPS, under the GDPR you must be able to demonstrate data protection by design and by default. This can change everything from how you design databases (what you collect, and how long you keep it) to who gets access to the data.

Existing DigitalFlare Client? - We can install an SSL certificate on your website if you do not have one. We can also advise you about individual security measures that you have in place on your website and provide details about the security of your hosting package.

Please note: The above points just outline a few of the rules that are required to be GDPR compliant, but remember it isn’t only your website that needs to be compliant.

The content of this web page is a commentary on the GDPR, as DigitalFlare interprets it, as of the date of publication. This content is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your company. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.