Over the last few months, several clients have enquired about GDPR and how the new regulations will affect their company and website. With lots of confusing and conflicting information, we have compiled a short list of the critical requirements for small businesses with websites and what should be changed to work towards compliance.

Remember, if you are found to be in breach of GDPR, your company can be fined up to €20 million or 4% of your global annual turnover, whichever is higher.
Here are the main things you need to know about GDPR:

  • The definition of 'personal data' has been expanded to include anything enabling you to identify an individual.
  • The law reinforces an individual's protection and rights surrounding consent and access to personal data.
  • Service providers and subcontractors can now be held accountable.
  • Businesses must communicate to customers how they plan to use their data.
  • Businesses must also be transparent about customers' rights to request the restriction of processing, rectification, or erasure of their data.
  • Customers should be able to easily cancel their consent and request the erasure of their data as quickly as possible.
  • Businesses must put preventative measures in place to protect customer data.
  • Businesses must report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and must inform the affected customers without undue delay when the breach is likely to put them at high risk.
The Question: How did you obtain your customers' data? Did they agree to its use?

First, you must understand and record what 'personal data' you hold as a business, how it was captured, how it is held, how you use it, and where it is going. The GDPR defines 'personal data' as any information relating to an identifiable person. As well as obvious personal data such as email addresses, phone numbers and postal addresses, the GDPR includes IP addresses, device IDs, location data and genetic/biometric data.

Scenario: post 25th May 2018 - if you were asked in a court of law to prove how you obtained a customer's data, you should be able to do so. Did the customer opt in via a website? Did they visit your premises/store and opt in by signing something? If the customer made a telephone enquiry and left their email, did they consent to join a mailing list?

Email Marketing & Website Form Opt-In

Consequences of the GDPR for email marketing: the main thing for email marketers to remember is the GDPR's stricter standard for consent or, in email marketing parlance, opting in.
Consent to process personal data must be "freely given" through an explicit "affirmative action". In other words, opting in is to be taken very literally under the GDPR.
Additionally, the burden is on the business to prove that a contact affirmatively opted in.
Passive opt-ins and opt-outs are no longer acceptable.

  • Passive opt-in: acquiring contact details by making opt-in the default, for example a pre-ticked box that users must untick if they do not want to consent.
  • Opt-out: adding customers to a contact list without their consent after they sign up for a different service; the contact must then unsubscribe if they do not want to be on that list.
  • Opt-in: gathering contact details only when the contact freely and willingly consents to the handling of their data. This usually takes the form of an unticked box that the contact must tick to opt in.

Following this definition of opting in, you can no longer use email addresses collected through a passive or opt-out process. Consent must be freely and explicitly given by the contact or customer through affirmative action. This means you can only legally use lists that are 100% opt-in, and only if you can prove that those contacts gave their consent.
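The two practical points above, that a consent box must not be pre-ticked and that the business must be able to prove the opt-in later, can both be enforced in the code behind a website form. The following is an added example written for this page, not DigitalFlare's code or any mailing provider's API. The field names (consent_marketing, email), the consent metadata shape and the sample form are assumptions for illustration; adapt them to your own forms.

```javascript
// Added example, not DigitalFlare's code: enforcing an affirmative opt-in on
// a website form and producing the evidence record needed to prove it later.
// Field names (consent_marketing, email) and the metadata shape are
// assumptions for illustration.

// Values a browser can submit for a ticked checkbox. An unticked checkbox is
// omitted from the submission entirely, so "field absent" means no consent.
const AFFIRMATIVE = new Set(['on', 'yes', 'true', '1']);

// Audit form markup for consent checkboxes that are pre-ticked (passive
// opt-in). Returns the names of the offending inputs.
function findPreCheckedConsentBoxes(html) {
  const found = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/type\s*=\s*["']?checkbox/i.test(tag)) continue;
    if (!/\schecked(?=[\s>\/=])/i.test(tag)) continue;
    const name = (tag.match(/\sname\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || '(unnamed)';
    if (/consent|newsletter|marketing|opt-?in/i.test(name)) found.push(name);
  }
  return found;
}

// Turn a submitted form body into a consent record, or throw if the contact
// did not affirmatively opt in. Nothing reaches the mailing list by default.
function buildConsentRecord(body, meta) {
  const tick = body.consent_marketing;
  if (tick === undefined || !AFFIRMATIVE.has(String(tick).trim().toLowerCase())) {
    throw new Error('no affirmative opt-in: contact not added');
  }
  const email = String(body.email || '').trim().toLowerCase();
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    throw new Error('invalid email address');
  }
  return {
    email,
    consented: true,
    consentText: meta.consentText,        // the exact wording the user ticked
    consentVersion: meta.consentVersion,  // lets later wording changes be traced
    source: meta.source,                  // e.g. "website footer form"
    formId: meta.formId,
    recordedAt: meta.now.toISOString(),   // clock injected so it can be tested
  };
}

// Constructed sample inputs (not real client data) so the example runs offline.
const SAMPLE_FORM_HTML = [
  '<form method="post" action="/subscribe">',
  '  <input type="email" name="email">',
  '  <input type="checkbox" name="consent_marketing" checked> Send me offers',
  '  <input type="checkbox" name="terms"> I accept the terms',
  '</form>',
].join('\n');

const SAMPLE_META = {
  consentText: 'Send me offers',
  consentVersion: '2018-05',
  source: 'website footer form',
  formId: 'newsletter-footer',
  now: new Date('2018-05-25T09:00:00Z'),
};

// findPreCheckedConsentBoxes(SAMPLE_FORM_HTML) flags "consent_marketing";
// buildConsentRecord({ email: 'jane@example.com' }, SAMPLE_META) throws
// because the box was never ticked.
```

The record stores the exact consent wording and its version alongside the timestamp and form identifier, because "we had a tick box" is not proof; "this person ticked this sentence on this form at this time" is. Keep the record for as long as you keep the contact.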

Existing DigitalFlare Client? - We are happy to check all forms on your website and advise if you have Passive opt-in or Opt-out forms. In such circumstances, we can change these forms to ensure you conform to GDPR practices.

Is re-consent required for my existing database?

One of the questions we've been asked most often in recent months is, 'Does the GDPR mean we have to get fresh consent from our entire marketing database?' In many cases the answer is 'no', though the explanation is not all that straightforward. We suggest you read the following articles, which offer a greater understanding of this and will allow you to draw your own conclusions:

We always advise you to seek independent legal advice on such matters, as circumstances will be unique to every company. However, if your data has not been collected in a manner consistent with the GDPR's requirements, we (DigitalFlare Ltd) advise you to request re-consent from your existing contacts.

Existing DigitalFlare Client? - If you decide that re-consent is the best way forward and are an existing client, we can help with this process and send new consents to your databases.

If you use a mailing system such as MailChimp or SendInBlue to send newsletters and would like to do this yourself, the following articles will help:

'Mail Chimp' GDPR Consent Collection
'Send In Blue' GDPR Consent Collection
'Send Grid' Reconfirmation

Does your website use Cookies?

Over 90% of websites store small data files called cookies in visitors' web browsers. Some cookies are 'essential' to the website's function (for example the shopping basket on an eCommerce site), but there are also non-essential cookies, such as those set by advertisers or other third parties.

If your website sets cookies, your visitors must be told (this requirement comes from the ePrivacy Directive rather than the GDPR itself), and it is important to explain what each cookie does. Most businesses explain their use of cookies inside the Privacy Policy. In addition to that, we recommend installing a notification bar so that the cookie information is put in front of visitors rather than buried in a policy page.

BBC Cookie Notice (screenshot: BBC Cookies)

GOV.UK Cookie Notice (screenshot: GOV.UK Cookie Warning Example)

Existing DigitalFlare Client? - We are happy to check which cookies your site sets and add the details to your Privacy Policy. We can also display a notification about cookies that visitors must accept if they wish to hide the message and continue using the website.

Do you use Google Analytics?

Under the GDPR, if you use Google Analytics you should, firstly, make visitors aware of its use; this belongs in your Privacy Policy. Secondly, as with cookies, we recommend notifying visitors that Analytics is in use and offering them a way to switch it off.

On a secondary note, any data sent to Google should not contain PII (personally identifiable information), i.e. data that can be traced back to an individual. This is explained in more detail here: www.craftedatom.com/is-your-google-analytics-gdpr-compliant/

Existing DigitalFlare Client? - We recommend reviewing your Privacy Policy to ensure it mentions Google Analytics (or any other third-party tracking software). In addition, it is worth installing a website notification bar so that visitors know Google Analytics is in use and where to find your privacy rules. Finally, if any PII is being sent to Google, this must be stopped: as a minimum, enable IP anonymisation, and check that no email addresses, names or account identifiers end up in the page URLs that Analytics records.

The same rules apply to any other third-party tracking software, not just Google Analytics.
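The three analytics points above (tell visitors, let them switch it off, and send Google no PII) come together in how the tracking snippet is loaded. The following is an added example written for this page, not DigitalFlare's code or Google's own snippet: it loads gtag.js only when a consent cookie is present, turns on IP anonymisation, and scrubs personal data out of the page URL before it is reported. The cookie name (analytics_consent), the tracking ID and the list of PII query keys are assumptions; anonymize_ip is the real gtag.js setting for Universal Analytics properties.

```javascript
// Added example, not DigitalFlare's code: load Google Analytics (gtag.js)
// only once the visitor has opted in, with IP anonymisation on, and strip
// personal data out of the page URL before it is reported. The cookie name
// "analytics_consent" and the tracking ID are placeholders (assumptions).

const CONSENT_COOKIE = 'analytics_consent';
// Query-string keys that commonly carry personal data (assumed list; extend
// it from your own forms and email links).
const PII_QUERY_KEYS = new Set(['email', 'e', 'name', 'phone', 'tel', 'user', 'token']);
const EMAIL_RE = /[^\/?&=\s]+@[^\/?&=\s]+\.[a-z]{2,}/gi;

// Read a document.cookie-style string and report whether the visitor opted in.
function hasAnalyticsConsent(cookieString) {
  return String(cookieString || '').split(';').some((pair) => {
    const [key, value] = pair.trim().split('=');
    return key === CONSENT_COOKIE && value === 'yes';
  });
}

// Scrub a URL before it becomes page_location: drop PII query keys, drop the
// fragment (it can carry tokens) and mask any email address left in the path.
function scrubPageLocation(url) {
  const u = new URL(url);
  for (const key of [...u.searchParams.keys()]) {
    if (PII_QUERY_KEYS.has(key.toLowerCase())) u.searchParams.delete(key);
  }
  u.hash = '';
  return u.toString().replace(EMAIL_RE, '[redacted]');
}

// gtag.js config object for a Universal Analytics property. anonymize_ip is
// the gtag.js setting that truncates the visitor's IP before it is stored.
function analyticsConfig(pageLocation) {
  return {
    anonymize_ip: true,
    send_page_view: true,
    page_location: scrubPageLocation(pageLocation),
  };
}

// Browser entry point: inject the tracker only when consent is present.
// Returns true when analytics was loaded, false when it was withheld.
function loadAnalyticsIfConsented(win, doc, trackingId) {
  if (!hasAnalyticsConsent(doc.cookie)) return false;
  win.dataLayer = win.dataLayer || [];
  const gtag = function () { win.dataLayer.push(arguments); };
  gtag('js', new Date());
  gtag('config', trackingId, analyticsConfig(win.location.href));
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(trackingId);
  doc.head.appendChild(script);
  return true;
}

// Offline demo with a constructed fake window/document so the logic can be
// exercised without a browser. Returns the config object that was pushed.
function demo(cookie) {
  const doc = { cookie, createElement: () => ({}), head: { appendChild() {} } };
  const win = { location: { href: 'https://shop.example/thanks?order=42&email=jane%40example.com#t=abc' } };
  const loaded = loadAnalyticsIfConsented(win, doc, 'UA-00000000-1');
  return { loaded, config: loaded ? win.dataLayer[1][2] : null };
}
```

In a real page, call loadAnalyticsIfConsented(window, document, 'UA-...') from the cookie bar's accept handler and on every page load; with the cookie absent the tracker script is never fetched, so nothing is sent to Google at all. The URL scrubbing matters because thank-you pages and password-reset links frequently carry email addresses or tokens in the query string, and those would otherwise be recorded verbatim.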

Website Security and GDPR

New data protection rules put more emphasis on online security. Any data submitted through your website must be encrypted in transit so that it cannot be intercepted. Serving your site over HTTPS, which requires a TLS certificate (commonly called an SSL certificate), provides this; if you do not have one already, ask your web developer to install it and to redirect all plain HTTP traffic to HTTPS. If you are unsure whether your site already uses HTTPS, look at the address bar of your browser when visiting it: the address should begin with https:// and there should be a padlock symbol. Note that the padlock only means the connection is encrypted, not that the site itself or the data stored behind it is secure. If it is not present, get in touch with your web developer.

In addition to HTTPS, under the GDPR you must demonstrate that you are implementing data protection by design and by default. This can affect everything from how you design databases and how long you keep data to who is given access to it.

Existing DigitalFlare Client? - We can install an SSL certificate on your website if you do not have one. We can also advise you on the individual security measures on your website and provide details about the security of your hosting package.

Please note: the points above outline some of the rules required for GDPR compliance, but remember, it isn't only your website that needs to comply.

The content of this web page is a commentary on the GDPR, as DigitalFlare interprets it, as of the date of publication. This content is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your company. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies to your organisation, and how best to ensure compliance.