GDPR - and how it could impact your business

The European Union General Data Protection Regulation has applied since 25 May 2018 and, if your business serves or monitors people in Europe, you need to understand what GDPR is, how it might apply to your business and how you can comply.

Does it apply to Australian businesses?

If you operate a website in Australia and collect user data, GDPR may apply to you if you...

  • Offer a European language other than English on your website, or
  • Display prices in a European currency on your website, or
  • Let European residents pay in euros, or
  • Mention European-based customers or users, or
  • Have an office or a base in Europe, or
  • Track European residents online and process their data, or
  • Profile European residents to analyse or predict their personal preferences, behaviours and attitudes

If you say 'yes' to any of these checkpoints, then you may need to comply with GDPR. The legal test (Article 3) is whether you offer goods or services to people in the EU, or monitor their behaviour, regardless of where your business is based; the points above are the signs that you do.

How do you comply with the regulations?

Here is a list of the main things you need to consider. Please note that you should seek specialist legal advice to ensure full compliance.

Confirm that your website is secure

Google Chrome marks plain-HTTP pages as 'Not secure' and Google has used HTTPS as a ranking signal for years, so your website is most probably already served over HTTPS - but this isn't true of all sites. GDPR (Article 32) requires security appropriate to the risk, and users expect a secure and private online experience, so obtain a TLS certificate, serve the whole site over HTTPS - Hypertext Transfer Protocol Secure - redirect every plain-HTTP request to the HTTPS version, and send the Strict-Transport-Security header so browsers stop using HTTP for your domain at all.
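A check for the HTTPS posture described above, added here as an example (it is not code from the original page): given the response to a plain-HTTP request and the response to an HTTPS request, it reports whether the site redirects to HTTPS on the same host, sends a Strict-Transport-Security header of at least a year, and marks every cookie it sets as Secure. The host name, the `{ status, headers }` response shape with lower-cased header names, and the two sample sites are constructed for the example.

```javascript
// Added example: assess a site's HTTPS posture from two captured responses.
// Response shape (assumed): { status: Number, headers: { '<lower-case name>': value | [values] } },
// the kind of object you would build from fetch(url, { redirect: 'manual' }) or https.request().

const ONE_YEAR_SECONDS = 31536000;
const REDIRECT_STATUSES = [301, 302, 307, 308];

function assessHttpsPosture(host, httpResponse, httpsResponse) {
  const findings = [];

  // 1. A plain-HTTP request must be redirected to the HTTPS origin, never answered with content.
  if (!REDIRECT_STATUSES.includes(httpResponse.status)) {
    findings.push('http: serves content instead of redirecting to https');
  } else {
    let target = null;
    try {
      target = new URL(httpResponse.headers['location'] || '', `http://${host}/`);
    } catch {
      target = null;
    }
    if (!target || target.protocol !== 'https:') {
      findings.push('http: redirect target is not an https:// URL');
    } else if (target.hostname !== host) {
      findings.push(`http: redirect leaves the origin (${target.hostname})`);
    }
  }

  // 2. The HTTPS response should carry HSTS so browsers stop trying plain HTTP at all.
  const hsts = httpsResponse.headers['strict-transport-security'];
  if (!hsts) {
    findings.push('https: no Strict-Transport-Security header');
  } else {
    const match = /max-age=(\d+)/i.exec(hsts);
    const maxAge = match ? Number(match[1]) : 0;
    if (maxAge < ONE_YEAR_SECONDS) {
      findings.push(`https: HSTS max-age ${maxAge} is below one year`);
    }
  }

  // 3. Every cookie set over HTTPS must be flagged Secure, or a downgraded request leaks it.
  const cookies = [].concat(httpsResponse.headers['set-cookie'] || []);
  for (const cookie of cookies) {
    const name = cookie.split('=')[0].trim();
    if (!/;\s*secure\s*(;|$)/i.test(cookie)) {
      findings.push(`https: cookie "${name}" lacks the Secure attribute`);
    }
  }

  return { ok: findings.length === 0, findings };
}

// Constructed sample responses: a site still answering plain HTTP, and a hardened version of it.
const SAMPLE_HOST = 'www.example.com';
const WEAK_SITE = {
  http: { status: 200, headers: { 'content-type': 'text/html' } },
  https: { status: 200, headers: { 'set-cookie': ['session=abc123; Path=/'] } },
};
const HARDENED_SITE = {
  http: { status: 301, headers: { location: 'https://www.example.com/' } },
  https: {
    status: 200,
    headers: {
      'strict-transport-security': 'max-age=31536000; includeSubDomains',
      'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
    },
  },
};

function demo() {
  for (const [label, site] of Object.entries({ weak: WEAK_SITE, hardened: HARDENED_SITE })) {
    const result = assessHttpsPosture(SAMPLE_HOST, site.http, site.https);
    console.log(label, result.ok ? 'OK' : result.findings);
  }
}

demo();
```

The weak sample produces three findings (content served over HTTP, no HSTS, session cookie without Secure); the hardened sample passes. To run it against a live site, capture the two responses with `redirect: 'manual'` so the HTTP response is the redirect itself rather than whatever the client followed it to, and pass the raw Set-Cookie values as an array.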

Confirm your new Google Analytics data retention settings

In 2018 Google Analytics introduced Data Retention controls that took effect on 25 May 2018, so, if you haven't already done so…

  • Log in to your Google Analytics account
  • Review the Data Processing Amendment under Admin > Account Settings
  • Confirm your Data Retention settings under Admin > Property > Tracking Info

If you're not sure which option to go with, the default of 26 months is a reasonable starting point, but ideally you should apply the shortest setting that is appropriate for your business: larger organisations that rely on personalisation may want to retain data longer than a local business with a simple web presence.

Note that the menu paths above refer to Universal Analytics. Google Analytics 4 properties have their own retention setting, with shorter options (2 or 14 months), so check it separately if you have migrated.

Conduct a website data audit

  • What information/data are you collecting?
  • Is it personal?
  • How/where is it stored? How long for?
  • Who has access to it?
  • Do any third-parties have access?
  • How is it being used?
  • Do you have explicit consent from the user to have and use the data?
  • Does any of your data need to be encrypted?
  • Do forms need to keep data in a database, or could they just be emailed to you? (Bear in mind that an email inbox is often less protected, and harder to purge, than a database.)

Ensure your website privacy policy is up to date

You may already have a privacy policy that's compliant with the Australian Privacy Act. That's a great place to start, but GDPR gives users broader rights, which means that your current privacy policy may need to be updated. Seek advice from your legal team to write a privacy policy that clearly states the key information about the data your website collects, how long it is kept, and who it is shared with.

If your website uses cookies, ensure they're 'opt in'

  • Users must opt in, not opt out: consent must be freely given, and it must be sought in clear and plain language
  • Users should be able to access your site regardless of whether they accept cookies, even if some functionality is lost
  • If consent is not given and a cookie collects personal data (which, under GDPR, includes IP addresses and identifiers tied to users), this may be an infringement and subject to penalty
  • Consent is not required for cookies that are strictly necessary to provide a service the user asked for, such as a session cookie or a cookie that tracks items in a user's shopping cart; analytics and advertising cookies do not fall under this exemption
  • This also applies to third-party cookies and to cookies that third-party scripts set on your own domain: Google Analytics, for example, sets its cookies on your site through its tag

Make sure consent forms are unchecked by default

All your consent forms must use a clear, positive opt-in process, with an easy confirmation. Each purpose (for example a newsletter versus third-party marketing) needs its own unticked box, because bundled consent is not freely given, and you must record when and how each consent was obtained so you can demonstrate it later.

This applies to...

  • A terms and conditions checkbox
  • A sign-up for a mailing list
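One way to implement the cookie and consent-form rules from the two sections above, added here as an example rather than code from the original page: a form whose boxes are unticked by default is turned into a versioned, time-stamped consent record, stored in a Secure cookie, and non-essential tags (analytics, marketing) are loaded only for the categories the record explicitly opts in to. Anything short of an explicit, current opt-in (missing cookie, malformed value, old policy version) is treated as no consent. The cookie name, the form field names, the tag URLs and the `G-EXAMPLE` tag ID are assumptions for the example; the script loader is injected so the same logic runs in a browser and in a test.

```javascript
// Added example: consent gating for non-essential cookies and tags.

const CONSENT_COOKIE = 'cookie_consent';   // assumed name
const CONSENT_VERSION = 1;                 // bump when the cookie policy changes: older consent is void
const CONSENT_MAX_AGE = 15552000;          // 180 days, after which the user is asked again
const NO_CONSENT = Object.freeze({ analytics: false, marketing: false, recordedAt: null });

// Read the consent cookie from a Cookie header or document.cookie string.
function parseConsent(cookieString) {
  const entry = (cookieString || '')
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(`${CONSENT_COOKIE}=`));
  if (!entry) return NO_CONSENT;
  try {
    const value = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    if (value.version !== CONSENT_VERSION) return NO_CONSENT; // policy changed: ask again
    return {
      analytics: value.analytics === true,   // only a literal true counts as opt-in
      marketing: value.marketing === true,
      recordedAt: typeof value.at === 'string' ? value.at : null,
    };
  } catch {
    return NO_CONSENT; // malformed or tampered value
  }
}

// Turn submitted form fields into a consent record. Browsers omit unticked
// checkboxes from the submission, so a missing field means "not consented";
// the form itself must render the boxes unticked so nothing is pre-filled.
function consentFromForm(fields, now = new Date()) {
  const ticked = (name) => fields[name] === 'on' || fields[name] === 'true';
  return {
    version: CONSENT_VERSION,
    analytics: ticked('consent_analytics'),   // assumed field names
    marketing: ticked('consent_marketing'),
    at: now.toISOString(),                    // when consent was given, for your records
  };
}

// Serialise a consent record as a Set-Cookie header value. Secure: never sent
// over plain HTTP; SameSite=Lax: not attached to cross-site POSTs; no HttpOnly,
// because the client-side gate below has to read it.
function consentSetCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Tag URLs are assumptions for the example; substitute your real tag IDs.
const TAGS = {
  analytics: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE',
  marketing: 'https://example.invalid/marketing-pixel.js',
};

// Load only the tags the user opted in to, and report which categories were loaded.
// Strictly necessary cookies (session, shopping cart) are set by the server
// regardless of consent and never pass through here.
function loadConsentedTags(cookieString, loadScript) {
  const consent = parseConsent(cookieString);
  const loaded = [];
  for (const [category, url] of Object.entries(TAGS)) {
    if (consent[category] === true) {
      loadScript(url);
      loaded.push(category);
    }
  }
  return loaded;
}

// Browser wiring (not executed here): call on every page load, before any tag.
//   loadConsentedTags(document.cookie, (url) => {
//     const s = document.createElement('script');
//     s.src = url; s.async = true; document.head.appendChild(s);
//   });
```

The server handles the consent form POST with `consentFromForm` and sends the result through `consentSetCookie`; the page then calls `loadConsentedTags` instead of embedding the analytics snippet directly, so no analytics cookie exists until the user has actually opted in. Bumping `CONSENT_VERSION` after a policy change invalidates every stored consent at once.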

Make sure you have a process in place for easy data deletion

Under GDPR, European residents have the right to erasure, usually called the right to be forgotten. That means you must have a process to act on a user's request for their personal data to be removed from your website storage systems, including backups and any processors you have passed it to. Your wording needs to be clear and simple, and you must respond without undue delay and in any case within one month (extendable by two further months for complex requests, provided you tell the user). The right is not absolute: data you are legally obliged to keep, such as tax records, can be retained, but tell the user what you kept and why.

Work with GDPR compliant third-party providers

You must ensure that all aspects of your data processing comply. As the controller, your business remains responsible for breaches by your processors, which include your email service provider, your CRM service, your hosting and analytics providers, and your marketing and PR agencies. GDPR (Article 28) requires a written data-processing agreement with each of them, and your processes and privacy policy must clearly state which third-party data processors you use and where a site user's data is passed to.

What is GDPR?

The General Data Protection Regulation is European Union legislation that came into effect on 25 May 2018. GDPR protects the personal data of people in the EU, and it applies to any business worldwide that offers them goods or services or monitors their behaviour - not just European enterprises.

Penalties for breaching GDPR can attract substantial fines: up to 4% of annual global turnover or €20 million (approx. A$32 million), whichever is greater.