General Data Protection Regulation (GDPR) compliance required by May 25
Note: This is not legal advice, but a very brief guide to the requirements of the GDPR. Please consult a legal expert for further advice. Domains Direct won't accept liability for any losses suffered as a result of following this article.
You've probably noticed those pop-ups on some sites asking for your consent to store cookies on your device. This requirement for sites operating in the European Union (EU) was introduced to protect users and their personal data.
If you conduct any business with private individuals in the EU you'll need to comply with the GDPR rules by May 25th, or risk potentially huge fines.
Fines of up to €20 million may be imposed by data protection authorities for any breach, as well as damages payable to any person that has suffered losses as a result of a data breach.
This affects you if you sell goods or services to a person who lives in the EU, or you monitor the behaviour of a person who lives in the EU, regardless of where you store or process personal data.
Visitor tracking
Cookies allow you to track users on your website by writing a small text file to their computer. If they return to your website you'll be able to identify them as a returning visitor. If your site uses cookies you'll need people's permission to track them.
Some examples of where cookies are used include:
- Google Analytics
- Social media share buttons (Like, Follow etc.)
- Shopping cart software
- User registration system
The rule here is: can you trace a cookie back to an identifiable person? For example, if your site has a user registration/login system, you could look up a user's IP address in Google Analytics and track their activity on your site, and that is something they would need to give consent for.
Similarly, if you use Google Analytics and your data collection forms submit via a GET request (rather than POST), for example /subscribe?email=user@domain.com, then Google will log that URL, and the email address in it is traceable back to a person.
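The GET-request problem above, as an added example that is not from the original article: a small Python audit (the function and key names are assumed, not from any real tool) that scans constructed log lines for personal data in query strings and shows the redacted form a site operator would log instead.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys that commonly carry personal data (assumed list, extend as needed).
PII_KEYS = {"email", "e-mail", "name", "phone", "tel", "address", "dob"}
# Catches an email address even when it arrives under an unexpected key.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def pii_params(url):
    """Return the (key, value) pairs in url's query string that look like personal data."""
    query = urlsplit(url).query
    return [
        (key, value)
        for key, value in parse_qsl(query, keep_blank_values=True)
        if key.lower() in PII_KEYS or EMAIL_RE.match(value)
    ]


def redact_url(url):
    """Replace personal-data values in the query string so the URL can be logged safely."""
    parts = urlsplit(url)
    clean = [
        (key, "REDACTED" if key.lower() in PII_KEYS or EMAIL_RE.match(value) else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(clean)))


# Constructed sample of request lines, as a web server or analytics tool would record them.
SAMPLE_LOG = [
    "GET /subscribe?email=user@domain.com HTTP/1.1",   # GET form leaks the address
    "GET /search?q=blue+widgets HTTP/1.1",             # harmless query
    "GET /contact?name=Jane+Doe&tel=0211234567 HTTP/1.1",
    "POST /subscribe HTTP/1.1",                        # POST keeps the data out of the URL
]


def audit_log(lines):
    """Map each logged path that exposes personal data to the offending parameters."""
    report = {}
    for line in lines:
        _method, path, _version = line.split(" ", 2)
        hits = pii_params(path)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in audit_log(SAMPLE_LOG).items():
        print(path, "->", hits, "| safe to log as:", redact_url(path))
```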
Collecting personal data
If you collect any personal data, people must freely give their consent for you to collect and store it. This isn't just information they fill out on a form; it can include data they might not even know they're sharing.
The definition is fairly broad, but items can include a person's:
- Name, address, phone, email
- Salary or wage details, or credit rating
- Medical details
- Ethnicity, political stance, religious beliefs, sexuality
- Images, voice, or video recordings
- Employment details
- IP address
- Location data
Anonymised data is not included, provided there's no way to trace the data back to a person.
Grounds for data collection
In order to collect personal data, you must have legal grounds to do so. This could include:
- Performing a contract
- A person giving consent
- You have a legitimate interest
- You have an obligation to collect data
- To comply with some law
Enable opt-in for EVERYTHING!
Once you have collected data for a specific purpose, you cannot then process it for another purpose. For example, if a customer purchases something from your website, you cannot later email them a newsletter or other promotional content without their consent: they must have specifically consented to joining your newsletter list.
Most importantly, pre-ticking boxes on web forms does not constitute consent.
This article was written based on information provided by the New Zealand Law Society. See GDPR Compliance in Four Steps - New Zealand Law Society for further reading.