An important note about data privacy – are you ready?
GDPR is coming
On Friday 25th May 2018, European general data protection regulation (GDPR) comes into force. These regulations aim to protect the data privacy of EU residents the world over. The regulations carry harsh penalties for companies anywhere in the world that don’t comply with them. Penalties are severe and can reach EUR 20M or 4% of “total worldwide annual turnover of the preceding financial year” whichever is the higher.
What do the regulations require?
GDPR requires companies that capture personal data belonging to EU residents to process and store it carefully. Such companies are subject to a number of obligations which will in some cases be more stringent than those that are required under Australian laws. Some of these obligations are:
- When capturing personal data, to state clearly all the ways the data will be used, and to only use the data for such purposes.
- To take “appropriate technical and organisational measures” to secure personal data during transmission and storage.
- To notify all people who may be affected by a personal data breach within 72 hours of such an event.
- To allow people to have a copy of the personal data you store on them, to unsubscribe and be “forgotten”.
The entire GDPR runs to 99 articles and can be read online. If you haven’t done so already, you should consult your lawyer to ensure you are compliant.
How is this relevant to Australian websites?
While most of your website users will be from this side of the globe, you cannot be sure that none of your users are EU residents, or may move to or from Europe in future. In any event — eye-watering fines aside — GDPR represents good data privacy practice.
It is likely that your website is storing user data in a number of ways:
- Google Analytics, Google Tag Manager, Facebook Pixel and other similar third-party scripts may be tracking visitors to your site anonymously to evaluate traffic and to serve relevant ads. If you engage in remarketing to these visitors, or ever want to do so in future, you will need to secure their explicit consent to be targetted with such ads.
- Any active form on your website that can be tied to a particular individual – typically by means of an email address – will generate personal data which does fall within the scope of GDPR. Such form data is typically emailed to you when the form is submitted. The same data is often stored in the website’s content management system or some other connected system such as a CRM (Salesforce, Hubspot, Pardot, etc.), booking system or email broadcast platform (MailChimp, Campaign Monitor, etc.).
What can I do about it?
First, we recommend that you seek legal advice. Every business is unique and while a lot of personal data originates from visitors to your website, you are responsible for how that data is managed once it is in your possession.
Secondly, we recommend that you ensure that your website have the following in place:
- A clear statement on forms about the uses to which the supplied data will be put.
- An opt-in consent mechanism if you wish to remarket to EU residents.
- An SSL certificate.
- The latest stable WordPress and plugin versions.
If you would like to discuss any of the above items with us, we’d be happy to assist.