What the New GDPR Regulations Mean for American Web Agencies

The EU’s General Data Protection Regulations come into effect May 25th. Are you ready?

In just a few months, the EU will begin to enforce a new set of regulations that could affect businesses worldwide. These regulations, called the General Data Protection Regulations (GDPR) are intended to protect the personal data of EU citizens. But they have such broad impact because they are user-based, rather than business based.

In other words, it doesn’t matter if your business is located outside the EU. If you handle the personal data of EU citizens, whether as a gatherer or processor of that information, you fall within the scope of these regulations, and could potentially face fees for non-compliance.

With that in mind, you may be wondering what kind of data these regulations refer to, so that you can understand whether you handle it.

The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

In other words, if your business collects, stores, or processes this kind of data, these regulations apply to you. And given how many of us handle this kind of information in our global economy, this probably applies to… well, a lot of us.

Consent in data protection takes precedence.

Another major part of the GDPR regulations lies in the emphasis they put on consent. You must have consent from someone before you collect their personal data, and that includes providing them with enough information for them to understand what you’re collecting and what you plan to do with it.

Here’s how the GDPR defines it:

The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​

This has significant implications for websites that use cookies to track visitor for remarketing purposes or those that rely on location data to deliver services. Before you do these things, you have to give notice to your users about what they’re signing up for. They have to agree to allow you to track their personal data, and they have to be able to easily opt-out if they change their mind later.

GDPR makes marketing harder—but (hopefully) better.

A lot of these regulations boil down to one thing: you can’t collect and use personal information any way you want. There are rules you have to follow, or you risk prosecution. Abuse the personal data of anyone under GDPR protection, and you could face significant fines. So, for web and marketing agencies that want to come into compliance before the May 25th deadline, what should you stop doing right now?

For one, you can start practicing affirmative consent in your marketing. For instance, you should stop purchasing email lists. If someone didn’t sign up to receive marketing emails from you, you cannot have them on your marketing list. A lot of big email marketing tools already know this, and as they don’t want to be on the wrong side of these regulations, they will probably begin cracking down on marketers who aren’t following these best practices.

How can you protect yourself? Send out an email to your list asking them to renew their subscription. This will help ensure that the people on your marketing list are the ones who want to be receiving your emails. Worried you’ll lose your whole list? I just received a marketing email about this from a brand I love this afternoon. People are doing it. And yes, I opted back in.

The ICO has prepared a 12-step guide [PDF] for businesses who want to prepare for compliance. It’s worth taking a look at if you’re worried about compliance.

ICO 12-step guide for businesses on how to meet GDPR regulations

The GDPR regulations give an advantage to businesses who already take data seriously.

In some ways, the new GDPR regulations aren’t as big of a sea change as you might think. If you already take compliance issues seriously and avoid black-hat marketing techniques, you’ll probably have to do a quick re-assessment of your practices to make sure your business is tight but you’re probably already most of the way there.

However, if you haven’t been paying attention to data privacy issues, if you don’t follow security protocols in the way you handle sensitive information, or if you engage in black-hat techniques, your time of reckoning may be at hand.

Data privacy is important, as many of the recent security breaches at Equifax and Yahoo! have indicated. But it’s also complicated. So many businesses are gathering massive amounts of data as a matter of course, but their ability to collect this data often outpaces their knowledge of proper security procedures. As a result, they put the personal information unsuspecting individuals at risk, either through negligence or ignorance.

In many ways, the GDPR regulations are intimidating. But they could also be an important step toward creating a safer Internet space for consumers. We certainly hope so.

Published 01/30/18 by Laura Lynch