The GDPR (General Data Protection Regulation 2018) has transformed the data collection methods of all websites and online businesses conducting business or marketing activities in the European Economic Area. However, despite the abundant hype around this data protection policy, many businesses are still searching for information and answers to their questions pertaining to the General Data Protection Regulation 2018. There is still a visible lack of information, or outright misinformation, regarding the objective of GDPR 2018, the effect of GDPR on marketing activities and data collection processes, GDPR fines and penalties, and so on. Through this article, we attempt to shed some light on this revolutionary regulation. However, the information provided in this article must not be considered legal advice.
What is GDPR?
The General Data Protection Regulation 2018 is a European Union privacy law that came into effect on May 25 this year and has supplanted the Data Protection Act 1995. This law regulates every organization’s treatment and use of personal data of EU citizens. Under GDPR, the greatest emphasis is placed on ‘explicit consent’ and unparalleled transparency. This new regulation is developed and designed with the objective of unifying and simplifying data protection laws across all EU countries. It aims to provide more information and control to EU citizens over the collection and use of their digital data and thus provide better protection to them. The ultimate objective is to give EU citizens the right to purge whatever personal data businesses are holding on them.
This law applies to any organisation around the world that holds or processes personal information about EU residents, even if the organisation is not located in the European Economic Area. In the UK, GDPR rules will continue to apply after Brexit until the government introduces a data protection bill similar to the GDPR.
Personal data, the focal point of GDPR, is any data that, when used alone or in conjunction with other data, could help identify a person. It is subdivided into two categories:
- Identifying Information – includes any information that could be used to identify a person, such as a person’s name, identification number, email ID, IP address, bank details, etc.
- Sensitive Personal Information – includes any data that could put a person at risk of unlawful discrimination, such as a person’s gender, sexual orientation, health history, religious and political beliefs, social or cultural identities, etc.
The impact of GDPR on data collection from your website
The GDPR’s central theme of respect for privacy has brought about significant changes in website data collection processes, tools, techniques, and even objectives. Here are some of the more crucial ones.
You must declare a strong commitment to the rights of the people who entrust you with their personal information. You simply cannot collect, process, or store that information otherwise, and you are bound to take stronger measures to protect such data.
You will need in-depth knowledge of the entire life-cycle of your data to comply with GDPR norms. Every category of data must be analysed and documented. You must know where it originated, whom you have shared it with, and what use you make of it, and be able to report all this to the people the data belongs to.
You would have to ensure that your data collection processes and documentation adhere to the principle of enhanced transparency that is at the core of the GDPR. All legal notices, information clauses, lead generation mechanisms, etc. must be reviewed and updated. You have to keep people updated and informed at all stages.
More requirements for permission
You must obtain ‘explicit consent’ to use all data that is stored in your database. Consent based on silence and omission isn’t valid anymore; free, specific, verifiable, and unambiguous communication is what you require.
The impact of GDPR on Google Analytics & its users
The use of Google Analytics by websites also comes under the purview of GDPR. Google Analytics acts as the data processor and you take up the role of the data controller. Google has taken several steps, of which it keeps users posted through regular updates, to make Google Analytics GDPR compliant as soon as possible. The Google GDPR policy is currently under formulation and is expected to be drafted, presented and implemented at the earliest.
However, as the data controller, you too would have to make certain changes in the way you use Google Analytics and how it is set up, so that Google Analytics GDPR compliance is a non-issue for you. You can start off by doing the following:
- Undertake a complete audit of your website and Google Analytics setup
- Do not ask for, process, hold, and store sensitive personal information of your website visitors and customers
- Do not enable ‘Remarketing’ and ‘Google Analytics Advertising Features’ if you don’t need them
- Make use of the ‘User and event data retention’ and ‘IP Anonymisation’ features that Analytics provides
- Do not track any form field, search term, and campaign that contains personal information
- Refrain from uploading or sending any data to Google Analytics which might contain personal information
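As an added example (not code from the original article, and not Google's own), the following gtag.js-style wrapper puts the last few items into practice: it keeps IP anonymisation on and advertising features off, and redacts email addresses and personal-data query parameters from event parameters before a hit is sent. The gtag parameter names are gtag.js's own; the list of PII query keys, the stub `gtag` and the sample event are constructed for the example.

```javascript
// Added example, not from the original article: redact obvious personal data
// before analytics hits are sent, and keep the GA configuration minimal.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Query-string keys that commonly carry personal data (constructed list;
// extend it to match your own forms and search pages).
const PII_QUERY_KEYS = new Set(['email', 'name', 'phone', 'q', 'search']);

// Configuration reflecting the article's advice: anonymise IPs and leave
// advertising features off. These parameter names are gtag.js's own.
const GA_CONFIG = {
  anonymize_ip: true,
  allow_google_signals: false,
  allow_ad_personalization_signals: false,
};

// Replace anything that looks like an email address in a string value.
function redactString(value) {
  return String(value).replace(EMAIL_RE, '[redacted-email]');
}

// Drop PII-bearing query parameters from a page URL before it is sent as
// page_location. A relative or malformed URL only gets email redaction.
function scrubUrl(url) {
  let u;
  try { u = new URL(url); } catch (e) { return redactString(url); }
  for (const key of [...u.searchParams.keys()]) {
    if (PII_QUERY_KEYS.has(key.toLowerCase())) u.searchParams.delete(key);
  }
  return redactString(u.toString());
}

// Redact every string-valued event parameter; page_location also has its
// query string scrubbed.
function scrubParams(params) {
  const out = {};
  for (const [k, v] of Object.entries(params)) {
    out[k] = typeof v === 'string' ? redactString(v) : v;
  }
  if (typeof out.page_location === 'string') {
    out.page_location = scrubUrl(out.page_location);
  }
  return out;
}

// Call this instead of gtag('event', ...) directly. `gtag` is passed in so
// the function can be exercised with a stub; on a real page it is window.gtag.
function sendEvent(gtag, name, params) {
  const clean = scrubParams(params || {});
  gtag('event', name, clean);
  return clean;
}
```

On a live page, `gtag('config', 'G-XXXXXXX', GA_CONFIG)` (with your own measurement ID in place of the placeholder) applies the configuration above.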
GDPR fines and penalties
Any failure to meet GDPR requirements would invite hefty fines and penalties. GDPR fines and penalties are far greater in magnitude than those under any other data protection law. For example, the UK’s Data Protection Act capped the maximum fine at £500,000. In stark contrast, the maximum fine under GDPR for any organization that unlawfully processes personal data of EU citizens could amount to the higher of €20 million or 4% of the violating organization’s global annual turnover.
The amounts seem exorbitant but the Information Commissioner’s Office (ICO), the office authorized to impose fines, has maintained that not all infringements would invite a fine and the GDPR fines would always be ‘effective, proportionate, and dissuasive’.
As with any landmark regulation, there is bound to be a lot of confusion and upheaval about the implementation of GDPR. However, complying with these laws would not just provide privacy and protection to citizens but would also enhance the integrity of your business, which would ultimately strengthen its reputation. This law is for the greater good of all involved.