With changes in the global regulatory landscape, being an entrepreneur and starting a business can be daunting. Recently, the European Union introduced the General Data Protection Regulation (GDPR) to protect the privacy of EU consumers.
This article aims to help you evaluate your business and website for compliance with the GDPR, and to show how to make your business GDPR compliant.
What Is GDPR?
The General Data Protection Regulation (GDPR) came into effect on 25 May, 2018 and aims to protect the fundamental right to privacy and the protection of personal data of European Union (EU) citizens.
How Does It Affect Your Business?
The GDPR affects any business (including websites) that processes the personal data of EU citizens. Whether or not your business is located in the EU, if you have an EU visitor or your marketing campaigns target EU customers, GDPR affects you.
In this article, we will provide you with a GDPR checklist to help your business comply with these regulations. We will cover the following topics:
GDPR Consent Forms
Email Marketing Templates
Third Party Apps
Important Notice: Any information contained herein is not legal advice and we recommend that you seek legal advice to fully understand and comply with the GDPR regulations.
GDPR Articles 12, 13 and 14 outline the need to provide privacy information to data subjects (website visitors).
According to GDPR, the information provided must be:
Concise, transparent, intelligible and easily accessible;
Written in clear and plain language, particularly if addressed to a child; and
Free of charge.
What type of information do you collect?
Detail the type of personal information you collect from your website visitors. Personal information may include name, email, IP address, billing details and identification number.
The information collected may be provided directly by visitors (e.g. web form) or collected automatically through tracking tools (e.g. Google Analytics).
Sample: "We receive, collect and store any information you provide on our website, including personally identifiable information (including name, email); payment details (including credit card information), comments, product reviews and personal profile. When you access our website, we may collect and record usage information, including geo-location, IP address, device type, browser information and web log information and all interactions through our website. We may also collect supplemental information (including demographics) obtained from third parties for marketing, data analytics and other purposes."
How do you collect personal information?
You should clearly explain the process for collecting personal information from your website visitors. For example, when visitors subscribe to your newsletter.
Sample: "When you conduct a transaction or complete a form on our website, we collect personal information that you provide us, such as your name, email address and address. Your personal information will be used for the specific reasons stated."
Why do you collect personal information?
You need to explain why you collect personal information from your website visitors. For example, you might collect email addresses for marketing campaigns.
Sample: "We collect both non-personal and personal information for the following purposes:
To provide products and services to our users;
To provide users with customer assistance and technical support;
To contact our users with general or personalized notices and promotional messages;
To aggregate statistical data and other non-personal information, which we use to improve our services or provide to our business partners;
To comply with any applicable laws and regulations."
How do you store, use, share and disclose personal information?
Sample: "We may store and process personal information on servers in different jurisdictions around the world. We retain information for as long as it is necessary for our operations. Information from closed, deactivated, inactive or suspended accounts will be retained to comply with the law, prevent fraud, collect fees, resolve disputes, enforce our Terms of Service and take other actions permitted by law.
We will not sell or rent your personal information to third parties for their marketing purposes without the user's explicit consent. We may integrate your personal information with information obtained from third parties to improve and personalize our solutions, content and promotions."
How can visitors withdraw their consent?
You must explain how your website visitors can withdraw their consent for collection and use of their personal information and how they can access, update or delete this information.
Sample: "If you wish to update, access or delete your personal information we have collected, please contact our customer support team at <your email> or <phone number>."
2. GDPR Consent Forms
If your business uses lead generation forms, email newsletters or sends marketing communications, you will have to include GDPR consent in your web forms.
We have several examples with various consent options and UX designs for your reference.
Single consent: permission for SMS, email, mail and telephone communications is lumped together into one consent option. Although it is clear and easy for users to select either the "Yes" or the "No" option, users cannot choose their preferred channel of communication.
Granular consent: users consent to each contact method separately (e.g. SMS, email, call). This lets users agree to some communications instead of having to refuse all of them.
Group consent: some businesses are part of a larger group, and if you want to share customer data across different entities within the group, users need to consent to that sharing. For example, Waitrose asks users to consent to receiving communications from Waitrose, myWaitrose, John Lewis and John Lewis Finance.
3. Email Marketing Templates
Now that the GDPR regulations are in effect, what do you need to do? Contrary to popular belief, it is still legal and effective to send marketing emails.
If your existing website and forms do not collect the necessary customer consent, you will need to send a repermissioning email to your customer base.
How do you design repermissioning emails? Here are some great examples to help you.
If you are already GDPR compliant, then great! Let's review your email marketing campaign and consider the following factors:
Allow customers to opt-out
Add an opt-out option to your email marketing templates. If a customer or subscriber asks to be removed from your email list, you must exclude them from all future marketing campaigns.
Allow customers to access their data
GDPR gives consumers the right to access the personal data collected about them. That data can range from a single email address (for newsletters) to millions of customer touch-points in a CRM or marketing database. Businesses need to be able to find this information and provide it to the user on request.
Allow customers to delete their data
GDPR gives consumers the right to delete personal data collected about them. If customers ask for all their data to be deleted, they should also be unsubscribed from further email campaigns.
What if customers unsubscribe from your email campaign? Every unsubscribe request has to be kept in an email suppression file so that the address is excluded from all future campaigns. Companies therefore need to explain to customers that they have a legal reason to keep storing the email address: it is retained only to exclude it from campaigns.
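The granular consent forms described in section 2 and the opt-out, access, delete and suppression-file requirements above all come down to the same bookkeeping: record consent per channel, never send to a channel that was not explicitly ticked, and keep an address on a suppression list after an unsubscribe or erasure so it is never contacted again. The following Python is an added illustration written for this article, not code from Vorbly or from any CRM product; the `MarketingStore` class, its method names and the sample sign-ups are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Communication channels a visitor can consent to separately (granular consent).
CHANNELS = ("email", "sms", "post", "phone")


@dataclass
class ConsentRecord:
    """Per-channel consent plus the audit trail needed to show when and where it was given."""
    channels: dict = field(default_factory=dict)
    source: str = ""
    recorded_at: str = ""


class MarketingStore:
    """In-memory stand-in for a CRM: customer profiles plus an unsubscribe suppression file.
    (Hypothetical class written for this example.)"""

    def __init__(self):
        self.customers = {}       # email -> {"name": str, "consent": ConsentRecord}
        self.suppression = set()  # addresses that must be excluded from every future campaign

    def record_consent(self, email, name, consents, source):
        # Only an explicit True counts as consent; a missing channel is treated as "no",
        # so a pre-ticked or absent box never turns silence into permission.
        channels = {c: consents.get(c) is True for c in CHANNELS}
        stamp = datetime.now(timezone.utc).isoformat()
        self.customers[email] = {"name": name, "consent": ConsentRecord(channels, source, stamp)}

    def opt_out(self, email, channel=None):
        """Withdraw consent for one channel, or for all channels when channel is None."""
        if email not in self.customers:
            return False
        record = self.customers[email]["consent"]
        for c in CHANNELS if channel is None else (channel,):
            record.channels[c] = False
        if channel is None:
            self.suppression.add(email)  # a full unsubscribe goes into the suppression file
        return True

    def export_data(self, email):
        """Subject access request: everything held about this address, or None if nothing is."""
        if email not in self.customers:
            return None
        record = self.customers[email]
        return {
            "email": email,
            "name": record["name"],
            "consent": dict(record["consent"].channels),
            "consent_source": record["consent"].source,
            "consent_recorded_at": record["consent"].recorded_at,
            "suppressed": email in self.suppression,
        }

    def delete_data(self, email):
        """Erasure request: drop the profile. Only the address survives, in the suppression
        file, so the person is not contacted again; that retention is what must be explained."""
        self.customers.pop(email, None)
        self.suppression.add(email)

    def recipients(self, channel):
        """Send list for a campaign: consented to this channel AND not on the suppression file."""
        return sorted(
            email for email, rec in self.customers.items()
            if rec["consent"].channels.get(channel) and email not in self.suppression
        )


def demo():
    """Walk through sign-up, partial opt-out and erasure on constructed sample data."""
    store = MarketingStore()
    # Constructed sample sign-ups; none of these are real people.
    store.record_consent("ana@example.com", "Ana", {"email": True, "sms": True}, "newsletter_form")
    store.record_consent("ben@example.com", "Ben", {"email": True, "sms": False}, "checkout_form")
    store.record_consent("cara@example.com", "Cara", {"sms": True}, "newsletter_form")
    store.opt_out("ben@example.com", "email")  # Ben keeps his account but wants no more email
    store.delete_data("cara@example.com")      # Cara asks for all her data to be deleted
    return store


if __name__ == "__main__":
    s = demo()
    print("email recipients:", s.recipients("email"))
    print("sms recipients:", s.recipients("sms"))
    print("suppression file:", sorted(s.suppression))
```

Two design points carry the article's requirements: `recipients()` checks both the per-channel consent and the suppression file, so an erased or unsubscribed address cannot reappear in a campaign even if a profile is later re-imported, and `export_data()` returns the consent source and timestamp alongside the profile, which is the evidence you would hand over on an access request.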
4. Third Party Apps
Now that you have spent the time and effort to become GDPR compliant, is the case closed? Not quite: under the GDPR, any third party processors you use are now directly and legally obligated to comply with the regulation as well.
What is a third party data processor?
A third party data processor is an entity that processes personally identifiable information (PII) on behalf of a controller. A controller is defined by the GDPR as the entity that determines how that data will be processed and for what purpose. Third party processors include Email Service Providers (ESPs), Customer Relationship Management systems (CRMs) and many others.
Who is responsible?
Experts believe that it is the responsibility of the data controller (your business) to assess and monitor third party vendors and work with them to be GDPR compliant. Businesses will have to ensure third party vendors properly collect, store and process personal data.
What can you do as a controller?
Discuss with your third party partners and read their privacy policies. For new vendors, thoroughly review their privacy policies. Check to see if vendors have the proper certifications and ensure they have the tools to retrieve and delete user data.
With increasing global regulatory complexity, businesses need to take the necessary steps to comply with these regulations. From country-specific data protection laws in Japan and Australia to the EU GDPR, privacy and the protection of personal data are here to stay.
By reviewing your processes, website and marketing campaigns, businesses can implement best practices to comply with regulations while retaining a great UX/UI website design.
Vorbly | Marketing Made Easy