GDPR (General Data Protection Regulation) is coming, what you need to know

The internet has been a great enabler for many businesses but in recent years there have been mounting concerns around data privacy. Facebook is currently in hot water over the transfer of millions of its user’s data to the third party Cambridge Analytica. There’s an ongoing investigation on nation states meddling in elections and large companies are the target of hacks to access the personal information they store on behalf of their users.
The world is rapidly moving toward better data protection for internet users. At Avoca we think this good news for everyone overall. The time is ripe to proactively review your data collection and privacy policies.

You might have received emails with updated terms and conditions from various companies mentioning GDPR (General Data Protection Regulation) or heard about it in the news. It’s easy to brush these off but GDPR shouldn’t be ignored. Here’s why, it’s the first step to a better internet.

What is the General Data Protection Regulation (GDPR)?

GDPR is a new regulation overhauling the rules around the collection, protection & processing of EU citizens private data online. Basically it requires explicit consent to store and use personal data in your business.

The GDPR will become enforceable on May 25, 2018, and will set a high bar for global privacy rights and compliance. We are actively preparing our business and compliance processes for the GDPR to take effect, and this guide is intended to help our customers do the same.

GDPR covers three key areas:

• Data collection – you need permission and you must explain explicitly what you will do with the data you collect.
• Data storage – all data needs to be stored securely
• Removal and sharing of data – once someone unsubscribes or ends their relationship with your business you have to have the ability to completely remove their data and also share a copy of that data with them upon request.

The key takeaway? #datatransparency, GDPR is about putting control of personal data back into consumers hands, which is a good thing.

Why should New Zealand based businesses pay attention to GDPR?

Everyone who has an online presence needs to pay attention!
There’s a good chance you might have the occasional visitor from the EU. If you are collecting email addresses with an optin, using a contact form on your site, using tracking such as Google Analytics, allowing registrations on your website then you are collecting user data. These regulations cover every part of your inbound marketing strategy. It’s important to remember that it’s not just the EU government bodies that can take action.

• Anyone (any citizen of the EU) can report you
• The fines are potentially massive – up to $20,000,000 Euro or 4% of global revenue

There is another, even more important, reason that you should pay attention. This is the general direction that the whole world is heading in. You just have to look at the trouble that Facebook has recently found itself in over the Cambridge Analytica scandal to see why this is an issue that needs to be addressed. We expect New Zealand, Australia and countries like the United States to follow suit over the next few years.
Here are some excellent examples from the New Zealand Law Society of ways the GDPR regulations can apply to New Zealand based businesses.

How do you become GDPR compliant?

Start by reviewing what might need updating

The first step is to review your current setup. If you’re not sure what is installed on your website or what functionality might need to be adjusted then you might need to consult with your website developer.
If you currently do any of the following activities on your website then you need to review your policies and probably enact some changes:

• Track users with Google Analytics, marketing automation tools like Active Campaign (this is virtually everyone!)
• Use contact forms or any kind of form that contains personal information
• Sell using a shopping cart (Woocommerce, Shopify etc)
• Use email marketing and optin’s to grow an email list – basically any kind of inbound marketing is effected
• Run a membership site, or allow user registrations
• Have a audience in the EU countries or target traffic from EU countries

1. Update your privacy policy

Privacy policy page – to notify website visitors of your alignment and compliance with GDPR you need a privacy policy on your website which is clear, accessible and up to date. It could also include a statement on how you will not share their data with any other company. You might want to talk to your lawyer to have them help you with this. Privacy policies will need to be easy to read and understand (think plain english, not legalise).
Here is a great sample privacy policy template to get you started

2. Get explicit consent to process data in your shop and on your contact forms

When a user submits a contact form or buys a product on your shop they are required to fill in personal data. This is usually stored on your website and emailed to you. You now need to ask for permission to store and use that data to comply with GDPR. This needs to be explicit and cannot not pre ticked.
“I consent to my submitted data being collected and stored”. You can also include a link to your privacy policy here for extra clarity. By making the field required you can ensure that the data isn’t submitted to you without the users consent.

The GDPR regulation requires A ‘lawful basis’ to collect any information – you have to be able to prove at any point in time that you received the consent of the user. 

Users also need to know that at any point in time they can request to have their information deleted from anywhere you may have it stored.

3. Review the visitor tracking you have installed on the site

Tracking website visitors is a key part of measuring the success of your online efforts and 99% of websites will have some kind of tracking installed. Google Analytics is the most common tool for this purpose. Google Analytics has release new tools to anonymise IP addresses and other data privacy changes to comply with GDPR. However there are features in Google analytics such as demographic information that, if in use, require explicit consent from your users.
In recent years marketing automation companies like Active Campaign and advertising companies like Facebook have developed tools for tracking audiences that use your website. These tracking tools provide you with better data to help segment your email list and advertising efforts. Under GDPR tracking tools like this now all require explicit consent.
You should consider removing tracking services that are not really needed. If you’ve installed one just to “have it ready incase I need it”, then now is the time to remove it until you have a clear use case and can ask your users for permission.
Here are some helpful links to companies advise on consent around tracking on your website

• Facebook – https://developers.facebook.com/docs/privacy
• Google Analytics – http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics

4. Review your inbound marketing, email marketing and optin strategies

Optins – Are you trading information for an email address? Under GDPR you can no longer offer a resource/download and automatically add them to your database, email list and send them further marketing information or emails. If you have downloadable information that you trade an email address for (e.g. you offer ebook for download -> get email the customers address -> send ebook -> and the email address ends up in your email database) then you may have to change the way this is done.
You need clear, explicit consent form the user before you add them to a list. A prefilled checkbox in a contact form or a vaguely worded optin form are no longer enough. 

A double optin email signup process is acceptable for consent. i.e You have to offer an explicit opt in to make the visitor aware that “as I download this I have to explicitly opt in to receive any further communication from you. or can that they can still get the resource without opt-ing in.

5. Setup Data Processing Agreements (DPA’s) with services you use (e.g. Mailchimp)

Contracts with third party data processors are now required that define how they are using and storing your clients information.

Here are some companies you might need data processing agreements with

• Google Analytics
• Stripe – contact customer service privacy@stripe.com and they will email you a data processing agreement to sign online.
• MailChimp
• PayPal
• Any other payment processing service
• Zapier
• Active Campaign – https://www.activecampaign.com/gdpr-updates/

Typically they make it easy – go online and find it fill in the form

6. Set up a process for removing clients who request it or those you no longer work with

What happens to the personal data you have collected once the customer is no longer a customer? If you don’t have a plan in place for this then you need to familiarise yourself with where all the data is and how to remove it upon request. Under the regulations, anyone can request at anytime that you delete their data you have stored.
Also it’s a great opportunity to clean out your email lists of old, unengaged subscribers that are not bringing you new business anyway.

When do these changes need to be in place?

These changes should be in place before the regulations come into effect on 25 May 2018.

WordPress Specific GDPR tools and links

There are a number of WordPress specific tools and WordPress itself is about to release an update that will help you become GDPR compliant. The upcoming 4.9.6 update to WordPress gives you tools to audit and remove users personal data from your website. We’ll be updating all our websites, as soon as this is released.
A good quick fix for businesses that just have ecommerce or contact forms on their websites is the WP GDPR compliance plugin. That will help you place the required permission checkboxes in the contact forms and shopping checkout.
https://wordpress.org/plugins/wp-gdpr-compliance/
Commonly used plugins on our sites have put together guides on how to make your site compliant

• Gravity forms, our go to form plugin has this advice on GDPR – https://docs.gravityforms.com/wordpress-gravity-forms-and-gdpr-compliance/
• Woocommerce – https://woocommerce.com/2017/12/gdpr-compliance-woocommerce/

What if you don’t really understand GDPR and need help?

GDPR is a massive, far reaching change in the data protection landscape. We can help you wrap your head around it and make the required changes to your website. Drop us a line with your questions or concerns.
Disclaimer: The advice and suggestions in this post are NOT legal advice. Please consult a lawyer versed in GDPR if you want to ensure your efforts fully comply with the regulations.

What does the future hold?

We don’t have a crystal ball to see what other parts of the world will do. However, we believe that the rest of the world will follow suit at least to some extent and enact data protection laws over the next few years. Now is a great time to review your existing policies. Make sure you have explicit permission for the data you are collecting.
It boils down to some key principals; don’t trick people, use their data wisely, be honest and you will prosper.