On May 25, 2018, the European Union’s (EU) new General Data Protection Regulation (GDPR) regulations related to personal data collection will go into effect. A quick google search will produce a wide range of sources capable of providing an overview but in a nutshell, it means that if your organization processes personal data of EU citizens, you must comply with required consent measures.
If your organization collects and stores user EU citizen data (often referred to in the regulations as “data subjects”), the individual providing the information needs to be aware of it and give permission before any action is taken.
Along with providing permission to collect data, the GDPR requires that users can request access to their data and have it removed if requested.
One of the more common areas where this will impact your organization is in email marketing opt-in forms and e-commerce checkouts.
Making those forms GDPR compliant is pretty straightforward; in most instances it means included checkboxes for opt-in consent, and editable sections that explain how and why you are using data.
Most major email marketing providers are already incorporating these elements into opt-in and user account functionality, but you’ll want to check with your e-commerce provider and modify any other forms you manage directly that are used to collect user information.
Anything that can identify a living person directly or indirectly, such as:
- Email address
- Social security number
- Location data
- IP address
Data subjects have the following rights concerning their personal data
- Restrictions on processing
- Data portability
- Revision of automated decisions or profiling
Providing data subjects with a way to provide consent is key to the regulations
This is very straightforward, something as simple as a required opt-in checkbox that states “I consent to my submitted data being collected and stored” will suffice.
This should describe why your organization is collecting the information on your form. Example:
ArtsHacker will use the information you provide on this form to be in touch with you and to provide content updates and marketing.
A straightforward checkbox field for each messaging point of contact will suffice. Example:
Please let us know all the ways you would like to hear from us:
- Direct Mail
- Customized online advertising (i.e. targeted search results and social media ads)
Explains how your organization plans on using the data, identify your organization (including any parent company), others besides your company that will be processing user data, a Cookie Statement, and indicate how data subjects can opt-out and obtain a copy of their information. Example (this sample is from the suggested Legal Text provided via ArtsHacker’s MailChimp account):
You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at firstname.lastname@example.org. We will treat your information with respect. For more information about our privacy practices please visit our website. By submitting your information, you agree that we may process your information in accordance with these terms.
This information should clearly explain how and where storage activity occurs. This is where things can get rather involved, especially if you share that information with third party providers. Some examples of storage activity and their locations include, but are not limited to:
- Websites: database plus plugins and add-ons from third party providers that may collect usage data.
- Files: documents, spreadsheets, databases, PDFs.
- Storage and backups: computers, portable drives, USB sticks, DVDs, online.
- Cloud storage: Dropbox, Google Drive, Amazon S3, etc.
- Email and email attachments.
- CRM and ticketing systems.
- Email marketing providers.
- Social media platforms.
- Messaging apps (such as Slack, Facebook Messenger, etc.)
- Productivity and connectivity apps such as Zapier, Trello, Basecamp, etc.
- Good old-fashioned paper and electronic records you store in the office.