The GDPR (General Data Protection Regulation, or more specifically Regulation (EU) 2016/679) is a Europe-wide data privacy and protection law that aims primarily to give citizens and residents control back over their personal data, and to simplify the regulatory environment for international business by unifying regulation within the EU. It becomes enforceable on 25 May 2018.
The following is not legal advice; rather, it is the opinion of Brian Clifton, author of Advanced Web Metrics with Google Analytics and Successful Analytics: Gain Business Insights by Managing Google Analytics. He is Director of Data Insights & Analytics at Search Integration Sweden AB.
From a website owner’s point of view, little changes in terms of end-user privacy. That is, the EU takes the privacy rights of its citizens seriously, and you need to comply with the law if you conduct business with any EU citizen—including EU citizens visiting your website. What does change is your liability. That is, failure to be compliant can lead to a fine of €20M, or 4% of your global revenue. The aim is clear—to make privacy laws bite!
Key requirements of the GDPR from a website owner’s point of view:
- Ignorance cannot be used as an excuse—you must nominate a Chief Data Officer who is responsible for data privacy.
- If you collect PII, it must be clear and transparent to the visitor who has access to this data.
- If you collect PII, it must be possible for an end-user to request that their information is deleted (this does not include keeping company records of purchases).
- For all website visitors, you must gain explicit consent before you begin to track them (deliberate emphasis on consent and before).
Note that GDPR is not just about operating a website; it is about how you conduct business with EU citizens. However, this brief guide is concerned only with the implications of compliance for your website. See also PII Reference Guide.