This post is for you if you’re a small business owner, freelancer, blogger, or have a website which processes personal data of any kind.
“The processing of personal data should be designed to serve mankind.”
Recital 4 EU GDPR
But what about so-called ‘cookie data’? With modern technology, we can start collecting personal information within nanoseconds of someone visiting your website. And yes, you can stick a pop-up on your site and require that visitors tick it – and declare that continued browsing constitutes consent. But consent can no longer be assumed under GDPR – so what do we do next?
The truth is that no one really knows at this time. While we’re waiting for the European Union’s supplementary legislation, the e-Privacy Directive, we can only speculate on what GDPR means for cookie data.
Some businesses are so unwilling to risk the 20,000,000 Euro penalty, they’re planning to block traffic to their sites from the European Union altogether. Others have created a black screen covering their whole website until the visitors explicitly agree to cookie data being collected.
None of these measures is necessary. Your best bet is to be as open and honest as possible about all data collected. Follow the GDPR advice, as outlined in this template, by disclosing all parties with which you share customer data and how that data is used. Basically, don’t be sneaky and you should be fine.
Technology is playing catch-up with legislation in this case and data giants like Google and Facebook are now working hard to comply with GDPR and create tools to manage user consent. Soon, you can expect to see a program called Funding Choices developed by Google to get a clear ‘Yes’ or ‘No’ on whether the user wants to see advertising tailored to their interests (by using cookie data). But the internet is not expected to stop working while we’re waiting for this tool to be rolled out to all publishers.
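The point above is that “continued browsing” is not consent: non-essential cookies and trackers should stay off until the visitor explicitly says yes, and you do not need to black out the whole site to achieve that. As an added illustration (example code, not from the original post or from any vendor’s consent tool), the gate below treats “no decision”, a dismissed banner or a corrupt stored record as no consent and only enables the non-essential trackers after a recorded opt-in. The storage key and tracker names are assumptions.

```javascript
// Added example: a minimal consent gate for non-essential trackers.
// Default is "no consent"; only an explicit, timestamped opt-in enables them.

const CONSENT_KEY = "cookie-consent"; // assumed storage key for this example

// Parse the stored decision. Anything other than an explicit "granted"
// record with a timestamp counts as no consent (including no record at all).
function parseConsent(raw) {
  if (!raw) return { granted: false, reason: "no-decision" };
  try {
    const rec = JSON.parse(raw);
    if (rec && rec.choice === "granted" && typeof rec.at === "number") {
      return { granted: true, reason: "explicit-optin", at: rec.at };
    }
    if (rec && rec.choice === "denied") {
      return { granted: false, reason: "explicit-optout" };
    }
  } catch (e) {
    // corrupt record: fall through and treat as no consent
  }
  return { granted: false, reason: "invalid-record" };
}

// Essential cookies (session, CSRF token) need no consent under the
// e-Privacy rules; everything else is gated on the recorded decision.
function allowedTrackers(trackers, consent) {
  return trackers.filter((t) => t.essential || consent.granted);
}

// Record a decision. Only a real click on "Yes" or "No" should call this;
// closing the banner or scrolling the page must not.
function recordDecision(storage, choice, now = Date.now()) {
  if (choice !== "granted" && choice !== "denied") {
    throw new Error("invalid choice: " + choice);
  }
  storage.setItem(CONSENT_KEY, JSON.stringify({ choice, at: now }));
  return parseConsent(storage.getItem(CONSENT_KEY));
}

// Constructed sample registry of what a small site might load.
const TRACKERS = [
  { name: "session", essential: true },
  { name: "google-analytics", essential: false },
  { name: "facebook-pixel", essential: false },
];
```

In a real page you would call `allowedTrackers(TRACKERS, parseConsent(localStorage.getItem(CONSENT_KEY)))` on load and only inject the scripts it returns.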
First of all, don’t assume GDPR doesn’t apply to you. It doesn’t matter if you:
- Don’t live and work in the European Union. If any of your website visitors or email subscribers do, you must observe their rights under EU legislation.
- Are a one-person business. GDPR affects everyone, no matter the size of the business. Everyone is expected to comply, although liability may be limited for businesses under 250 employees. So you might avoid that 20,000,000 Euro penalty after all. Fun fact: most small businesses in the UK are also required to register with the ICO if they handle personal data (which you almost certainly do). To check, you can fill out this assessment: https://ico.org.uk/for-organisations/register/self-assessment/
Now that we’ve established you do need to do something about GDPR, here’s what those steps should be:
2. The controller needs to carry out an assessment of how your organisation currently collects and handles personal data. This assessment should be documented and needs to include listing all data processors who have access to the data and evaluating how those companies handle data.
So for example, a blogger from the UK will likely list Google, Facebook and Mailchimp as their data processors (processing personal data on their behalf). They should then check how that data is collected – are they outright asking the user’s permission to collect the data? Are they informing the user of what type of data is being collected and how it’s going to be used in plain language? Are they making it easy for them to read more, should they wish to do so?
If your assessment flags up any issues or risks, you are required to consult with a supervisory authority (in the UK that’s the ICO). Failure to do so can result in a penalty. So, for example, if you discover that the email system you use doesn’t maintain records of personal data (which it is required to do), you must inform the supervisory authority.
3. During your assessment you will also analyse the way in which you collect data at the moment and check if it’s in line with GDPR.
So, for example, a standard lead-magnet sign-up box, like the one we’d find on almost any website:
6. Start maintaining a record of how you handle personal data. Demonstrate your safeguarding processes and how you monitor all your data processors. Be prepared to prove that you obtained consent for all of the personal data you handle.
7. If you suffer a personal data breach (like your website being hacked), you must notify the supervisory authority and the data subjects of that fact within 72 hours. Yes, that means you must email all your subscribers to tell them you’ve been hacked and their data might have been compromised.