General Data Protection Regulation (GDPR) is a game changer for online

Mark Gregory

The General Data Protection Regulation (GDPR) comes into effect in 2018 introducing new laws that the online world may not be ready for. It will change the way your business can collect, use and transfer personal data.

Previously, we saw the introduction of permission prompts for cookies on websites following a review of the Data Protection Act. We all very quickly got used to pressing the x on the box and taking little notice of the associated blurb. That introduced some usability issues, and many discussions on whether consent to further contact should be opt-in or opt-out.

The way in which personal data was recorded then became more formalised, and breaches of data use (for example, charities sharing donor details) have brought attention to data management. Larger companies therefore brought in more policies and management of personal data, but other than layers of admin, the impact on consumers and website usability was minor.

In May 2018, there will be a very different landscape.

Any form of online tracking, whether of a registered user or an anonymous profile, must be done with full human approval and consent.

Below is a list of actions which will be necessary to complete.

  • Every element of tracking must be explicitly approved. So sharing data with any third parties means each must be stated and approved by the user
  • A Data Protection Officer in a business must report directly to the highest management level – MD or higher
  • Every action to be taken with data must have explicit permission; therefore, multiple permission boxes for email, third parties, purchase or search history, etc.
  • Companies need a method for providing all data held on an individual (named or by IP) in a simple, commonly used format, because anyone can demand to see all data a company holds about them
  • Tick boxes must be ticked; they can’t be pre-filled
  • Users can demand complete and permanent deletion of their data from a company’s records
  • Data Protection Officers will need to be appointed in businesses with “significant data”
  • Service teams and their systems will need new rules regarding the data to be gathered, the notifications given and access to layers of data
  • HR will need new processes, contracts (all staff) and training in new laws

For websites, the implications could be widespread:

  • A data breach could attract a fine of up to 4% of global turnover, which for smaller businesses could mean closure or bankruptcy
  • Tracking can only be implemented if agreed to. So here is a question: how will Google Analytics, DoubleClick, AdWords tracking and all the other tracking codes be presented for “permission”?
  • When the permission requests appear how much page abandonment will occur and what impact will this have on CTR, Quality Score etc?
  • Affiliate partnerships based on iFrames, or API data swaps could be under threat
  • Partnerships will need to be visible, giving all competitors potentially sensitive data
  • Responsibility for collating data and passing it on in response to consumer demands, or for eradicating data, could become complicated where partners are involved
  • Updating Content Management Systems (CMS) or data management platforms (Salesforce) will be necessary, and becoming compliant may involve buying expensive additional elements. Suppliers may well have clients trapped
  • Sites running on a custom CMS may find the updates beyond the agencies’ abilities, available resource or management time, or the updates may simply blow their budgets

There is a lot to think about from this post. Make sure you are ready for this change and its implications, and look out for further information on the impact on your online activities.