Recently, a new set of regulations governing how businesses hold client information online came into force: the EU General Data Protection Regulation (GDPR). These rules change what personal data your website may lawfully collect and what you may do with it. They give individuals control over their personal data and guarantee them the right to consent to, or refuse, its use.
But this is an EU law that only applies to EU businesses, right?
Wrong. The GDPR applies not only to businesses established in the EU but also to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour. If your business operates online and someone in the EU is a customer or lead, you are bound by these rules. In practice it is impossible to know whether you have EU residents in your database: if there are fields that visitors can fill in on your website, anyone in the world can submit the information you are asking for, and there is no reliable way to stop people in the EU from doing so. So, effectively, the GDPR needs to be treated as applying to every website that collects personal data, no matter where it is based. The fines for non-compliance are hefty (a maximum of €20 million or 4% of a company’s global annual turnover, whichever is higher), so compliance is recommended across the globe as a purely precautionary measure.
So, how can my company use personal information?
You can still collect the details of your customers and leads; however, you need a lawful basis for using them. Consent is one of several lawful bases under the GDPR, but it is the one that most marketing and sign-up forms rely on, and it must be obtained before you use a person’s details. Businesses must now tell consumers exactly what they are signing up for, and stick tightly to that explanation: data collected for one stated purpose cannot quietly be reused for another.
Businesses can no longer make a service, upgrade or discount conditional on customers handing over personal information that is not actually needed to provide it, because consent given under that kind of pressure does not count as freely given. All customers have the unwavering right to know what information you hold about them at any given time. In addition, they must be given the opportunity to correct or delete that information whenever they wish, unless the business has a lawful reason to keep it (for example, a legal obligation to retain records).
Underpinning all of these rules is the requirement to implement a higher level of data security than has previously been standard: security measures appropriate to the risk the data carries. If businesses don’t comply with this, consumers have a clear right to claim compensation for damage resulting from the misuse or loss of their data.
How can I get explicit consent from a consumer?
Valid consent is clear permission given freely and specifically by an informed consumer through an affirmative action; silence, inactivity or a pre-ticked box does not count. Consumers need to be told upfront exactly how their personal information will be used and by whom. For example, any electronic marketing material (like emails) that you send on behalf of your business needs the customer’s unambiguous, affirmative consent. They cannot have been pressured or coerced into agreeing in any way, and they must be able to withdraw consent at any point; withdrawing consent must be as easy as giving it. Keep evidence of each consumer’s consent on file (who consented, when, how, and to what wording) in case there is a dispute down the track.
Quick tips to help you comply
- Remove any pre-ticked check boxes from your site; each purpose (newsletter, offers, sharing with partners) should have its own unticked box.
- Remove any automatic requests for further information in return for a tangible or intangible benefit, and collect only the data you actually need.
- Ensure consumers have an easy way to access, correct or delete the information they have provided, and to withdraw consent.
- Update your data security and protection measures so they match the sensitivity and volume of the data you hold.
- Report any personal data breach to your national supervisory authority within 72 hours of becoming aware of it where the breach is likely to put individuals at risk, and tell the affected individuals without undue delay where that risk is high.
Don’t get caught out failing to comply. Take the necessary precautions today to avoid the mammoth consequences you may face in the future. If you need help or advice on what you need to do to make sure you’re following the new GDPR legislation, get in touch with Webcentral today. Call one of our Digital Strategists or send us an email to get the ball rolling on your business’ GDPR compliance.