What GDPR Compliance means for Botswana-based websites – Everything You Need to Know
by Zuri Media
Are you confused by GDPR, and how it will impact your website? GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about. In this article, we will explain everything you need to know about GDPR (without the complex legal stuff). The GDPR compliance deadline is the 25th of May 2018.
Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.
Basically, after May 25th, 2018, businesses that are not in compliance with GDPR’s requirements can face large fines of up to 4% of a company’s annual global revenue OR €20 million (whichever is greater). This is enough reason to cause widespread panic among businesses around the world.
This brings us to the big question that you might be thinking about:
Does GDPR apply to my website here in Botswana?
The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).
If your website has visitors from European Union countries, then this law applies to you.
But don’t panic, this isn’t the end of the world.
While GDPR has the potential to escalate to those high levels of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.
The EU isn’t some evil government that is out to get you. Their goal is to protect consumers, average people like you and me, from reckless handling of data and breaches, because it’s getting out of control.
The maximum fine, in our opinion, is largely there to get the attention of large companies like Facebook and Google, so this regulation is NOT ignored. Furthermore, it encourages companies to actually put more emphasis on protecting the rights of people.
Once you understand what is required by GDPR and the spirit of the law, then you will realize that none of this is too crazy.
What is required under GDPR?
The goal of GDPR is to protect users’ personally identifiable information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.
Personal data includes: name, email address, physical address, IP address, health information, income, etc.
While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:
Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form, because they DID NOT opt in to your marketing newsletter (that’s called SPAM by the way, and you shouldn’t be doing that anyway).
For it to be considered explicit consent, you must require a positive opt-in (i.e. no pre-ticked checkbox), use clear wording (no legalese), and keep it separate from other terms & conditions.
Rights to Data – you must inform individuals where, why, and how their data is processed and stored. An individual has the right to download their personal data, and also has the right to be forgotten, meaning they can ask for their data to be deleted.
This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure). I’m looking at you Zenefits, still waiting for my account to be deleted for 2 years and hoping that you stop sending me spam emails just because I made the mistake of trying out your service.
Breach Notification – organizations must report certain types of data breaches to the relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individuals’ data. However, if a breach is high-risk, then the company MUST also inform the individuals who are impacted right away.
This will hopefully prevent cover-ups like Yahoo’s breach, which was not revealed until the acquisition.
Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.
To put it in plain English, GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent (good luck getting this consent). Businesses have to delete users’ accounts and unsubscribe them from email lists if the user asks them to. Businesses have to report data breaches and overall be better about data protection.
Sounds pretty good, in theory at least.
Ok, so now you are probably wondering what you need to do to make sure that your website is GDPR compliant.
Well, that really depends on your specific website (more on this later).
Let us start by answering the biggest question that we’ve gotten from users:
Areas on Your Website that are Impacted by GDPR
As a website owner, you might be using various plugins or addons that store or process data like contact forms, analytics, email marketing, online store, membership sites, etc.
Depending on which plugins or addons you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.
If you are using a contact form on your website, then you may have to add extra transparency measures, especially if you’re storing the form entries or using the data for marketing purposes.
Below are the things you might want to consider for making your website forms GDPR compliant:
- Get explicit consent from users to store their information.
- Get explicit consent from users if you are planning to use their data for marketing purposes (i.e. adding them to your email list).
- Disable cookies, user-agent, and IP tracking for forms.
- Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
- Comply with data-deletion requests.
- Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.
Simply adding a required consent checkbox with a clear explanation should be good enough to make your website forms GDPR compliant.
Email Marketing Opt-in Forms
Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.
This can be done with either:
- Adding a checkbox that the user has to tick before opting in
- Simply requiring double opt-in to your email list
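The form checklist above and the two opt-in options come together in this added example, which is not code from the original article. It is a minimal server-side handler (hypothetical, with in-memory stores and constructed consent wording) that rejects submissions lacking an affirmative consent value, records which wording was agreed to and when, stores no IP address or user agent, only adds an address to the newsletter after a random emailed token is confirmed, and honours a deletion request across every store.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set

# Constructed wording shown next to each (unticked) checkbox, versioned so a
# stored entry can later show exactly what the person agreed to.
STORAGE_CONSENT_V1 = "I agree that my details are stored so you can reply to my enquiry."
NEWSLETTER_CONSENT_V1 = "Also send me the marketing newsletter (optional, separate from the above)."

@dataclass
class Entry:
    email: str
    message: str
    consent_text: str   # the wording the user actually agreed to
    consented_at: str   # ISO timestamp of the positive opt-in
    # deliberately no ip_address / user_agent fields: that tracking is disabled

ENTRIES: Dict[str, Entry] = {}    # stored contact-form entries, keyed by email
PENDING: Dict[str, str] = {}      # double opt-in token -> email awaiting confirmation
NEWSLETTER: Set[str] = set()      # confirmed subscribers only

def submit_form(fields: Dict[str, str]) -> Optional[str]:
    """Validate a posted contact form. Returns the double opt-in token when the
    newsletter box was also ticked, otherwise None."""
    # The checkbox is rendered unticked and posts "yes" only when the user ticks it;
    # the server never treats a missing or different value as agreement.
    if fields.get("storage_consent") != "yes":
        raise ValueError("explicit consent to store the entry is required")
    now = datetime.now(timezone.utc).isoformat()
    ENTRIES[fields["email"]] = Entry(fields["email"], fields["message"], STORAGE_CONSENT_V1, now)
    # Newsletter consent is a separate checkbox; even when ticked, the address is
    # only subscribed after the user follows the emailed confirmation link.
    if fields.get("newsletter_consent") == "yes":
        token = secrets.token_urlsafe(32)
        PENDING[token] = fields["email"]
        return token
    return None

def confirm_newsletter(token: str) -> bool:
    """Second step of double opt-in: the link in the confirmation email."""
    email = PENDING.pop(token, None)
    if email is None:
        return False
    NEWSLETTER.add(email)
    return True

def delete_person(email: str) -> bool:
    """Honour a right-to-be-forgotten request across every store."""
    found = ENTRIES.pop(email, None) is not None or email in NEWSLETTER
    NEWSLETTER.discard(email)
    for tok in [t for t, e in PENDING.items() if e == email]:
        del PENDING[tok]
    return found
```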
If you’re running an e-commerce website, then you need to make sure your website is in compliance with GDPR.
If your website is running retargeting pixels or retargeting ads, then you will need to get users’ consent. You can do this by adding a cookie notice to your website.
Whether you’re ready or not, GDPR will go into effect on May 25, 2018. If your website is not compliant before then, don’t panic. Just continue to work towards compliance and get it done asap.
The likelihood of you getting a fine the day after this rule goes into effect is pretty close to zero, because the European Union’s website states that first you’ll get a warning, then a reprimand, and fines are the last step if you fail to comply and knowingly ignore the law.
The EU is not out to get you. They’re doing this to protect users’ data and restore people’s trust in online businesses. As the world goes digital, we need these standards. With the recent data breaches at large companies, it’s important that these standards are adopted globally.
It will be good for all involved. These new rules will help boost consumer confidence and in turn help grow your business.
We hope this article helped you learn about GDPR compliance. We will do our best to keep it updated as more information or tools get released. If you need help making sure your website is compliant, get in touch with us at Zuri Media.
8th April 2018
4th April 2018