GDPR - WHAT IS IT & WHAT DO YOU NEED TO DO?
By Tomahawk on
GDPR. No, it’s not just another buzzword floating around the internet. Everyone with a website needs to pay attention!
What is GDPR?
GDPR stands for General Data Protection Regulation. It applies from the 25th of May 2018 and replaces the Data Protection Directive (95/46/EC) that has been in force since 1995. It is an EU law, but it reaches well beyond the EU’s borders (more on that below). In the simplest terms, it boils down to protecting the rights of people who give you their personal data.
What personal data might you be collecting?
If your site runs Google Analytics, embeds videos from YouTube, has an e-commerce function that collects billing information, or loads other third-party features that set “cookies” in the visitor’s browser, then you are collecting personal data. Under GDPR that includes not just names and payment details but also IP addresses and the cookie and device identifiers these tools use to recognise a visitor.
GDPR does not only affect your business and your website but also any third-party providers that handle data on your behalf, which in the travel industry means your booking engine provider too.
Since they act as a data processor, you need a written contract with them that sets out what they may do with the data, and they must have appropriate security measures in place and notify you without undue delay of any breach that happens.
Who does GDPR apply to?
The biggest misconception about GDPR is that you only need to be compliant if you run a business out of one of the EU member states. It actually applies to any business, wherever it is located, that does either of the following:
- Actively offers goods or services to people in the EU (pricing in euros or a site translated into an EU language are strong indicators)
- Monitors the behaviour of people in the EU, which includes collecting pseudonymous data such as the cookie and device identifiers that analytics tools rely on
So whether your business is based in the US or New Zealand, if you do either of these you are required to comply with the GDPR. In practice, any business with a public website should take this law seriously, because you really can’t control who visits your website.
What you need to do
Now let’s drill down into what you need to be doing on your site to work towards compliance. Start by documenting, for every form, script and integration on the site:
- What data it collects
- How the data is collected
- What it will be used for
- How you secure it
- Which third parties will have access to it
- What controls the user has over this collection (access, correction, deletion and withdrawal of consent)
ADD A CONSENT MECHANISM
If you are collecting names or email addresses, and/or if you run Google Analytics, you are collecting data and using “cookies.”
Cookies are small files that are automatically dropped on your computer as you browse the web. Cookies themselves are harmless bits of text that are stored locally and can easily be viewed and deleted. But cookies can give a great deal of insight into your activity and preferences, which can be used to identify you without your explicit consent. That is why non-essential cookies, such as those set by analytics and embedded video, need the visitor’s consent before they are set; a banner that merely announces them after the fact is not enough.
Another consent mechanism to be aware of is your newsletter signup: that opt-in box that is already ticked. In the new world of GDPR compliance, that is a big no-no. Think: Active Opt-in. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; a pre-ticked box, silence or inactivity does not count. So before you start collecting any information, make sure the consent is clear, affirmative and explicit, keep a record of who consented, when and to what, and make withdrawing consent as easy as giving it.
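As an added example (not code from the original post or from any vendor it mentions), the following script models the consent rules described above: consent checkboxes must start unticked, consent is recorded per purpose with a timestamp and the policy version, withdrawal produces a fresh record, and cookie-setting third parties such as analytics and embedded video are only loaded for purposes the visitor affirmatively consented to. The purpose names, the record shape and the loader URLs are assumptions for illustration; the `fields` object mirrors the `checked` and `defaultChecked` properties of real checkbox elements so the logic can be exercised outside a browser.

```javascript
// Added example, not part of the original post. Purpose names, record shape
// and loader URLs are assumptions chosen for illustration.

const PURPOSES = ["analytics", "video_embeds", "newsletter"];

// Hypothetical map of purpose -> third-party script that would set cookies.
// Nothing in this map is fetched until the matching purpose is consented to.
const LOADERS = {
  analytics: "https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID",
  video_embeds: "https://www.youtube.com/iframe_api",
};

// A pre-ticked box is not consent (GDPR Recital 32), so a form that renders
// one is a configuration error to fix, not something to validate around.
// `fields` is a plain object: { purpose: { checked, defaultChecked } }.
function validateConsentForm(fields) {
  const errors = [];
  for (const purpose of PURPOSES) {
    const box = fields[purpose];
    if (box && box.defaultChecked) {
      errors.push(`checkbox for ${purpose} is pre-ticked`);
    }
  }
  return errors;
}

// Build the consent record on submit. Only a box that started unticked and is
// now ticked counts; a missing or unticked box means no consent for that purpose.
function recordConsent(fields, policyVersion, now = new Date()) {
  const errors = validateConsentForm(fields);
  if (errors.length) {
    throw new Error("invalid consent form: " + errors.join("; "));
  }
  const purposes = {};
  for (const purpose of PURPOSES) {
    const box = fields[purpose];
    purposes[purpose] = Boolean(box && box.checked === true);
  }
  // The record is what you keep as evidence: what was agreed, when, under
  // which version of the privacy text.
  return { policyVersion, timestamp: now.toISOString(), purposes };
}

// Withdrawal must be as easy as giving consent (Art. 7(3)). Returns a new
// record so the earlier one can be retained as an audit trail.
function withdrawConsent(record, purpose, now = new Date()) {
  return {
    ...record,
    timestamp: now.toISOString(),
    purposes: { ...record.purposes, [purpose]: false },
  };
}

// Which third-party scripts may be injected for this record. With no record
// at all (first visit, before the visitor has chosen), nothing loads.
function allowedLoaders(record) {
  if (!record) return [];
  return Object.keys(LOADERS)
    .filter((purpose) => record.purposes[purpose] === true)
    .map((purpose) => LOADERS[purpose]);
}

// Browser wiring: inject <script> tags only for allowed loaders. Outside a
// browser (no `document`) it just returns the list it would have injected.
function loadAllowed(record, doc = typeof document !== "undefined" ? document : null) {
  const urls = allowedLoaders(record);
  if (!doc) return urls;
  for (const src of urls) {
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return urls;
}
```

In a real page you would read the checkboxes into `fields` on submit, persist the returned record in a first-party cookie or local storage alongside the policy version, and call `loadAllowed` on every page view with the stored record, so analytics and video embeds never set a cookie before the visitor has said yes.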
DO YOU HAVE SOME SPECIFIC DATA PROCESSING GUIDELINES IN PLACE?
Make sure you have appropriate technical and organisational security measures in place for the data you store and process, and keep written records of the processing activities you carry out (what data, why, who it is shared with, and how long you keep it). Only keep personal data for as long as it is necessary for the purpose you collected it for, then delete it. How you and your staff handle personal data in your everyday business activity must be controlled and protected, and if personal data is breached you must be able to notify your supervisory authority within 72 hours.
If you are not yet working towards GDPR compliance, the time to do so is NOW.
There are big penalties for non-compliance: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.