“The processing of personal data should be designed to serve mankind.”
Recital 4 EU GDPR
What constitutes ‘personal data’? Good question, and it appears that the creators of GDPR may not be so sure of the answer themselves. On the one hand we have obvious examples, like a customer’s email address, their name or credit card details. This type of information is usually handed over knowingly and it’s easy to get the visitors’ consent before obtaining it. But what about so-called ‘cookie data’? With modern technology, we can start collecting personal information within nanoseconds of someone visiting your website. And yes, you can stick a pop-up on your site and require that visitors tick it, and state that continued browsing constitutes consent. But consent can no longer be assumed under GDPR, so what do we do next?

The truth is that no one really knows at this time. While we’re waiting for the European Union’s supplementary legislation, the e-Privacy Directive, we can only speculate on what GDPR means for cookie data. Some businesses are so unwilling to risk the 20,000,000 Euro penalty that they’re planning to block traffic to their sites from the European Union altogether. Others have created a black screen covering their whole website until the visitors explicitly agree to cookie data being collected. None of these measures are necessary. Your best bet is to be as open and honest as possible about all data collected. Follow the GDPR advice, as outlined in this template, by disclosing all parties with which you share customer data and how that data is used. Basically, don’t be sneaky and you should be fine.

Technology is playing catch-up with legislation in this case, and data giants like Google and Facebook are now working hard to comply with GDPR and create tools to manage user consent. Soon, you can expect to see a program called Funding Choices, developed by Google, to get a clear ‘Yes’ or ‘No’ on whether the user wants to see advertising tailored to their interests (by using cookie data). But the internet is not expected to stop working while we’re waiting for this tool to be rolled out to all publishers.
So what ARE YOU expected to do to comply with GDPR as a small business owner, blogger, freelancer or owner of an information site? First of all, don’t assume GDPR doesn’t apply to you. It doesn’t matter if you:
- Don’t live and work in the European Union. If any of your website visitors or email subscribers do, you must observe their rights under EU legislation.
- Are a one-person business. GDPR affects everyone, no matter the size of the business. Everyone is expected to comply, although liability may be limited for businesses under 250 employees. So you might avoid that 20,000,000 penalty after all. Fun fact: most small businesses in the UK are also required to register with the ICO if they handle personal data (which you almost certainly do). To check, you can fill out this assessment: https://ico.org.uk/for-organisations/register/self-assessment/
Now that we’ve established you do need to do something about GDPR, here’s what those steps should be: