The European Union has implemented a rule known as the General Data Protection Regulation, or GDPR. You may have seen this mentioned in the news, in your email inbox, or on the websites you visit. It’s highly visible to you as a consumer, but how should it affect you as a business or site owner? Let’s find out.
Please note that the following opinion is not legal advice.
What does the GDPR regulate?
The entire text of the GDPR regulation contains about 54,880 words, and of those words, almost 5% are either “personal”, “data”, or “processing”. Labeling the GDPR as a regulation on personal data processing is quite accurate.
The GDPR contains a few definitions that show who and what is being regulated. “Profiling” is the automated processing/evaluation of personal data including preferences, interests, and location. “Controllers” determine the purpose and means for processing data. “Processors” capture and process data for the controller. If your organization’s website uses contact forms or analytics, then your organization is a controller; the form data recipients or analytics services — e.g. Google Analytics, HubSpot, or Hotjar — are processors.
Who does the GDPR affect?
The GDPR regulation applies to controllers regardless of where they’re located. If your organization offers services to individuals located in the EU, then the regulation applies. This means that a B2B company in Minnesota with one client in the EU could be affected by the GDPR.
What does GDPR require from site owners?
Despite the volume of the text and its translations, the GDPR lacks notable guidance to determine what constitutes lawful personal data processing. As with any new regulation, the law is still being interpreted in many ways.
The GDPR still applies to the collection of information from people located in the EU; however, it’s an open question at this point how the EU is going to enforce that against an entity that has no presence in the EU.
For many organizations that use contact forms or analytics on their websites, that processing may be considered lawful. Point (f) of Article 6(1) allows processing when used for the “legitimate interests” of a controller, like your organization.
Unfortunately, there is no specific guidance or instruction on what exactly “legitimate interests” may be. Even the official EU opinion of a precursor to the GDPR fails to clearly define these “legitimate interests”.
Alternatively, the UK-based Information Commissioner’s Office maintains an informal quiz to determine your organization’s lawful basis for processing. When determining legitimate interests, the quiz asks “Are you happy to take full responsibility for justifying your processing? Have you identified a legitimate interest? Is there another reasonable way to achieve your purpose without processing the data? Is your legitimate interest compelling enough to justify the potential impact on individuals, or any element of the processing which would be unexpected?” Answers to these questions that demonstrate the personal data is processed in ways people understand and expect, without causing harm, may be considered legitimate interests.
The most onerous regulations of the GDPR include appointing a representative to the EU when an organization outside of the EU engages in frequent, large-scale processing of highly sensitive data (e.g. race, politics, religion, union, genetics, health, sex life or orientation, criminal convictions) of EU data subjects.
What can you do to stay “compliant” with GDPR?
Assuming your organization has determined that it has legitimate interests for processing personal data of EU-based individuals, consider taking these actions:
- Add links to the privacy policies and contact information of your data-collection services.
- List a contact method to handle privacy requests.
If your organization wants more protection and seeks to gain explicit consent from users prior to processing personal data, then you may also take the following steps. If possible, it may be sufficient to apply these only to visitors identified as EU-based users.
- Update each contact form to include an explicit, affirmative consent checkbox — the default option for this input should be to decline consent.
- Utilize a tool like Cookiebot to ask for and require explicit, affirmative consent before loading tracking scripts and cookies.
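The two steps above, implemented as an added example (this is not code from the original article or from any of the tools it names): the form handler treats anything other than an explicit, affirmative value in the consent field as a decline, so a missing or tampered checkbox never counts as consent, and tracking scripts are only loaded once a stored "granted" decision exists. The field name `gdpr_consent`, the storage key `tracking_consent` and the `storage`/`loader` callbacks are assumptions standing in for a real form, `localStorage` and a script injector.

```javascript
// Added example (not the article's own code). Assumed form markup:
//   <input type="checkbox" name="gdpr_consent" value="yes">  -- unchecked by default,
// so the field is absent from the submission unless the visitor ticks it.
const CONSENT_FIELD = 'gdpr_consent';      // assumed field name
const CONSENT_KEY = 'tracking_consent';     // assumed storage key

// Only the literal value "yes" is affirmative consent; a missing field, an empty
// string or a browser default like "on" (e.g. value attribute removed) is a decline.
function hasAffirmativeConsent(fields) {
  return Object.prototype.hasOwnProperty.call(fields, CONSENT_FIELD)
    && fields[CONSENT_FIELD] === 'yes';
}

// Handle a contact-form submission: reject without consent, otherwise keep the
// personal data together with a record of when and how consent was given.
function processContactForm(fields, now = new Date()) {
  if (!hasAffirmativeConsent(fields)) {
    return { accepted: false, reason: 'no affirmative consent' };
  }
  const { [CONSENT_FIELD]: _consent, ...personalData } = fields;
  return {
    accepted: true,
    personalData,
    consent: { purpose: 'contact form', field: CONSENT_FIELD, givenAt: now.toISOString() },
  };
}

// Store the visitor's explicit decision ('granted' or 'denied'); nothing is stored
// until the visitor actually decides, so the default state is "no tracking".
function recordTrackingDecision(storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? 'granted' : 'denied');
}

// Load the tracking script only when a stored decision says 'granted'.
// `loader(url)` is the assumed injector (e.g. appends a <script> tag).
function loadTrackingIfConsented(storage, loader, scriptUrl) {
  if (storage.getItem(CONSENT_KEY) !== 'granted') return false;
  loader(scriptUrl);
  return true;
}

// Constructed stand-in for localStorage so the example runs outside a browser.
function makeMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}
```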
As we’ve mentioned, this article is based on our opinions and doesn’t represent legal advice. We recommend that you check with your own legal counsel to get recommendations that are specifically tailored to your needs. This will help you to feel confident that you’re complying with the GDPR to the best of your abilities.