GDPR; New laws that online may not be ready for

May 2018; The new General Data Protection Regulations come into effect, and how many websites will be ready for it?

How many businesses will be ready to pay the fines for non-compliance; 4% turnover or €50million (whichever is greater)? In a few months time many businesses are in for a major shock….. because GDPR is a game-changer!

Previous reviews of the Data Protection Act introduced websites to the joys of asking permission to use cookies… and we all got used to “blipping the x” with no regard to the short or sometimes endless blurb associated. That introduced some usability issues, and many discussions on whether opt-in to further contact should be opt-in or opt-out.

The recording of personal data became more formalised, and breaches of data use (for example, charities sharing donor details) have brought attention to data management. Larger companies brought in more polices and management of personal data, but other than layers of admin, the impact on consumers, or website usability was slight.

In May 2018, there will be a very different landscape.

  • Any form of online tracking; registered user or an anonymous profile, must be done with full consent (human approval)
  • Tick boxes have to be ticked; they cant be pre-filled
  • Every element of tracking must be explicitly approved. So sharing data with any 3rd parties means each must be stated and approved by the user…… any affiliate partnerships out there feeling worried?
  • Every action to be taken with data must have explicit permission; so multiple permission boxes for email, third parties, purchase or search history etc..…. and the length of the form will be HOW long?
  • Companies need a method for providing all data held on an individual (named or by IP) in a simple, commonly used format. Because anyone can demand to see all data held by a company about them. can you hold all said data in one format in one place? 
  • Users can demand complete and permanent deletion of their data from a companies records.... are IT ready to prove they can entirely eradicate data?
  • Data Protection Officers will need to be appointed in businesses with “significant data”... could “significant data” be 2,000 customers with 10 purchases each…?
  • Service teams, and their systems will need new rules regarding data to be gathered, notifications given and access to layers of data… are call centres ready for the system changes needed?
  • A Data Protection Officer in a business must report directly to the highest management level; so MD or higher…. are MD’s ready to grasp the issues?
  • HR will need new processes, contracts (all staff) and training in new laws…. will everyone have to receive new contracts?

For websites the implications could be widespread;

  • Tracking can only be implemented if agreed to… so how will Google Analytics, Double Click, Adwords tracking and all the other codes be presented for “permission”?
  • When the permission requests appear how much page abandonment will occur…. and what impact will this have on CTR, Quality Score etc?
  • Affiliate partnerships based on iFrames, or API data swaps could be under threat
  • Partnerships will need to be visible, giving all competitors potentially sensitive data
  • Responsibility for data collation and passing on to consumer demands, or for data eradication could become complicated where partners are involved
  • A data breach, resulting in a maximum 4% of global turnover fine would result in potential closure/bankruptcy for smaller businesses
  • Updating Content Management Systems (CMS) or data management platforms (SalesForce) will be necessary; and to be compliant may involve buying expensive additional elements. Suppliers may well have clients trapped.
  • Sites running on custom CMS may find the updates beyond the agencies abilities, available resource, management time or just plain blow their own budgets

Whilst data compliance consultants will make a killing from helping companies, what will be critical is working with online management teams to deliver heavily tested/researched changes to usability, design and marketing activity review….. and yes, Braid can help, but that isn’t the point of this post!

For more information and advise contact Braid , and for more reading see the official outline; Information Commissioners website