What Exactly is GDPR Compliance and Should We Care? with @KerryGorgone #vcbuzz

I bet you have received a good hundred of those updated privacy policy emails at some point. And you probably deleted all or most of them.

But as a website owner, have you thought about how that GDPR notice is affecting you and your business? Is there something you need to be doing to stay safe?

Privacy is no joke! According to Aura, every 10 seconds someone becomes a victim of identity theft and 23% of victims end up having to pay for charges from fraud or identity theft!

How can we protect our site users?

Let’s discuss!

***Add #VCBuzz chats to your calendar here.

***Please sign in here to follow the chat -> twchat.com/hashtag/vcbuzz

About Kerry O’Shea Gorgone @KerryGorgone

We already had the pleasure of sitting through Kerry’s #VCBuzz lesson when she was talking about blogging disclosures.

To give you a quick summary of today’s expert bee, @KerryGorgone is a speaker, lawyer, writer and podcaster. She is director of product strategy @MarketingProfs and writes for Social Media Explorer, @HuffingtonPost, @SpinSucks, @MarkWSchaefer, @MackCollier, and many others.

Questions we discussed

Q1 What exactly is GDPR, in very simple terms? Why should people outside of the European Union care?

GDPR is the General Data Protection Regulation, European Union privacy legislation designed to protect consumer privacy.

If you collect personal data or behavioral information from someone in an EU country, your company must comply with the GDPR. Note that a financial transaction doesn’t have to take place: you just have to be collecting personal data.

Whether or not GDPR applies can actually be a bit complicated. For example, for GDPR to apply, you must target users in the EU, and “generic marketing” is not typically enough to do this.

In other words, if you run a local interest website, written in English, for people in New York State, you probably aren’t subject to GDPR.

If, on the other hand, you sell software and your website translates product pages into French (or German, or Croatian, etc.) for those browsing in the EU, that would likely constitute “targeting” and trigger GDPR. What crosses that line isn’t entirely clear yet.

GDPR is still new, and people haven’t quite sussed out the ramifications of social login and SSO yet. Safest thing would be to have people accept your new privacy policy the first time they log in using their social accounts. Interpret data collection broadly for GDPR. I’ll cover more on this, but think about things like hiring and recruiting, as well as consumer info you gather via online behavior.

Q2 What changed, in terms of online privacy, once GDPR went into effect?

What is new is the mindset GDPR requires companies to take. The consumer or “Data Subject” is in complete control. Individuals own their personal data. That is a major shift.

For marketers, this means not only the data you collect but the data you pass to third parties and vice versa. Make sure everyone complies or your organization will be held responsible under GDPR!

Keep in mind, “data” isn’t just website data. Data spans the entire organization. Think about the hiring process. Where does your data go after you apply for a position? How do you know it’s been properly deleted from ALL servers and by anyone who handled your resume?

Example: if HR collects a resume, how does the applicant know that the resume is flushed from the system after the agreed amount of time by law? GDPR puts checks and balances in place, requirements hiring organizations must follow.

Big companies will have someone in house or use a qualified third party to handle GDPR compliance inquiries.

Websites are required to display an email address that directs to a human who can respond within 24 hours and/or comply with your “right to be forgotten,” or request for a data record within 72 hours. This is important!

GDPR is a huge shift for marketers, who have been somewhat lax in terms of how (and why) data is collected and handled.

GDPR creates urgently needed transparency, and reduces the amount of data marketers collect (or hoard), but never do anything with! GDPR forces marketers to ask hard questions and focus on useful data.

So the change is more one of mindset (consumer first) than sweeping changes to the legal environment. That said, putting control of consumers’ personal information back into their hands through GDPR does require a major change in how we approach data collection.

Q3 Why should website owners care? What is anyone who fails to comply risking?

To browse the list of possible fines and penalties under GDPR, check this out.

From a brand standpoint, it’s also important to ask yourself why you’d want to collect people’s personal data without having a clear purpose in mind. Collecting and storing data requires resources. GDPR compliance should help save you resources in the long run!

Thinking about the data breaches we’ve seen in the past few years and the impact those breaches have had on consumers, it’s clear that hoarding unnecessary data can also damage your brand reputation significantly.

So quite apart from fines and penalties, think about your relationship with customers, and the hard won brand loyalty you enjoy. Don’t blow it by being lax about data collection and GDPR compliance!

Q4 What parts should be included into the privacy policy page to comply?

Under GDPR, your privacy policy must include the address for your “Data Protection Officer” (which can be an official job title or just someone you designate), as well as your terms and conditions.

GDPR requires that a data protection officer be appointed for all public authorities and at companies where core activities involve “regular and systematic monitoring of data subjects on a large scale.”

GDPR also requires a data protection officer be appointed if a company processes a lot of “special categories of personal data” (Think race, political affiliation, religion, etc.)

Something that’s new under GDPR is that you can’t rely on one general acceptance of “cookies” as the opt-in for all data collection. You must let people know what specific data you’re collecting, and how you’ll use it.

Under GDPR, you can’t hide the information on how you’ll use people’s data in your terms and conditions, either. It must be in a pop-up the first time a user comes to your website. And really, why wouldn’t you want to tell people what you’re collecting and why?

The simplest way small businesses can ensure they comply with the GDPR is to only use plugins and services that have demonstrated they are compliant. If you can’t easily find a statement of GDPR compliance on a service or plugin, don’t use that service! Run away.

For large enterprises, some marketing platforms have GDPR compliance built in. 6.4 handles data compliance and data subject requests and opt-outs. That is a big load off marketers’ minds!

  • Where are we collecting data now and how does it help us reach a specific goal? If you can’t answer that, you don’t need the data!
  • Why are we using this data? This leads to how it helps you to reach a specific goal, but you might also find you are hoarding data and simply don’t know why. In that case, stop collecting that data point!
  • How does the data we collect better serve our customer/reader/visitor? Think about whether you’re using the information to enhance the customer experience or improve people’s brand experience somehow.
  • When will this data be used? Is this data actionable in the next 30 to 90 days? If you don’t have a use for it in the next quarter, do you really need to collect it today?
  • Who will take care of ensuring this data is flushed and deleted? Who is our contact when a data subject contacts us via email and requests deletion?

So it’s essentially everything you needed in a privacy policy before, plus a few key bits GDPR requires that more thoroughly inform people about the specific data you’re collecting on them, how you’ll use it, and how they can get it deleted!

Kelly’s list is super handy, and a great guide to keep printed out at your desk when pondering data collection questions for your company.

Q5 Are there any GDPR-compliant privacy policy generators bloggers can use? Or how would you suggest website owners put together a solid privacy policy page to stay compliant?

First, make sure you run any draft privacy policy by your attorney. Failing to comply with GDPR and other privacy regulations can result in costly fines, so it’s worth investing some legal fees to avoid violations.

That said, if you want to whip something up fast that can serve as a starting point for your lawyer, there are several sites that enable you to create customized privacy policies they say are GDPR compliant. (I’d still double check with an attorney!)

Starting with a draft privacy policy created with a generator is fine IF you bring it to an experienced attorney who understands GDPR and the online space. They should have experience drafting terms of use for websites. I love attorney ! ← Hit her up!

VCBee

Viral Content Bee is the free platform for social media sharing helping you get more shares for your high-quality content