Now if you’re thinking: “I’m in South Africa, this has nothing to do with me” – think again. The Internet is massive. Even if you only serve clients in South Africa, you are likely to get inbound traffic from Internet users from just about anywhere in the world. With that in mind, your website must comply with the laws of the visitor’s country (GDPR in the case of the EU) as well as the laws of South Africa.
Dessert First: What are Cookies?
Cookies are small text files which a user’s computer stores. They are designed to hold a modest amount of data specific to a particular client and website, and can be accessed either by the web server or the client computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and so is able to carry information from one visit to the website (or a related site) to the next.
Cookies can be used to remember a visitor’s settings even when they aren’t logged in to a site. For example, an eCommerce website may remember your preferred currency settings even if you don’t have an account. They can also be used to store information about a user’s browsing habits so as to tailor ads specifically for them. A simple example would be the same online shop showing users products that may interest them based on the ones they recently viewed.
What is GDPR?
With warnings well in advance, the EU began enforcing the General Data Protection Regulation (GDPR) on May 25, 2018.
- The GDPR is a European Union privacy law that supersedes Europe’s Data Protection Act 1995, which regulates how organisations treat and/or use personal data they’ve obtained from EU citizens.
- The European Parliament has developed and implemented the new regulation, which is intended to simplify and unify data protection laws across all countries that belong to the European Union as well as to offer better protection to European citizens.
- When it comes to data protection, no law has been more significant in the last 20 years. It has massive implications for organisations all over the world since it applies to any organisation which collects, stores and processes information about residents of the EU. This includes organisations located outside of the EU – for example, companies in South Africa or China.
- Businesses that process data without consent face the risk of being hit with a severe financial penalty, far larger than anything previously faced. The maximum fine is £20,000,000, or 4% of worldwide annual turnover, whichever is higher.
Collecting User Personal Data
Any and every organisation must keep a record of and monitor personal data processing activities.
What is Classified as “Personal Data”?
The directive is aimed at anything classed as “Personal Data” – which is any piece of data that, used alone or with other data, could identify a person. The following categories are included:
- Identifying Information – This includes any information that can be used to identify a person (either directly or indirectly), including name, username, ID number (or similar), email address, bank details and an IP address or other personal information.
- Sensitive Personal Information – This can include genetic information or information about health, sex life, sexual orientation, religious & political views, mental, physiological, economic, cultural or social identities. Basically, anything that could put someone at risk of unlawful discrimination.
- To give people control over how their data is used and to protect “fundamental rights and freedoms of natural persons”, the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
- Accessing and using the collected information makes you a data controller. As such, your organisation must keep a record of and monitor personal data processing activities. This includes personal data handled within the organisation and by third parties, the data processors.
Consent is Mandatory
All consents must be recorded as evidence that consent has been given.
If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR.
- You need to have a legal basis, like consent, to process an EU citizen’s personal data. Under the GDPR, you may use another legal basis for processing personal data, but we expect the majority of clients will rely on consent. This consent must be explicit and verifiable and not implied through use (like visiting a website or sending an enquiry form).
- For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box, etc) and positively opt-in for their data to be held and used – with the option for them to change their mind and update their preferences at any time in a simple, easy way.
- Verifiable consent requires a written record of when and how someone agreed to let you process their personal data.
- All email forms, regardless of opt-in method, collect the email address, IP address, and timestamp associated with everyone who submits an online form.
- For this reason, data collected prior to your adoption of a specific GDPR-informed data policy may have to be discarded.
- Individuals also now have the “right of data portability”, the “right of data access” along with the “right to be forgotten” and can withdraw their consent whenever they want. In such a case the data controller must delete the individual’s personal data if it’s no longer necessary to the purpose for which it was collected.
- In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
- Furthermore, GDPR imposes an obligation on public authorities, organisations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organisation.
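An added example, not code from the original post or from BluSilva: a minimal consent ledger in Python that keeps the written record described above (who consented, from which IP address, for what purpose, by which method, and when), refuses the implied forms of consent the post rules out (a pre-ticked box, merely visiting the site, sending an enquiry form), and supports withdrawal, access and erasure. All class, method and mechanism names, and the sample addresses used in testing, are hypothetical.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical opt-in mechanisms. Only a positive act by the visitor counts; the
# implied forms the post rules out (pre-ticked box, visiting the site, sending
# an enquiry form) are refused outright.
EXPLICIT_METHODS = {"unticked_checkbox", "double_opt_in_email", "signed_form"}
IMPLIED_METHODS = {"pre_ticked_box", "site_visit", "enquiry_form"}

def utc_now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()  # unambiguous "when"

@dataclass
class ConsentRecord:  # who, from which IP, for what, how, and when
    email: str
    ip: str
    purpose: str
    method: str
    given_at: str
    withdrawn_at: Optional[str] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record(self, email, ip, purpose, method, when=None) -> ConsentRecord:
        # Refuse anything that is not an explicit, verifiable opt-in.
        if method in IMPLIED_METHODS or method not in EXPLICIT_METHODS:
            raise ValueError(f"{method!r} is not explicit, verifiable consent")
        rec = ConsentRecord(email, ip, purpose, method, when or utc_now_iso())
        self._records.setdefault(email, []).append(rec)
        return rec

    def has_consent(self, email, purpose) -> bool:
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(email, []))

    def withdraw(self, email, purpose, when=None) -> int:
        # Keep the record (it is evidence) but mark it withdrawn; returns count.
        hits = [r for r in self._records.get(email, [])
                if r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = when or utc_now_iso()
        return len(hits)

    def evidence(self, email) -> List[dict]:
        # Portable copy of all records held on one subject (right of access).
        return [asdict(r) for r in self._records.get(email, [])]

    def erase(self, email) -> int:
        # Right to be forgotten: drop the subject's records; returns count.
        return len(self._records.pop(email, []))
```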
What’s GDPR Got To Do With Me in South Africa?
- If your website is serving individuals from the EU and you – or embedded third party services like Google and Facebook – are processing any kind of personal data from those visitors, you need to obtain prior consent from the visitor.
- To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.
- The GDPR requires that you document cookies and online tracking at all times, and that you are able to show that documentation to both your users and the EU.
- All consents must be logged as proof, and all tracking of personal data, including by embedded third party services, must be documented, including the countries to which data is transmitted.
What Does GDPR Mean For My Marketing?
- If your website is being tracked by third parties such as Google Analytics and/or Social Media services, the data they hold and process must also be GDPR compliant.
- If you are collecting email addresses for a marketing list using services such as MailChimp, this too must be GDPR compliant.
- Unfortunately, any existing lists and databases built before the GDPR comes into force will need to be erased and built from scratch. When you rebuild your database of subscribers, it is recommended that you give your visitors an option to opt in.
- All emails should have an unsubscribe button, and working with a company like MailChimp will ensure that the data is being collected, time-stamped and tracked – and will aid your ability to clean all mail lists accordingly.
- Any search and display advertising needs to be logged and highlighted with the ability for users to refuse any tracking in accordance with the GDPR.
- For specific information relating to any third-party marketing service’s compliance, you should double-check directly with the provider.
What We at BluSilva Offer
As always, at BluSilva, we go beyond simple web design.
- Where web forms are implemented, we will give users the ability to explicitly opt-in and agree to you using their information for the reasons you wish.
What You Can Do
- For mailing lists and client databases, we strongly recommend that your emails have an unsubscribe button and those that choose to unsubscribe are removed from the mailing list.
- For offline databases and client information, it is of utmost importance that documents and information are kept secure at all times, limiting access to them.
Need Advice or Assistance? Contact us to see what we can do to make sure your website visitors are aware of the information you collect and how you use it.