If you’ve spent even a little time on the Internet in the last few months, you may have noticed an increase in pop-ups and notices about GDPR, cookies, privacy policies and sites collecting data. If you’ve subscribed to as many newsletters as I have, your inbox may also be flooded by messages about privacy policy updates. Internet giants like Facebook, Twitter and the likes have also been sending these emails out and carefully updating their policies. These sites have been collecting data all along, but it has become more apparent since May 25 2018. That’s because the European Union (EU) has made a new ruling on the privacy laws. Laws which regulate how an organisation treats or uses the personal data of EU citizens.

Now if you’re thinking: “I’m in South Africa, this has nothing to do with me” – think again. The Internet is massive. Even if you only serve clients in South Africa, you are likely to get inbound traffic from Internet users from just about anywhere in the world. With that in mind, your website must comply with the laws of the visitor’s country (GDPR in the case of the EU) as well as the laws of South Africa.

social media gdpr

Dessert First: What are Cookies?

Cookies are small text files which user’s computer stores. They are designed to hold a modest amount of data specific to a particular client and website, and can be accessed either by the web server or the client computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and so is able to carry information from one visit to the website (or related site) to the next.

Cookies can be used to remember a visitors settings even when they aren’t logged in to a site. For example, an eCommerce website may remember your preferred currency settings even if you don’t have an account. They can also be used to store information about a users browsing habits so as to tailor ads specifically for them. A simple example would be the same online shop showing users products that may interest them based on the ones they recently viewed.

What is GDPR?

eu gdpr

With warnings well in advance, the EU has enforced the General Data Protection Regulation (GDPR) On May 25, 2018.

  • The GDPR is a European Union privacy law that supersedes Europes Data Protection Act 1995 which regulates how organisations treats and/or use personal data they’ve obtained from EU citizens.
  • The European parliament has developed and implemented the new regulation which is there to simplify and unify data protection laws across all countries that belong to the European Union as well as to offer better protection to European citizens.
  • When it comes to data protection, no law has been more significant in the last 20 years. It has massive implications for organisations all over the world since it applies to any organisation which collects, stores and processes information about residents of the EU. This includes organisations located outside of the EU – for example, companies in the South Africa or China.
  • Businesses that processes data without consent face the risk of being hit with a severe financial penalty. A penalty way more than anything previously faced. The maximum fine being £20,000,000, or 4% of worldwide annual turnover, depending which is higher.

Collecting User Personal Data

Any  and every organisation must keep a record of and monitor personal data processing activities.

What is Classified as “Personal Data”

The directive is aimed at anything classed as “Personal Data” – which is any piece of data that, used alone or with other data, could identify a person. The following categories are included:

  • Identifying Information – This includes any information that can be used to identify a person (either directly or indirectly), including name, username, ID number (or similar), email address, bank details and an IP address or other personal information.
  • Sensitive Personal Information – This can include genetic information or information about health, sex life, sexual orientation, religious & political views, mental, physiological, economic, cultural or social identities. Basically, anything that could put someone at risk of unlawful discrimination.
  • To give people control over how their data is used and to protect “fundamental rights and freedoms of natural persons”, the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
  • Accessing and using the collected information makes you a data controller. As such, your organisation must keep a record of and monitor personal data processing activities. This includes personal data handled within the organisation and by third parties, the data processors.

Consent is Mandatory

All consents must be recorded as evidence that consent has been given

If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR.

  • You need to have a legal basis, like consent, to process an EU citizen’s personal data. Under the GDPR, you may use another legal basis for processing personal data, but we expect the majority of clients will rely on consent. This consent must be explicit and verifiable and not implied through use (like visiting a website or sending an enquiry form).
  • For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box, etc) and positively opt-in for their data to be held and used – with the option for them to change their mind and update their preferences at any time in a simple, easy way.
  • Verifiable consent requires a written record of when and how someone agreed to let you process their personal data.
  • All websites that use cookies for analytics, advertising and functional services, such as surveys and chat tools that collect IP addresses and are time stamped.
  • All email forms, regardless of opt-in method, collect the email address, IP address, and timestamp associated with everyone who submits an online form.
  • For this reason, data collected prior to your adoption of a specific GDPR- informed data policy may have to be discarded.
  • Individuals also now have the “right of data portability”, the “right of data access” along with the “right to be forgotten” and can withdraw their consent whenever they want. In such case the data controller must delete the individual’s personal data if it’s no longer necessary to the purpose for which it was collected.
  • In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
  • Furthermore, GDPR imposes an obligation on public authorities, organisations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organisation.

What’s GDPR Got To Do With Me in South Africa?

  • If your website is serving individuals from the EU and you – or embedded third party services like Google and Facebook – are processing any kind of personal data from those visitors, you need to obtain prior consent from the visitor.
  • To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.
  • This information must be available to the visitor at all times, e.g. as part of your privacy policy. You must also make available an easy way for the visitor to change or withdraw consent.
  • It is required by the GDPR that you must document cookies and online tracking all the time and you must be able to show that documentation to both your users and the EU.
  • All consents must be logged as proof and all tracking of personal data, also by embedded third party services, must be documented, here-under to which countries data is transmitted.

What Does GDPR Mean For My Marketing?

Digital Marketing and GDPR

  • If your website is being tracked by third parties such as Google Analytics and/or Social Media services, the data they hold and process must also be GDPR compliant.
  • If you are collecting email addresses for a marketing list using services such as MailChimp, this too must be GDPR compliant.
  • Unfortunately, any existing lists and databases built before the GDPR comes into force will need to be erased and built from scratch. When you rebuild your database of subscribers, it is recommended that you give your visitors an option to opt-in.
  • All emails should have an unsubscribe button, and working with a company like MailChimp will ensure that the data is being collected, time stamped and tracked – and will aid in you ability to clean all mail lists accordingly.
  • Any search and display advertising needs to be logged and highlighted with the ability for users to refuse any tracking in accordance with the GDPR.
  • For specific information relating to any third-party marketing service compliance, you should double-check with the provider direct.

If you have a website that doesn’t collect any personal data, this law will not affect you, However, it highly likely you website does store cookies, in which case it is still recommended that you let your users know and have it stated in your Cookie Policy. For companies in South Africa who gather information about their visitors, specifically those providing services worldwide, it is of utmost importance that you get professional legal advice and a web developer who can make sure that all the above requirements are GDPR compliant are implemented.

What We at BluSilva Offer

As always, at BluSilva, we go beyond simple web design.

  • If we design you a website that collects information and uses cookies, we will draw up a privacy policy page that thoroughly informs visitors which aspects of the website collect information and why. We DO NOT provide legal advice, and as such, you must have your legal advisor(s) inspect the document. We will ask you to provide consent that you are satisfied with the policy and that it meets your requirement.
  • Where web forms are implemented, we will give users the ability to explicitly opt-in and agree to you using their information for the reasons you wish.
  • Certain aspects of your websites cookies may be out of our full control (ie plugins and third party software). We can however give you full information about which of these use cookies or collect data. This may be chargeable depending on the size of your website.

What You Can Do

  • For mailing lists and client databases, we strongly recommend that your emails have an unsubscribe button and those that choose to unsubscribe are removed from the mailing list.
  • For offline databases and client information, it is of utmost importance that documents and information are kept secure at all times, limiting access to them.

Need Advice or Assistance? Contact us to see what we can do to make sure your website visitors are aware of the information you collect and how you use it.