It’s been six months since the EU’s General Data Protection Regulation (GDPR) took effect in the UK.
The new rules were designed to give EU citizens more control over their personal data. It meant that businesses had to introduce new policies in data collection, handling and security.
Six months on, we look at how GDPR has affected UK businesses and assess whether the regulation has lived up to its lofty goals.
The collection and processing of email data has been one of the most significant changes driven by GDPR.
You will probably remember the tsunami of emails sent before the 25 May GDPR deadline from companies asking their contacts to confirm that they still wanted to receive marketing emails.
If the company did not collect your email in a way that was GDPR-compliant, and you didn’t respond to that email, then the company *should* have removed you from their email list.
To make sure they are meeting GDPR requirements, businesses needed to check some of their processes.
Online forms that collected email addresses needed to have active consent from users before they could be added to an email list. Pre-ticked consent boxes and other underhand techniques were banned.
GDPR also mandated that users be given genuine choice and control when giving their consent. This means that newsletter sign-up boxes can’t be tied to anything else, such as the ability to download a white paper.
Organisations should also make sure that unsubscribing from an email newsletter or subscription is straightforward.
We have seen a few companies that violate these requirements. But generally, we believe that compliance is quite good in this area.
It has also led to a change in email marketing more broadly. Because individuals have more power over their emails, companies need to offer more value in newsletters and other marketing emails.
Many companies have cut a lot of the most self-indulgent fluff and spam from their emails and replaced it with helpful content that subscribers want to read.
While people have generally complied with some aspects of GDPR, such as email marketing, other aspects have been roundly or partially ignored. One such example is the requirement for website users to consent to cookies.
On a strict reading of the GDPR text, data collected through cookies, such as IP addresses, is personal data, and users should be able to choose whether or not to provide it.
To try to offer visitors a meaningful choice, some websites have introduced full-screen pop-ups that ask you to approve cookies before using the site. The problem is that the cookies that keep a site working (session and login cookies, for example) are strictly necessary, so the visitor has no meaningful opportunity to reject them; a choice only makes sense for non-essential cookies such as analytics and advertising.
In most cases, these cookie consent pop-ups are unnecessary. Even the Information Commissioner’s Office (ICO), the arbiter of GDPR in the UK, does not use one.
You should, however, provide a clear breakdown of all the cookies used on your website and explain what they do.
The threat of GDPR has proved too much for some companies.
Social media ranking app Klout closed down on GDPR day. They made no reference to GDPR when it closed, but the timing looks more than a little suspicious.
Many high-profile US publishers, including the Chicago Tribune, temporarily blocked EU visitors from their websites, and NPR redirected them to a plain-text version of its site.
Other publications like the LA Times and the Baltimore Sun are still blocking EU access.
When you try to access these sites, a notice says that they are looking at “technical compliance solutions” to enable European access.
These publishers obviously believe that the cost and effort involved in meeting the requirements of GDPR outweigh the benefits of having EU visitors.
One thing we saw a lot in the run-up to GDPR and its aftermath was ‘experts’ giving out bad advice and running scare stories to sell consultations.
Many of the worst fears about GDPR have not been realised, but some US publishers are still taking no chances.
Article 12 of the GDPR says that you need to communicate information on personal data processing in a way that’s concise, transparent, intelligible, easily accessible, in clear and plain language and free of charge.
The ICO breaks its privacy notice down into specific sections and questions, so people who have questions can easily find the answer.
You also need to be aware that you have a responsibility to answer specific questions about data processing whenever one of your data subjects asks. Among other things, this means that you need
Organisations have a responsibility to protect customer data. If personal data is compromised as a result of a cyberattack, human error or anything else, and the breach is likely to put individuals at risk, the company must notify the ICO, and must do so within 72 hours of becoming aware of it where feasible.
Not every breach will result in a fine. The ICO can also issue warnings and impose temporary processing bans. But fines for the most serious breaches can reach 4% of a company’s annual global turnover or €20 million, whichever is higher.
To minimise the risk of a serious data breach, organisations should take steps to protect the information they hold on individuals.
There are a few at-risk areas. The company website should be a high priority. There are some easy ways to reduce the risk of a website being compromised, such as keeping the site software and any associated plug-ins updated, since known vulnerabilities in outdated plug-ins are among the most common ways in.
Website administrators should also install a TLS (commonly still called SSL) certificate, which lets the site serve HTTPS and encrypts data in transit between the visitor’s browser and the server, so that form submissions and logins cannot be read or altered on the way.
A high proportion of data breaches are either the result of human error or could have been prevented by humans.
Choosing a strong password is one example of how a person can protect a website. Brute-force attackers run automated tools that try lists of tens of thousands of the most commonly used passwords against a login form until one works; a password that appears on such a list falls almost immediately, whatever else the site does.
You should make sure that employees are aware of potential security risks. Phishing scams are particularly dangerous because they can be initiated simply by an employee clicking a link in an email.