
A Quick Look at GDPR and How it Will Impact Your Organization

Jenna Dehn / Digital Marketing Strategist
March 14, 2018 | 4 min read

What is the General Data Protection Regulation (GDPR)?

GDPR is a new set of EU regulations going into effect on May 25, 2018. It provides citizens (and potentially non-citizen residents) of the European Union greater protections and rights pertaining to what companies can do with their personal information. The primary objective of GDPR is to protect individuals by reducing the amount of personal data available to organizations, and to provide them additional control over that data. Once this law goes into effect, the penalties for non-compliance increase significantly, and care has been taken to make these penalties enforceable globally.

I don’t live in the EU, does the GDPR still affect me?

Yes. Any website anywhere that collects and uses personally identifiable information about an individual residing in the EU must comply with GDPR. The regulation states that penalties are enforceable regardless of the country in which the company using the data operates.

What is considered personal data?

The EU GDPR laws apply quite broadly. The legislation defines “personal data” as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” This information includes, but is not limited to:

  • Name
  • Photos
  • Email address
  • Location information
  • Identification Numbers
  • Bank Information
  • Social Media posts
  • Medical information
  • IP Addresses

Consider Requests for Personal Data

GDPR grants users the ability to access their data in several ways, including:

  • Requesting corrections to their data
  • Requesting removal of their information, or
  • Requesting to review the personal information collected.

A user requesting such information must provide the site operator with the details necessary to identify that user. Be prepared for such requests: determine what information you require to verify an individual's identity and to locate their information within your systems.

What web features are subject to the GDPR rules?

  • Web forms that collect personally identifiable information.
  • Features tracking IP address, session ID, or other unique identifiers that can be tied back to an individual.
  • Tracking snippets embedded in the page, such as Google Analytics, that collect personal information about users.
  • Third-party integrations, including CRMs, marketing automation tools, and ERP systems.

What do I need to do?

Your responsibility for maintaining GDPR compliance will vary based on the nature of your business, target markets, and data collection methods your organization has implemented. The GDPR has many requirements about how to collect, store, and use personal data. Take these steps to evaluate your data’s compliance with the new regulations:

1. Awareness

Educate your organization on GDPR compliance requirements and appoint a primary point of contact for digital privacy related enforcement and education.

2. Audit

Review all systems within your organization that collect or process end user data. This is not limited to your website platform. Consider CRMs, ERP Systems, Marketing Automation tools, and more.

3. Transparency

Disclose to end users what information you are collecting, why you are collecting it, and who they can contact with questions. This is often done through a privacy policy.

4. Management

Review your procedures pertaining to the collection, storage, and processing of personal data falling under GDPR. Be mindful of the new data retention regulation and set up periodic reviews and audits of your data.

5. Respond

Set policies and processes for effectively and appropriately reporting data breaches pertaining to data falling under GDPR. Be able to easily extract user data from your database.


Do I need to obtain consent before collecting personal data?

Yes. The GDPR requires that before collecting or processing personal data, controllers must have a specific legal basis to do so. Organizations must provide:

  • What data is being collected
  • What the data will be used for
  • Who has access to the data
  • How long the data will be kept
  • Who to contact with concerns

Acquiring agreement could be as simple as including a checkbox on a form that requires users to confirm consent to the collection and storage of information before they can submit their requests. It must also be easy to remove that consent if requested.

What information should my privacy policy include?

It is important to remain transparent about the personal data you collect and how you intend to use that information. Many users are concerned that their data will be sold to other companies or kept in an insecure environment. Put their minds at ease with an updated privacy policy that includes the following:

  • Identity and contact details of data controller
  • Purpose of data processing and legal basis
  • When and how personal information is shared
  • Information collected that could be personally identifiable
  • Information you do not collect from end users
  • Relationships that may result in data transfer to third parties
  • Safeguards to protect data
  • Cookie Use and Purpose
  • Data Retention Procedures

What happens if I am not compliant with GDPR regulations?

GDPR penalties fall into two tiers, depending on the severity of the infraction:

  • Tier One
    • Two percent of global annual revenue, or
    • Ten Million Euro
  • Tier Two
    • Four percent of global annual revenue, or
    • Twenty Million Euro

The tier applied will depend on the nature, duration, and severity of non-compliance, including:

  • Was the non-compliance intentional or negligent?
  • How many data subjects were impacted?
  • What was the duration of the infringement?
  • Were data prevention mechanisms in place?
  • Does the data controller follow basic GDPR requirements?
  • Are privacy policy and requests for consent adequately transparent?
  • Are there prior infringements from the data controller or data processor?
  • Did the data controller or data processor cooperate with regulators?
  • Was the infringement reported voluntarily or under duress?

Are you a Titan CMS user? Read how the GDPR will impact your Titan CMS instance here.

Jenna Dehn / Digital Marketing Strategist

Jenna Dehn is the WordPress Lead at Northwoods and manages projects all the way from sales to build. She creates responsive web designs that match the design aesthetic of the client. During each website build, Jenna makes sure to use current best-practice techniques to create websites that are not only beautiful but smart. Meeting with clients to understand their challenges and goals is an important part of Jenna’s role at Northwoods. She makes sure to design websites that address these challenges, and provides clients with one-on-one training to empower users to easily maintain and manage their own websites.
