This May, the world will be welcoming the new GDPR laws whether they like it or not. The GDPR will give EU residents far greater control over how their data is used. Although the law chiefly applies to local businesses situated within the EU, it will have implications with any business anywhere in the world that interacts with EU residents.
As every company is different, the road to compliance will also vary from one business to the next and having expert guidance is the best way to ensure you don’t fall foul of the regulations, especially in regards to your online content.
The first step to ensuring your business is fully GDPR compliant is to carry out an audit against the legal framework. Regardless of the size of your company, by knowing how the regulations apply to your business you’re lessening your risk of being fined if you do not know how to abide by the new rules; as Sage demonstrates in their GDPR infographic, a fine of up to €20 million or 4% global turnover (whichever is greater) is the penalty for not meeting the new requirements. Therefore, it’s better to be safe than sorry.
While GDPR might not have a direct effect on the content that is published on a website itself, the new regulations will potentially alter the way in which that content can be used. For example, if you currently send out a newsletter or e-book to every customer that makes a purchase from your online store, you will only be able to do so in future if they opt-in to receive such communications.
The situation is different when it comes to user-generated content, which includes blogs and comments as well as photographs and videos. Many websites, especially e-commerce stores, rely on user-generated content to encourage potential customers to complete sales as studies show that buyers have a far higher level of trust for user reviews of a product than they do for information provided by the manufacturers themselves.
GDPR grants individuals a number of fundamental rights. These include the right to be forgotten, which allows subjects to ask for their data to be erased, the right to access and rectification, which means individuals can access and modify their personal data. Companies also need to be able to provide all the personal data they hold on an individual when requested, in a portable format.
In theory, this means that if someone writes a review or a blog post and then decides their views are no longer relevant, they have the right to remove their content. Companies must have measures in place to enable them to fulfill these new obligations or face substantial fines.
Depending on the nature of a particular business, in-house comments may contain personal information about individuals that requires additional consent as a result of GDPR. One example of this could be testimonials from customers that contain some of their personal details. Although permission might already have been sought to use such material, it may be necessary to re-obtain this consent.
One of the key concerns about GDPR is the cost of implementation. At present, the data that is mined from online users forms the backbone of the financial system on which much of the free web content available online rests. So once again, while the content that companies put out online may not be affected by the regulations, the ability of some companies to continue providing the same level content in the future may be less certain.