The European General Data Protection Regulation is a new personal data protection standard released mid-2018 that provides enhanced protection for website visitors coming to your site from Europe.
As you read the following, keep in mind that other countries will soon follow suit.
The European version of the GDPR is more than likely a case of EU being a trend-setter rather than merely a standalone adopter of these personal data protection regulations.
How the GDPR works
GDPR places a huge emphasis on how websites collect, track, and store data from European visitors. The good news is that most modern and in-the-know and established, ethical webmasters are already compliant — at least for the most part.
GDPR, in essence is mostly about being completely transparent with visitors to your website about the information you collect from them, and how it’s later used and stored via tags on your site.
It also places importance on the types of tags you use, and regularly auditing the tags you used to sniff out the nefarious types that share data with unsavory sources, or outright steal personal data for criminal use.
To put it into perspective, are the answers to the following questions obvious to European visitors to your site:
- What information does the tags present on your site collect?: Eg., IP addresses, products/pages viewed, browser type, cookie data, links/ads viewed, time on site/page.
- Are those tags direct or piggyback? (More on this in a minute).
- Can the data be deleted on request?
Direct tags
Direct tags are the obvious type that consumers should expect to be used. They’re attached to trusted sources like Google Analytics, Bing, Alexa, etc., or marketing agencies that collect data such as the number of people using the Internet at any given time or to serve you more targeted content related to your preferences.
Piggyback tags
Piggyback tags are generally problematic. Rather than sending information to a single source, such as Google Analytics or the Google Ad network, these tags literally “piggyback” on legitimate tags and send consumer data to third, fourth, fifth — etc — parties. Consumers don’t know where their data is being shared, and neither does the site owner (unless they’re running a shady website).
How GDPR exploits affect you
The GDPR oversight authorities don’t really care if you know about consumer data leaks on your site or not. You’re essentially responsible for the tags present on your site. Authorities expect you’ll keep a clean house, and if it’s found to be dirty, you’re at serious legal and monetary risk.
First, data leaks resulting in harm to a consumer, including their reputation or finances puts you at risk for legal action. Next, any other party along the path from your website to the consumer is at risk. This includes any third parties that handle your web admin and marketing duties. Even your host is at risk if data leaks are discovered.
Check out this website tag security infographic by DataTrue for the big picture of data privacy issues via website tags’ security holes, and how being GDPR-compliant can solve those issues.
Takeaway: How to protect yourself from GDPR woes?
- Have a firm policy in place to monitor all tags and delete those that are unauthorised. You can hire services for this, or have a trusted team member perform this task VERY regularly.
- Educate your team about tag security and create strict protocols for adding new tags to your sites.
- Make it very clear to all users, not just EU visitors, exactly what information is collected, how it’s used (Ie., marketing), and give those users a choice whether or not you can collect and store that information in the first place.
