Even savvy marketers can be forgiven for thinking that GDPR isn’t something they need to worry about – it applies only to EU citizens, right?
While that’s technically true, you could still be at risk if your website is accessible from EU countries. Even more importantly, similar privacy-protecting legislation is being implemented here in the US. Similar, although not the same. The current patchwork approach to privacy complicates matters for digital marketers, so it’s worth thinking about privacy protections now.
What PII Are You Gathering?
For starters, you’ll want to look at the PII (personally identifiable information) you are gathering and how you’re handling, transmitting, and storing that information. If your site includes any sort of ecommerce functionality, you’re probably already quite familiar with the underlying issues. (Though you may be relying on third parties like Authorize.net to manage them for you.)
Regardless of any transactional functionality, you’ll want to examine mail forms and other obvious front-end features. You should also discuss with your technology team whether cookies and other back-end tools are gathering and storing information about site visitors.
What About Partners and Vendors?
You should also discuss these issues with your partners and vendors. Plugins, modules and widgets may all be gathering information, even if you’re not using that info or even aware it’s being gathered. Chances are you didn’t read the terms of use or privacy policies associated with each – who does? – but you may want to have someone do so now.
Even your web hosting partners should be part of this review – logging the IP addresses of site visitors can be considered collecting PII.
How To Protect Yourself
You may not currently be able to get to 100% data cleanliness – not all of your vendors may be capable of meeting as high a standard as you’d like. But alerting them to how important this has become to you – and your clients and website visitors – is critical to moving the needle toward good data protection practices.
Of course, the usual legal provisos apply here. I’m not a lawyer – I don’t even play one on TV – and nothing in this article should be construed as legal advice.
Consult with a lawyer knowledgeable on privacy issues in your jurisdiction to craft a data privacy policy. There’s a bit of a chicken-or-the-egg aspect to this: you will need to know what your partners, vendors, and internal IT team are capable of delivering before you write the policy. (Meaning, you have to be able to meet the standard you set out.)
You may find that you’ll want to consult the lawyer, write a draft policy that meets best-practice standards, and then work with your team and vendors to see how close you can get to those standards before adjusting them to the reality of your situation. (And then review with the legal team again.)
It’s tempting to wish for the good old days when the web was a bit more like the Wild West, but the hassle of increased regulatory scrutiny is well worth the increased trust the public will have in their interactions with you, me, and all marketers online.