My head hurts trying to figure this out, but it’s something we have to do.
Can anyone link to good resources that clearly explain what we need to do?
I don't know how much you know already, but I'll just throw these videos in here for everyone who has no idea what GDPR is.
Here are some of my takeaways. Take it with a pinch of salt, though. Not completely figured it out myself.
But the meat and potatoes seem to be that you've got to be clear about what you'll do with their data, and give users control over theirs. For example, when you're offering a lead magnet, you NEED to tell users -- and get their active consent -- that you will use their e-mail address to contact them with additional offers in the future (if that's what you do).
You can no longer do the "By using this site, you accept cookies" trick. Users must have the choice to either accept or reject that data collection.
Users will need the option to opt out from your data collection. That's why Google Analytics just launched a couple of new functions that allow us to, for example, delete all data associated with an individual user:
Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.
Action: Please review these data retention settings and modify as needed.
Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.
Addition: I also think that if the data you're collecting is hacked, lost etc, you are obliged to report the incident to your country's data protection regulator. But only if it has a detrimental impact on individuals whose data is collected.
For example if it could lead to lost money, confidentiality breaches, damage to reputation.
What is GDPR? The need-to-know guide | WIRED UK