Simply by having a website, it is almost guaranteed that you are collecting data. The EU has substantially expanded the definition of personal data under the GDPR: online identifiers such as IP addresses now qualify as personal data. If the data you process could be combined with other data to identify someone, it can be classed as “Personal Data” or “Personally Identifiable Information”.
- If you have a mailing list or a newsletter, it will also hold personal information. If you use a service such as MailChimp or Campaign Monitor and people sign up via your website, you are collecting personal data and passing it on to a third party.
- Google Analytics may be installed on your website, in which case you are collecting data.
- If you operate an eCommerce website then you are obviously collecting user data (as it is required to complete your orders).
- If you have any contact forms on your website, your user is giving you their data whenever they use those forms.
- You must ensure any contact forms, signup forms or any other area on your site in which your user inputs their data carries a checkbox where they give you consent to use their data. This box cannot be pre-checked.
- You need to have adequate security on your website to prevent breaches. Failing to do so would be a violation of the GDPR.
These laws will affect you! Your business can be fined for breaching GDPR: up to a maximum of 4% of annual global turnover or €20 million, whichever is higher.