The Protection of Personal Information Act (POPIA) and the General Data Protection Regulation (GDPR) have a significant impact on websites and other digital platforms like social media, email marketing and e-commerce activities. In South Africa, Businesses have until 1 July 2021 to comply and to make their websites compliant.
POPIA and GDPR are data privacy laws that affect all business websites that collect data. The regulations are there to protect the online privacy of visitors and it covers how personal data is used and extracted when users visit and interact with a website.
Websites collect information in various ways and if a site uses analytics, opt-in forms, WordPress forms or email marketing, then they are collecting personal information. It is essential for businesses to obtain consent from visitors to collect and process their personal information.
Without consent, they cannot share this information with their marketing team as these regulations have been designed to protect people against data breaches. To avoid massive fines and lawsuits, businesses need to comply by informing users about the data that their website collects.
Here are some key areas that business leaders should review and discuss with their web development team.
- Business websites must explicitly disclose if they are collecting personal data.
- They must inform visitors about why, how and where they store and process this personal data.
- Visitors may request a copy of the personal data collected from them.
- Visitors may request to have their personal data erased.
- Businesses must report serious breaches within 72 hours.
More importantly, they need to review all data collection points on their website. This could include the registration page, IP addresses, a checkout page and other analytics. It is critical to cover all these areas and to obtain consent to collect information.
The latest version of WordPress has built-in privacy and compliance features as part of its core. Merely by updating WordPress, one could ensure a higher level of compliance. Some new key features of WordPress include explicit consent, new data erase and export features and a policy generator.
WordPress previously stored data to ensure that people did not have to retype their personal information when making a new comment. Now, people have to click a checkbox to ensure their personal data is stored and reused.
The data export and erase feature enables businesses to easily export a user’s information into a zip file or completely erase it from the database. This feature helps simplify managing visitor’s personal information.
Visitors should be made aware that your site will collect their personal information when they complete any contact forms including registration forms and opt-in forms. One can easily create a tick box to accept the terms of service.
One also needs to inform visitors that your website collects cookies.
Businesses must inform visitors about any policy updates or data breaches, this can be done via email.
Third-party services or plugins like Google Analytics and Google Adwords need to be managed correctly, one needs to anonymise the data before storage and processing. This could be complicated but there are POPIA and GDPR compliant plugins available, they automatically connect Google Analytics to your website and they can make data anonymisation easy.
e-Commerce businesses likely use a payment gateway and your own website may be collecting personal data before passing it onto the payment gateway. If so, the regulations require you to remove any personal information after a reasonable period.
Compliance reassures visitors, they are likely to share personal information when they understand how you will use their information. Adding compliance policies will certainly benefit your business, it will prevent future data breaches and protect personal and company information.
It will also ensure that visitors’ personal information is not compromised.
By Nick Durrant, CEO Bluegrass Digital