Time to sort your approach to GDPR

It's time to prepare for the General Data Protection Regulation (GDPR), which will apply from 25 May 2018. However, it is important to note that dpc are not GDPR consultants, so to be certain you are complying with the new regulation we would advise seeking legal advice.

The ICO (Information Commissioner's Office) has some really helpful and useful information on all aspects of the new law: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.

It is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.

The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.

Some parts of the GDPR will have more of an impact on some organisations than on others (for example, the provisions relating to profiling or children’s data), so it would be useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process.

We can help you ensure you are compliant, but we do encourage ALL of our clients to get legal advice on this hot topic.

The principles of the GDPR

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

Article 5 of the GDPR requires that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that: "the controller shall be responsible for, and be able to demonstrate, compliance with the principles."

Making both your website and your business GDPR compliant.

dpc are not GDPR consultants and this should not be construed as legal advice. We recommend you seek your own independent GDPR legal advice.

This is a "starter for ten": ten things to check on your website now to stay on the right side of the GDPR and to keep your customers happy.

We will start with the simple changes and move on to the more complex issues towards the end.

1. Data collection: Active Opt-In

Consent boxes on your forms, wherever you collect customer data, must not be pre-ticked. Customers need to actively tick a box to opt in to being contacted by you. Check every form on your website.

2. Unbundled Opt-In

Do not bundle your terms and conditions and consent together. Acceptance of your terms and conditions should be asked for separately from consent to other uses of the data, so that a customer can use your service without having to agree to marketing.

3. Granular Opt-In

Users should be able to provide separate consent for different types of processing (email, post, SMS) and also for different topics of communications (marketing, transactional, etc).

4. Easy to Withdraw Permission or Opt-Out

You must provide a simple and easy way for customers to opt out.

It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.

In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication, easily changing the frequency of communication, or stopping all communications entirely.

5. Named Parties

No more "grant 3rd party access". You cannot share data with unnamed organisations.

Your web forms must clearly identify each party for which consent is being granted; each organisation must be named at the point of data collection.
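Points 1 to 5 describe what the form must look like; what matters just as much is that the server behind it only ever records consent that was explicitly given. The following is an added example, not code from the original article, of a minimal server-side consent record that enforces active, unbundled, granular, revocable and named-party consent. The channel and purpose lists, the `NAMED_THIRD_PARTIES` entry, the field-naming scheme (`accept_terms`, `consent_<channel>_<purpose>`, `share_<organisation>`) and the `ConsentStore` class are all illustrative assumptions.

```python
# Added example, not code from the original article: a minimal server-side
# consent record that enforces points 1-5 (active, unbundled, granular,
# revocable and named-party consent).  CHANNELS, PURPOSES, NAMED_THIRD_PARTIES,
# the form field-naming scheme and ConsentStore are illustrative assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

CHANNELS = ("email", "post", "sms")          # granular: one consent per channel...
PURPOSES = ("marketing", "transactional")    # ...and per topic of communication
# Named parties: the only organisations data can be shared with, fixed when the
# form is built so that the form names them at the point of collection.
NAMED_THIRD_PARTIES = {"partner_ltd": "Example Partner Ltd"}  # assumed name


class ConsentError(ValueError):
    """Raised when a submission does not meet the opt-in rules."""


@dataclass
class ConsentRecord:
    subject_id: str
    notice_version: str = ""                        # privacy notice shown at collection
    terms_accepted_at: Optional[datetime] = None    # unbundled: T&Cs held apart from consent
    granted: Dict[Tuple[str, str], datetime] = field(default_factory=dict)  # (channel, purpose)
    shared_with: Dict[str, datetime] = field(default_factory=dict)          # third-party key
    history: List[str] = field(default_factory=list)  # audit trail to demonstrate compliance


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentStore:
    """In-memory store standing in for the consent table in your database."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def get(self, subject_id: str) -> ConsentRecord:
        return self._records.setdefault(subject_id, ConsentRecord(subject_id))

    def record_form(self, subject_id: str, form: Dict[str, str],
                    notice_version: str) -> ConsentRecord:
        """Apply a submitted form (a dict of field name -> value).

        A browser does not submit an unticked checkbox at all, so only a field
        that is present with the value "on" counts as consent; nothing is
        assumed from a missing field (active opt-in, no pre-ticked boxes).
        Terms acceptance and every consent are separate fields (unbundled,
        granular), and a share_* field for an organisation that was not named
        on the form is rejected rather than silently honoured (named parties).
        """
        if form.get("accept_terms") != "on":
            raise ConsentError("terms and conditions must be accepted explicitly")
        rec = self.get(subject_id)
        rec.notice_version = notice_version
        rec.terms_accepted_at = _now()
        for key, value in form.items():
            if key.startswith("share_"):
                org = key[len("share_"):]
                if org not in NAMED_THIRD_PARTIES:
                    raise ConsentError(f"cannot share with unnamed organisation {org!r}")
                if value == "on":
                    rec.shared_with[org] = _now()
                    rec.history.append(f"share granted: {NAMED_THIRD_PARTIES[org]}")
        for channel in CHANNELS:
            for purpose in PURPOSES:
                if form.get(f"consent_{channel}_{purpose}") == "on":
                    rec.granted[(channel, purpose)] = _now()
                    rec.history.append(f"consent granted: {channel}/{purpose}")
        return rec

    def can_contact(self, subject_id: str, channel: str, purpose: str) -> bool:
        """The check every mailing or SMS job should make before sending."""
        return (channel, purpose) in self.get(subject_id).granted

    def withdraw(self, subject_id: str, channel: Optional[str] = None,
                 purpose: Optional[str] = None) -> int:
        """Withdraw one stream, one whole channel, or everything (both None).

        A single call with no extra hurdles, so opting out is as easy as
        opting in.  Returns the number of consents removed.
        """
        rec = self.get(subject_id)
        doomed = [k for k in rec.granted
                  if (channel is None or k[0] == channel)
                  and (purpose is None or k[1] == purpose)]
        for k in doomed:
            del rec.granted[k]
            rec.history.append(f"consent withdrawn: {k[0]}/{k[1]}")
        return len(doomed)
```

The design point is that the consent table, not the HTML, is the source of truth: a missing field is never treated as "yes", the privacy notice version is stored alongside the consent so you can show what the person was told, and the history list is the documentation Article 5(2) asks you to be able to produce.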

6. Privacy Notice and Terms and Conditions

You need to update your Privacy Policy and your Terms and Conditions, but luckily the Information Commissioner's Office (ICO) has provided a sample privacy notice that you can use on your website.

It is short, sharp but very transparent:

Here at [organisation name] we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.

However, from time to time we would like to contact you with details of other [specify products]/ [offers]/[services]/[competitions] we provide. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:

Post   Email   Telephone   Text message   Automated call

We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that they can contact you by post with details of [specify products]/ [offers]/[services]/[competitions] that they provide. If you consent to us passing on your details for that purpose please tick to confirm:

I agree 

You will also need to update your terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you've received it, and how long you will retain this information, both on your website and in your office systems.

You will also need to communicate how and why you are collecting data, and your privacy policy will need to detail the applications that you are using to track user interaction (see points 8-10).

7. Online Payments

For e-commerce businesses, you are probably using a payment gateway for financial transactions; however, it is highly likely that your own website is collecting your customer's personal data before passing the details on to the payment gateway.

If this is the case, and your website is storing these personal details after the information has been passed along (you will see all your customer records and personal data in your eCommerce dashboard), then you will need to modify your web processes to remove any personal information after a reasonable period, for example 60 to 90 days. (The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary.) Bear in mind that other obligations, such as tax and accounting record-keeping, may require you to keep the transaction itself for longer, so the aim is to strip the personal details from old orders rather than delete the orders outright, and to write the period you choose into your retention policy. Card numbers themselves should never be stored on your website at all; leave those with the payment gateway.
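The following is an added example, not code from the original article, of what "remove any personal information after a reasonable period" looks like as a scheduled job over the orders your shop has stored: the personal fields are blanked once an order is older than the retention window, while the transaction fields you still need for your accounts are left alone. The order layout, the field names, the `purge_personal_data` function and the 90-day window are all assumptions for illustration; the sample orders are constructed.

```python
# Added example, not code from the original article: a scheduled retention job
# that strips the personal fields from stored orders once they pass the
# retention window, keeping only the transaction fields you still need.
# The order layout, field names and the 90-day window are assumptions.
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

PERSONAL_FIELDS = ("customer_name", "email", "phone", "shipping_address", "ip_address")
RETENTION = timedelta(days=90)  # within the 60-90 days suggested above; justify your own


def purge_personal_data(orders: List[Dict[str, Any]], now: datetime,
                        retention: timedelta = RETENTION) -> int:
    """Blank PERSONAL_FIELDS on every order older than `retention`.

    Non-personal fields (order id, amount, date) are left intact for accounts.
    The job is idempotent: an order already marked purged is skipped, and a
    purged_at stamp is recorded so you can demonstrate the policy was applied.
    Returns the number of orders purged on this run.
    """
    purged = 0
    for order in orders:
        if order.get("personal_data_purged"):
            continue
        if now - order["created_at"] < retention:
            continue
        for name in PERSONAL_FIELDS:
            if name in order:
                order[name] = None
        order["personal_data_purged"] = True
        order["purged_at"] = now
        purged += 1
    return purged


def sample_orders(now: datetime) -> List[Dict[str, Any]]:
    """Constructed test data: one order inside the window, one outside it."""
    return [
        {"order_id": "A1001", "created_at": now - timedelta(days=10), "total": 49.99,
         "customer_name": "Jane Example", "email": "jane@example.test",
         "phone": "01234 567890", "shipping_address": "1 Example Street",
         "ip_address": "203.0.113.7"},
        {"order_id": "A0950", "created_at": now - timedelta(days=120), "total": 120.00,
         "customer_name": "John Example", "email": "john@example.test",
         "phone": "01234 098765", "shipping_address": "2 Example Street",
         "ip_address": "203.0.113.8"},
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    orders = sample_orders(now)
    print("orders purged:", purge_personal_data(orders, now))
    for order in orders:
        print(order["order_id"], order["total"], order.get("customer_name"),
              order.get("personal_data_purged", False))
```

Run it nightly against the live order table (and, separately, against any exports, reports and backups that hold the same fields, which this job does not reach) and keep the purge count in your logs: that count, together with the written retention period, is what you would show to demonstrate that the storage limitation principle is actually being applied rather than merely stated in the privacy notice.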

8. Third Party Tracking Software

If your website uses marketing automation software (e.g. HubSpot, InfusionSoft or Marketo) or user identification/lead tracking software (e.g. Lead Forensics) then you really need to hold some specific discussions with your suppliers (and lawyers). These are currently seen to fall into rather a grey area with regard to the new law: they are CRM platforms that identify individual users and automatically re-market your products and services to them. Third-party call tracking applications like Infinity Call Tracking should also be carefully considered.

Sites that plug in Mailchimp or Campaign Monitor automated email services are also worth GDPR consideration, since the subscriber data is held by a third party. Ensure you state at the point of data collection where the data will be stored and which services you will use.

Site optimisation software like Hotjar or SessionCam gathers anonymised data to help website owners deliver a better user experience, and as the data is anonymised we feel that it probably falls into the same (compliant) category as Google Analytics. It is worth checking with your legal team, though, as recording user sessions could be seen as a material breach of the new law. In particular, check that form fields are masked in the recordings: anything a visitor types into an unmasked field (a name, an email address, a card number) is captured and stored by the supplier.

The use of these tracking applications raises some very interesting questions in terms of GDPR compliance, and in many people's opinion this remains a grey area. These applications track users in ways they would not expect and for which they have not granted consent; for example, tracking an individual's behaviour each time they return to your website or view a specific page. The suppliers of these applications assure everyone that they are GDPR compliant, but if the software is doing something unlawful, it is your business's responsibility as the Data Controller. The real question is how to identify the GDPR compliance risks of using this kind of software and mitigate them as a business owner, so review your contracts with these software providers carefully.

9. Google Analytics, Adwords and Google Tag Manager.

Google seems to have dealt with the GDPR issues head on and appears to be compliant with regard to its core suite of products (Analytics, Adwords, Retargeting, YouTube, etc.):

https://privacy.google.com/businesses/compliance/

Most websites are configured to use Google Analytics to track user behaviour, and Google Analytics is designed as an anonymous tracking system: you are not permitted to send it personally identifiable information, so we think it is GDPR compliant, and the same goes for Adwords tags. Two checks are still worth making. Turn on IP anonymisation in your tracking code (the anonymizeIp setting, which truncates the visitor's IP address before it is stored), and make sure no names, email addresses or account numbers leak into the page URLs, event labels or custom dimensions you send to Google, as that would turn an anonymous dataset into personal data.

And with regard to Google Tag Manager: it is a system that allows you to add different third-party tracking applications, so your focus should be on which third-party tracking applications you are using and whether they are GDPR compliant. Also, ensure you have a contract in place with anyone who has access to your Tag Manager (e.g. your digital marketing agency) so that they understand their legal responsibilities as a data processor on your behalf as data controller. Bear in mind that anyone who can publish a container can inject arbitrary JavaScript into your pages, so limit publish rights to named individuals, require 2-step verification on their Google accounts, and review the container's version history periodically.

10. And Finally… Your whole business needs to be GDPR compliant.

Ask yourselves these questions:

You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?

Do you need to either gain or refresh consent for the data you hold?

Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?

Is your data being held securely, keeping in mind both technology and the human factors in data security?

Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?