The General Data Protection Regulation (GDPR) is effective from 25 May 2018.
Under the GDPR, the requirement that consent be freely given, specific and informed is reinforced with new rules, which means businesses must provide more transparency.
1. Forms: Active Opt-In
Forms that invite users to subscribe to your newsletter or indicate contact preferences must default to “no” or be blank. Check your forms to ensure this is the case.
2. Unbundled Opt-In
The consent you are asking for should be set out separately from acceptance of your terms and conditions and from consent for any other use of the data.
For example, when someone gives you their name and email to receive your opt-in gift this does not give you the automatic right to send them further marketing emails, without express consent.
Clearly set out the acceptance of your terms and conditions and separately set out the active opt-in for your customer's contact permissions.
3. Granular Opt-In
Users should be able to provide separate consent for different types of processing, e.g. post, email, telephone. You must also ask permission to pass details on to a third party.
4. Easy to Withdraw Permission or Opt-Out
It must be just as easy to remove consent as it was to grant it and users must be informed that they have the right to withdraw their consent.
In terms of your user, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication if you registered them to more than one list.
Users must be able to easily change the frequency of communication, or stop all communications entirely.
5. Named Parties
Your web forms must clearly identify each party for which the consent is being granted. It is not sufficient to name categories of third-party organisations, however specifically defined; each organisation must be named.
6. Privacy Notice and Terms and Conditions
Here is a sample privacy notice that you might use on your website. It is concise, transparent, and easily accessible.
You will also need to update the terms and conditions on your website to reference GDPR terminology. You must be transparent about what you will do with user information and how long you will retain it, both on your website and in your office systems.
7. Online Payments
If you are an e-commerce business you will be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway.
If this is the case, and your website is storing these personal details after the information has been sent to your payment portal, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable or necessary.
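One way to implement the retention clean-up described above, as an added example that is not part of the original article: a scheduled job that pseudonymises personal fields on order records older than the retention period while leaving the financial record (amount, gateway reference) intact. The SQLite `orders` table, its column names, the 60-day period and the sample rows are all assumptions constructed for this example; the constant `SAMPLE_NOW` stands in for the current time so the run is reproducible.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: a "reasonable period" of 60 days, as the article suggests.
RETENTION_DAYS = 60
# Assumption: these are the columns on the orders table that hold personal data.
PERSONAL_COLUMNS = ("customer_name", "email", "shipping_address")
# Fixed "now" so the constructed sample data and the purge are reproducible.
SAMPLE_NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)


def open_db():
    """Create an in-memory orders table populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE orders (
               order_id         INTEGER PRIMARY KEY,
               created_at       TEXT    NOT NULL,   -- ISO 8601, UTC
               customer_name    TEXT,
               email            TEXT,
               shipping_address TEXT,
               amount_pence     INTEGER NOT NULL,
               gateway_ref      TEXT    NOT NULL)"""
    )
    rows = [  # constructed sample data: two orders past retention, one recent
        (1, (SAMPLE_NOW - timedelta(days=90)).isoformat(),
         "A. Example", "a@example.invalid", "1 Sample Street", 1999, "gw-0001"),
        (2, (SAMPLE_NOW - timedelta(days=61)).isoformat(),
         "B. Example", "b@example.invalid", "2 Sample Street", 4999, "gw-0002"),
        (3, (SAMPLE_NOW - timedelta(days=10)).isoformat(),
         "C. Example", "c@example.invalid", "3 Sample Street", 999, "gw-0003"),
    ]
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def purge_personal_data(conn, now=SAMPLE_NOW, retention_days=RETENTION_DAYS):
    """Null out personal columns on orders older than the retention period.

    The order row itself is kept so accounting records remain complete; only
    the personal fields are removed. Rows already purged are skipped, so the
    return value is the number of rows pseudonymised by this run, and running
    the job repeatedly is safe.
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    # Column names come from the constant tuple above, not from user input,
    # so building the SQL text from them is safe; the cutoff is a bound parameter.
    set_clause = ", ".join(f"{col} = NULL" for col in PERSONAL_COLUMNS)
    still_populated = " OR ".join(f"{col} IS NOT NULL" for col in PERSONAL_COLUMNS)
    cur = conn.execute(
        f"UPDATE orders SET {set_clause} WHERE created_at < ? AND ({still_populated})",
        (cutoff,),
    )
    conn.commit()
    return cur.rowcount


def rows_with_personal_data(conn):
    """Count orders that still hold any personal data (useful as an audit check)."""
    still_populated = " OR ".join(f"{col} IS NOT NULL" for col in PERSONAL_COLUMNS)
    return conn.execute(f"SELECT COUNT(*) FROM orders WHERE {still_populated}").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("purged:", purge_personal_data(db))          # 2 rows on first run
    print("purged on re-run:", purge_personal_data(db))  # 0 rows, job is idempotent
    print("rows still holding personal data:", rows_with_personal_data(db))
```

Run the job from a scheduler (cron or the equivalent) rather than on request, and log the count it returns each run so you have a defensible record that the retention policy is actually being applied.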
8. Third Party Tracking Software
Many websites are using third-party marketing automation software solutions on their website. These might be lead or call tracking applications.
The use of these tracking applications raises some very interesting questions in terms of GDPR compliance and remains a grey area. These applications track users without their express consent.
If you are using any tracking apps then contact your web developer or the app provider to ensure that they are GDPR compliant. Even if they give you assurance that the apps are compliant, you will still be responsible if the software is doing something illegal.
The issue for you is to identify the GDPR compliance risks in using this kind of software and to mitigate your risks.
9. Google Analytics and Google Tag Manager
If you are interested in Google’s commitment to GDPR then read Google's statement here: How Google complies with data protection laws
Many websites use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system, with no “personal data” collected, suggesting that GDPR does not affect its use.
Google Tag Manager is a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and many other services. You must ensure that people who have access to your Tag Manager (e.g. your web developer or digital marketing agency) understand their legal responsibilities as a data processor acting on your behalf as data controller.
10. It Isn’t Only Your Website That Needs to Be GDPR Compliant
The changes being introduced with GDPR may affect more than just your website.
- You may have personal client data stored. Do you have a good understanding and documented record of the data you hold?
- Do you need to either gain or refresh consent for the data you hold?
- Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily?
- Do you ensure the data is kept up to date?
- Is your data being held securely, keeping in mind both technology and the human factors?