The General Data Protection Regulation (GDPR) is Europe’s new framework for data protection law. It replaces the 1995 Data Protection Directive, and post-Brexit the UK’s data protection laws are likely to continue to enforce this framework. The legislation is designed to bring the data privacy laws across Europe into line, and the Information Commissioner’s Office (ICO) says that GDPR will bring greater transparency, enhanced rights for citizens and increased accountability.
GDPR will come into force across Europe on 25 May 2018, and all organisations that control or process personal and sensitive data will be covered by it. Personal data is any piece of information that can be used to identify a person, such as their name, address and even their IP address. Sensitive personal data includes information about religious and political views, sexual orientation, and more.
Organisations with more than 250 employees will be required to have documentation in place that details why people’s information is being collected and processed, describes the information that is held and how long it is kept for, and describes the technical security measures in place.
Much has been written about the substantial fines (€20 million or up to four percent of global revenues). The ICO Commissioner Elizabeth Denham has said that she has no intention of overhauling how her office hands out fines and regulates data protection across the UK – that the ICO prefers to work with organisations to improve their practices and sometimes a “stern letter” can be enough for this to happen.
We’re working with our clients to ensure that they are ready for the GDPR. There is no one-size-fits-all approach to GDPR compliance, but below we’ve highlighted a few general areas to review and update on your website. Depending on your website’s functionality there could be more areas that need reviewing, including but not limited to personalisation, profiling and web analytics. A few general areas to review include:
#1 Clean up your email databases
If your database includes subscribers whose permissions weren’t collected to the GDPR’s standards, or if you can’t provide proof of consent for some of your contacts, then you should stop sending emails to those subscribers.
It’s good practice to send a re-permission email so that your subscribers can opt in again in order to stay on your newsletter list. This might leave you with fewer subscribers, but those who do opt in are likely to be a far more engaged audience; by placing control back in the hands of your customers you are more likely to engender trust and, in turn, loyalty.
#2 Use active opt-in
You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or default settings.
For example, ensure that there are no pre-ticked boxes on your contact forms, as they will not be compliant with GDPR – a ‘positive opt-in’ will now be required. The ICO advise that if you want consent for several different purposes, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together. People should not be forced to agree to all or nothing – they may want to consent to some things but not to others.
“People must have genuine choice and control, and take some positive action” – Information Commissioner’s Office
The ICO Commissioner has highlighted that the GDPR is also explicit that you have to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised.
#3 Update your website Cookie and Privacy Policies
The standard “by using this site, you accept cookies” statements will no longer be compliant. Under the GDPR, any cookie or other identifier that is uniquely attributed to a device, and is therefore capable of identifying an individual (or of treating them as unique even without identifying them), is personal data. Cookies will require granular levels of control, with separate consents for tracking and analytics cookies, and users will be required to take an ‘affirmative action’ to signal their consent.
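The three points above (proof of consent before emailing, a separate affirmative opt-in per purpose that is easy to withdraw, and cookies gated on that consent) can be modelled as a small consent record. The following is an added example written for this post, not code from the original or from the ICO; the purpose names, record fields and policy-version string are assumptions for illustration.

```javascript
// Added example: per-purpose, affirmative consent record (assumed field names).
// Purposes a site might ask about separately; "essential" cookies need no consent.
const PURPOSES = ["newsletter", "analytics", "tracking"];

// Build a record from the boxes the user actively ticked. Only a strict `true`
// counts as a grant, so an untouched default (undefined, "on", etc.) never does.
function recordConsent(choices, policyVersion, now = new Date()) {
  const granted = {};
  for (const p of PURPOSES) granted[p] = choices[p] === true;
  return { policyVersion, grantedAt: now.toISOString(), granted, withdrawnAt: null };
}

// Withdrawal must be as easy as consenting: one action clears every purpose.
function withdrawConsent(record, now = new Date()) {
  const granted = {};
  for (const p of PURPOSES) granted[p] = false;
  return { ...record, granted, withdrawnAt: now.toISOString() };
}

// The proof-of-consent check: a purpose is permitted only by a live, explicit
// grant made under the current policy text. Missing, withdrawn or stale
// records all fail closed.
function isPermitted(record, purpose, currentPolicyVersion) {
  if (!record || record.withdrawnAt) return false;
  if (record.policyVersion !== currentPolicyVersion) return false;
  return record.granted[purpose] === true;
}

// #1: a subscriber with no valid newsletter consent must not be emailed.
function mayEmail(subscriber, currentPolicyVersion) {
  return isPermitted(subscriber.consent, "newsletter", currentPolicyVersion);
}

// #3: which cookie categories may be set. Strictly necessary cookies are
// always allowed; analytics and tracking each need their own grant.
function allowedCookieCategories(record, currentPolicyVersion) {
  const cats = ["essential"];
  for (const p of ["analytics", "tracking"]) {
    if (isPermitted(record, p, currentPolicyVersion)) cats.push(p);
  }
  return cats;
}
```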
Further reading and guidance from the ICO
The ICO have a lot of information to guide and advise organisations preparing for the GDPR; here are a few useful links: