What is GDPR?
The GDPR defines “personal data” as follows:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Article 4(1), GDPR
The thread that ties these recommendations together is consent. Under the GDPR consent must be freely given, specific, informed and unambiguous, and the new rules mean businesses have to be more transparent about what they collect and what they do with it.
The GDPR is most visible in business-to-consumer (B2C) work, but it applies to any personal data, including the details of named contacts at other businesses. If you market to businesses you should also look at the Privacy and Electronic Communications Regulations (PECR, the UK implementation of the EU ePrivacy Directive), which set separate rules for electronic marketing.
There are plenty of articles on the internet on how to make your website GDPR compliant. The points below are summarised from one of them, https://www.hallaminternet.com/how-to-make-your-website-gdpr-compliant, and centre on contact forms that collect customer data and on online commerce where personal information is stored after a transaction.
- Active opt-ins on forms. You can no longer pre-select the subscribe option so that users have to un-check it. The box must start unchecked and the user must physically tick it.
- Bundled opt-ins. You cannot hide the subscription in the terms and conditions; you must provide a separate, clearly labelled “Permission to Contact” box. Agreeing to the terms is not consent to marketing.
- Split opt-ins. If you intend to contact customers through different channels, let them choose which: for example, a separate checkbox for email, telephone, post and so on.
- Opting out must be simple. Withdrawing consent must be as easy as giving it.
- Named parties. You must name the parties the customer is consenting to hear from and give the option to refuse each of them. For example, the John Lewis group has several companies; when a user subscribes, they can choose not to receive communications from Waitrose or John Lewis Finance.
- Privacy notice and terms and conditions. The Information Commissioner’s Office (ICO) provides a sample privacy notice that you can use on your website; it is concise, transparent and easily accessible. You will also need to update your terms and conditions to use GDPR terminology. In particular, make it clear what you will do with the information once you have received it and how long you will retain it, both on the website and in your office systems.
- Online payments. If you are an e-commerce business you are probably using a payment gateway for financial transactions, and your own website may be collecting personal data before passing the details on to the gateway. If your website keeps those personal details after they have been passed along, you will need to change your processes to remove the personal information after a reasonable period, for example 60 days. The GDPR is not explicit about the number of days; it is your own judgement what can be defended as reasonable and necessary for the purpose. Note that other obligations (accounting records, for instance) may require you to keep the transaction itself, in which case remove the details that identify the customer rather than the whole record.
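The form points above describe what the page must show; what actually counts is what the server accepts and records. The following is an added example, not code from the original article, of server-side handling for a “permission to contact” form: one unticked checkbox per channel and per named party, the terms-and-conditions box never read as marketing consent, anything but an explicit tick rejected, and a record kept of exactly what the person was shown and what they ticked. The field names, the channels, the group companies and the notice version are assumptions made for illustration.

```python
"""Server-side handling of a 'permission to contact' form.

Added example, not code from the original article. The field names, the
channels, the group companies and the notice version are assumptions made
for illustration; adapt them to the form you actually serve.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# One unticked checkbox per channel and per named party. Nothing is
# pre-selected on the form, and nothing is inferred here.
CHANNELS = {"email": "Email", "telephone": "Telephone", "post": "Post"}
PARTIES = {"retail": "Example Retail Ltd", "finance": "Example Finance Ltd"}  # hypothetical
NOTICE_VERSION = "privacy-notice-v3"  # the version of the privacy notice the form displayed


@dataclass(frozen=True)
class ConsentRecord:
    """The evidence you keep to show consent was given: who, when, what
    they were shown, and exactly which boxes they ticked."""
    subject_email: str
    channels: tuple
    parties: tuple
    notice_version: str
    source: str
    recorded_at: str  # ISO 8601, UTC


def _ticked(form: dict, name: str) -> bool:
    # An HTML checkbox is absent when unticked and "on" when ticked. Any other
    # value ("off", "1", "true" from a tampered or buggy client) is treated as
    # not ticked, so consent can only come from the control we rendered.
    return form.get(name) == "on"


def parse_consent(form: dict, source: str = "website-contact-form",
                  now: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Return a ConsentRecord, or None if no valid marketing consent was given.

    The terms-and-conditions box is never read here: agreeing to the terms is
    a bundled opt-in, not consent to be contacted. Unknown channel or party
    names sent by the client are ignored. At least one channel and one named
    party must be ticked, otherwise there is nothing to consent to.
    """
    subject_email = (form.get("email") or "").strip()
    if not subject_email:
        return None
    channels = tuple(c for c in CHANNELS if _ticked(form, f"consent_{c}"))
    parties = tuple(p for p in PARTIES if _ticked(form, f"party_{p}"))
    if not channels or not parties:
        return None
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(subject_email, channels, parties, NOTICE_VERSION, source, stamp)


if __name__ == "__main__":
    # Constructed submissions: a valid one, a bundled-terms-only one, and a
    # tampered one that sends "off" instead of leaving the field absent.
    valid = {"email": "a@example.com", "consent_email": "on", "party_retail": "on", "terms": "on"}
    bundled = {"email": "b@example.com", "terms": "on"}
    tampered = {"email": "c@example.com", "consent_email": "off", "party_retail": "on"}
    for f in (valid, bundled, tampered):
        print(parse_consent(f))
```

Store the returned record alongside the subscription; it is what you produce if you are asked to demonstrate that consent was given, and it also tells you which notice version the person saw if you later change the wording.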
The list goes on to cover Google Analytics and third-party software. Google Analytics can be configured to anonymise IP addresses, but it still sets cookies and collects online identifiers, so it is not automatically exempt; check your configuration and your cookie notice. If you use third-party tracking software such as Lead Forensics, contact the vendor to find out what it collects and on what basis.
GDPR doesn’t just affect online activity; it covers offline data as well. EDGE IT have written an excellent article on how it will affect your business and how to prepare.
To sum up, you will need to ensure that contact forms linked to online mailing lists have a specific checkbox that the user must tick to agree to the sign-up.
You will also need to update your terms and conditions to cover what you are storing, how long you keep it for and who at your company is responsible for that data. Most privacy policies also explain how to request the data a company holds on you.
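The retention point above (remove personal details after a reasonable period while the transaction itself may have to stay) is easy to state and easy to get wrong in practice. The following is an added example, not code from the original article, of a scheduled scrub job: it nulls the fields that identify the customer on orders older than the retention period, keeps the order id and amount, records when the scrub happened, and is safe to re-run. The schema, the sample rows, the 60-day period and the fixed clock used in the demo are assumptions made for illustration.

```python
"""Scrubbing personal data from stored orders after a retention period.

Added example, not code from the original article. The schema, the sample
rows, the 60-day period and the fixed 'now' used in the demo are assumptions
made for illustration.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_DAYS = 60  # the article's example period; the GDPR itself fixes no number
SAMPLE_NOW = datetime(2018, 6, 15, tzinfo=timezone.utc)  # fixed clock for the demo

SCHEMA = """
CREATE TABLE orders (
    id            INTEGER PRIMARY KEY,
    placed_at     TEXT NOT NULL,      -- ISO 8601 in UTC, so text order == time order
    amount_pence  INTEGER NOT NULL,   -- the transaction itself is kept
    customer_name TEXT,               -- personal data: removed after retention
    email         TEXT,               -- personal data: removed after retention
    address       TEXT,               -- personal data: removed after retention
    scrubbed_at   TEXT                -- audit: when the personal data was removed
);
"""

SAMPLE_ROWS = [  # constructed sample data
    (1, "2018-03-01T10:00:00+00:00", 4999, "A. Customer", "a@example.com", "1 High Street"),
    (2, "2018-05-20T10:00:00+00:00", 1250, "B. Customer", "b@example.com", "2 High Street"),
    (3, "2018-06-14T09:30:00+00:00",  999, "C. Customer", "c@example.com", "3 High Street"),
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO orders (id, placed_at, amount_pence, customer_name, email, address)"
        " VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def scrub_expired_orders(conn: sqlite3.Connection, now: Optional[datetime] = None,
                         retention_days: int = RETENTION_DAYS) -> int:
    """Null out the personal fields of orders older than the retention period.

    The order row, its id and its amount stay, so accounting records are
    intact; only the fields that identify the customer go. Rows already
    scrubbed are skipped, so the job is safe to run on a schedule.
    Returns the number of orders scrubbed in this run.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "UPDATE orders"
        "   SET customer_name = NULL, email = NULL, address = NULL, scrubbed_at = ?"
        " WHERE placed_at < ? AND scrubbed_at IS NULL",
        (now.isoformat(), cutoff))
    conn.commit()
    return cur.rowcount


def order_summary(conn: sqlite3.Connection) -> list:
    """(id, amount_pence, customer_name, scrubbed?) for every order, by id."""
    rows = conn.execute(
        "SELECT id, amount_pence, customer_name, scrubbed_at FROM orders ORDER BY id")
    return [(i, a, n, s is not None) for i, a, n, s in rows]


if __name__ == "__main__":
    db = open_sample_db()
    print("scrubbed:", scrub_expired_orders(db, now=SAMPLE_NOW))
    for row in order_summary(db):
        print(row)
```

Run it from a scheduler with the real clock (leave `now` unset). Whatever period you choose, the same cutoff has to be applied wherever copies of those fields live, such as exports, mail logs and backups; the payment gateway holds its own copy under its own terms, which is a separate conversation with that vendor.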
In our next article we’ll tackle how to handle the data you already have.
Please contact us if you wish to ensure your website is GDPR compliant.