General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It expands on the current Data Protection Act, and it’s important that business owners are aware of its content.

The purpose of this article is to summarise some of the points that will affect business owners in regards to their website and mailing lists. It is NOT INTENDED TO BE ADVICE on what to do. It is your responsibility to read up on the GDPR so you are able to fully implement its requirements.

An overview of the GDPR can be read here (PDF from the Information Commissioner’s Office, ICO).

Mailchimp has also produced an easy to understand summary which you can read here.

Some key points for anyone who has a form on their website (quoted from the ICO overview):

Consent – page 10

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.

Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

We were unable to define “repaper”, but in this case it seems to mean to get consent again. So if the personal data you originally collected required a specific consent, i.e. a tick-box that someone had to actively tick to agree to you sending them information, then they would not need to be asked to consent again.

Individual rights – Page 13

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

The right to be informed – Page 14

The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.

Privacy Notice

If your website collects personal information, such as on a contact enquiry form or in an online shop, it should have a Privacy Policy. According to the Information Commissioner’s Office (ICO), the points that need to be included in the privacy policy are:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

Actions to Take

Based on our interpretation of the information, some actions to take in regards to a website would be:

  • Add a tick-box to forms that explicitly approves the collection of the person’s information and asks them to agree to further contact (the box must not be pre-ticked)
  • Modify the Privacy Policy to ensure it covers the points above
  • Contact your current mailing list and ask them to opt in to the list – unless the list already contains only contacts who have opted in

If you use an online mailing system such as Mailchimp, ConstantContact or iContact, they are likely to have already informed you of changes to make to your forms.
