GDPR — Transparent advice and implications for you

The EU General Data Protection Regulation (GDPR)

The GDPR is being enforced from 25 May 2018. UK organisations that process the personal data of EU residents have only a short time to ensure that they are compliant.

www.eugdpr.org/

As you may already be aware, GDPR (General Data Protection Regulation) implementation should now be completed across all UK and EU websites. This has a large impact on how you collect, store and process the data of individuals. We’ve put this blog post together to provide an introduction to the regulation and to advise on some of the steps you will need to take to become compliant.

This does not just affect your website but all data collected on individuals, including your internal employee data. The GDPR has eight key points related to data and processing (e.g. using an email address for marketing). This legislation has been brought into action to ensure that individuals have more transparency and access to the data you collect on them. There is also the concept of informed consent with regard to data collection.

Regarding your website, item 1 is the most important and should form the basis of your revised privacy policy. It provides individuals with information on what data is collected, how long it is retained and how it will be processed. It also needs to inform the individual of the ways to request the other points. Each of the other points will need an internal policy describing what to do if someone requests that item, i.e. how you will provide information on the data you hold about them.

When collecting data to be used for marketing you always need to ask for explicit consent. There must be some form of clear affirmative action (in other words, a positive opt-in), as consent cannot simply be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you’ll need to provide simple ways for people to withdraw consent. In practical terms, this means that you must provide an additional, unticked checkbox for marketing alongside any other terms and conditions agreement, with links to the privacy policy described above. If the data is regarded as essential, then processing it is lawful on other grounds and no consent is required. An example of this would be an online shop where the customer’s address is required to actually carry out the order. However, if there’s ever an intention to send any marketing or other follow-up emails (e.g. review requests) to the customer following the original transaction, then consent must be explicitly given.

There are other requirements if you collect or hold additional personal data. The ICO has good resources on this, and they are worth reading to ensure you are compliant across all aspects of your business: https://ico.org.uk/ico-introduction…

This is probably also a good time to review your general website legalities, terms and conditions and cookie consent. The current interpretation for cookies is that you must explicitly inform visitors that cookies are being used to track their interactions, or that they’re simply there to help improve the overall experience, rather than require a full opt-in. These should be specified in your terms and conditions/privacy policy. Within all your digital communications (website, plus all business emails) you also need to include your full company name, company number and registered address.

Steps to becoming compliant

No 1) First of all, you need to review your current database and consider whether explicit consent was given. For example, the standard newsletter system used by Verse is not compliant, so we would either need to gain additional consent or simply delete our database and start again.

No 2) Review your Terms and Conditions and Privacy Policies to ensure you’re compliant and to avoid potentially hefty fines going forward. We can provide advice on this for you, but ultimately we would recommend seeking legal counsel, as the buck stops with you.

No 3) Review your cookies policy; although this isn’t specifically related to the GDPR, it is a legal requirement. Again, we can provide advice on your cookies policy, but you are ultimately responsible for getting this right.

How Verse can help

No 1) Audit your website, paying particular attention to double (and triple) checking your Terms and Conditions, Privacy Policy, Cookie Policy and the consent on your data forms, to give you recommendations for becoming GDPR compliant.

*Our recommendations will, as far as we are aware, make you fully GDPR compliant, but we hold no ultimate responsibility for your actions.

No 2) Adding explicit consent to all your data forms. The scale of this can vary quite a bit, depending on how many data forms you have. It’s also important for your users/customers to understand what you intend to do with their data.

No 3) Integrating a system like MailChimp or Campaign Monitor. We would strongly recommend you go down this route, as these systems are built for this particular purpose and their double opt-in consent will ensure that you’re GDPR compliant.

No 4) Update your current Cookie policy provision. This would be either a new page template for you to add your policy to or a pop-up with a consent option.

Contact Verse to find out more

Ready to take the leap? Let's go