On May 25th the GDPR comes into force across all EU member states, bringing the biggest changes to data protection laws in a generation. This is going to affect all businesses and particularly those involved in eCommerce and digital marketing. If you’ve not reviewed your website or email policies yet time is running out. With this in mind we have compiled a GDPR guide of must do’s to ensure clients understand the steps they need to take ahead of the new regulations.
Our experts can advise you and recommend necessary amendments to your website, security and digital marketing in accordance with GDPR directives. We can review your online presence and carry out essential alterations in advance of the GDPR deadline.
List of ‘Must do’s’
The new regulations are far-reaching and extend to every aspect of your digital presence, data collection and online strategy. If the answer to any of the following questions is ‘No’, you should contact us in respect of the GDPR and amendments you need to make to your website or online marketing.
- Data capture – Have you modified your opt-in preferences in view of the GDPR Changes? Fundamental changes are required to your registration and opt-in mechanisms.
- Privacy statements – Have you updated these and their prominence on your website and emails? Like data capture, this a key area of the new regulations.
- Emails – Have you reviewed GDPR requirements for sending emails; to whom, when and for what? It is likely you will have to renew your customer opt-ins – before May 25th.
- Cookies – Are you aware of changes to cookie notices requiring more ‘affirmative’ consent?
- Security – Are you confident your data and how you store it meets the stringent security demands of the GDPR? Can you demonstrate this?
- Data quality – Do you maintain and demonstrate data quality updates? Do you cleanse your data and delete redundant records?
- 3rd parties – Have you revised contracts with 3rd party suppliers? Non-compliance by suppliers could make you culpable.
Data capture – Opt-ins and consent
Strict criteria for opt-ins are stipulated in the GDPR. Users MUST have explicit choice in how they are contacted and what they are contacted about. Most current practices won’t meet the new requirements. If you rely on Consent as your Lawful Basis for handling individuals’ data this must satisfy the new opt-in requirements under the GDPR. If not, you will have to re-obtain opt-ins ahead of the May 25th deadline.
- Consent must be ‘freely given, specific, informed and unambiguous’ and ‘easily withdrawn’
- Opt-ins, T’s and C’s and Privacy Notices must be distinctive, separate and unrelated and consent cannot be a pre-condition for delivery of a service
- Pre-populated tick boxes are outlawed and ‘double opt-in’ confirmations are recommended
- Consent must be ‘granular’, with separate opt-ins across distinct channels
Privacy Notices are a key component of the GDPR and must include clearly stated requirements. Layout, design and formatting are also important requirements, requiring Privacy Notices to be accessible, engaging and easily navigable.
- Full details of all information collected, stored and processed
1. Who is collecting it, how and for what reason
2. How information will be used
3. Who will it be shared with (and why)
- How this will affect individuals and their rights to oppose it
1. Including a direct link to the ICO to report infringement and poor data management
2. Security measures must also be explained, emphasising protection against breaches
You are required to clean up your email lists and MOST IMPORTANTLY, update the ‘Lawful Processing Rights’ for every customer.
- If your database of subscribers were not collected according to GDPR standards (see opt-in), then you will need to do some housekeeping.
- It is likely that you will need to re-confirm consent among existing customers, especially if they haven’t purchased for a while. This could include re-permission emails so that they can choose to re-opt in.
- It is almost inevitable that you will need to obtain renewed opt-in for large numbers of your email subscribers
- We can tell you more about this and help deliver campaigns.
- But you only have until May 25th to do this – after that you will be in breach of GDPR and liable to fines.
More often than not, cookie acceptance notices are standardised and generic. Under GDPR this will no longer be compliant, as it only suggests implied consent rather than demanding a positive, freely given action. Websites will need to gain active opt-in for cookies and ensure privacy notices provide details of cookies used and for what purpose. Consent will need to be an affirmative action, not a preconditioned acceptance of visiting a website.
Websites (indeed, all data collection & storage mechanisms) must review and demonstrate secure and robust data capture and storage. This should involve techniques like encryption, anonymisation and access control. Systems and software packages should be included in Privacy Notices, as should back up procedures.
- Data management systems and resources should not only keep all personal data safe but be capable of managing communication preferences
- Access to data must be regulated and permissioned.
- Data sharing must be encrypted and security protected and all parties must illustrate policies to ensure against data privacy breaches and responses, should this happen
The GDPR emphasises the importance of data quality and ‘minimisation’.
- Non essential data should not be collected and existing data not required for immediate processing should be deleted.
- Data quality needs to be regularly maintained and verified
- Individuals will now have specific rights to ensure this is applied
- Inconsistencies, spurious data and duplicate records need removing
Our software licenses were purchased with this in mind to support the data quality of our clients.
This includes any additional organisation or individual handling, using or acting on data on behalf of a website. This could be anything from payment mechanisms, delivery companies, through to analytics or data validating services. 3rd parties are classified as ‘Processors’ under the GDP and for each one, contracts, security and Privacy Notices need reviewing, both for GDPR compliance and responsibility mitigation.
We appreciate this change can be a little daunting however our team are here for you to advise and recommend the essential alterations needed to ensure your compliance. Please feel free to give us a call on 01743 360000 or send an email to [email protected]