The new GDPR (General Data Protection Regulation) law comes into force on the 25th May 2018 and if you haven’t already done so, it’s now time to start putting measures in place to meet the new demands. Here’s a checklist for your website that will provide basic guidelines as to how to keep on the right side of the law. The following recommendations are not exhaustive but will provide a few areas to focus on and will mainly look at data capture forms.
Firstly, What Rights Does GDPR Give An Individual?
Right to rectification – The right to ask that inaccurate or incomplete information be corrected.
Right to be forgotten (erasure) – The right to ask that information be permanently deleted.
Right of portability – The right to receive personal data in a usable format and have it transferred to another organisation.
Right to object – The right to prohibit certain uses of personal data, including direct marketing.
Right of access – The right to know what personal data has been collected and how it is being used.
GDPR And Website Forms
Some of the main aspects of the GDPR relate to consent: the ability to choose whether to be contacted, and to know how personal data will be used. Most websites include sign-up and subscription forms for a variety of reasons, for example newsletters, bulletins, regular updates and promotional offers. Under the new rules, website forms and other means of capturing personal information should meet the following:
Have a clearly defined opt-in:
An opt-in must not be pre-ticked or otherwise predetermined; silence or inactivity is not consent. The default state is "not opted in", and opting in must be an affirmative action taken by the subscriber/user.
Make opting out easy:
The opt-out must be visible and must state clearly what it relates to. It should allow complete withdrawal, so that the user can unsubscribe and receive no further communication. It is also useful to offer separate unsubscribe options for each type of correspondence: some people may want promotional offers but not the newsletter, so rather than stopping all correspondence, only the newsletter is unsubscribed.
Clearly separate different reasons for using data – un-bundled consent:
For example, one opt-in may be to receive promotional offers and another to agree to the terms and conditions; they cannot be combined into a single tick box, and the emphasis is on clarity rather than ambiguity. Consent is required separately for each of the different ways in which the data will be used; it should not be "one size fits all".
Third-party opt-ins:
Separate consent is needed in order to share information with third parties. Each third party must be named, and the reason for sharing the information with it must be given.
Mode of contact consent:
Permission must be given for the contact method(s) used for correspondence, which are normally phone, email, post and SMS. Consent to one channel does not imply consent to the others.
Privacy notices and terms and conditions must be easily accessible (link to them from the form itself), written in plain language, and kept current.
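The checklist above can be expressed directly in code. The following is an added example, not code from the original post, showing one way to render a sign-up form that satisfies it and to turn the submitted fields into a consent record that can later be withdrawn in full or per purpose. All names in it (PURPOSES, CHANNELS, buildConsentFormHtml, recordConsent, withdrawConsent, the "Example Logistics Ltd" third party and the sample form submissions) are this example's own assumptions, not a standard API.

```javascript
// Added example: minimal consent handling for a sign-up form (not from the original post).
// PURPOSES, CHANNELS and the function names below are assumptions of this example.

// Each purpose gets its own consent. A purpose that shares data names the third party
// and states why it is shared, in the text the user actually sees.
const PURPOSES = [
  { id: "newsletter", label: "Email me the monthly newsletter" },
  { id: "offers", label: "Tell me about promotional offers" },
  {
    id: "share_partner",
    label: "Share my name and address with Example Logistics Ltd so they can arrange delivery",
    thirdParty: "Example Logistics Ltd", // hypothetical partner, named for the user
  },
];

// Contact channels the user must pick explicitly; none is assumed.
const CHANNELS = ["email", "sms", "phone", "post"];

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the consent part of the form. Nothing is pre-ticked, every purpose and every
// channel is a separate checkbox, and the T&C box is not bundled with marketing.
function buildConsentFormHtml(policyVersion) {
  const lines = [`<fieldset><legend>How we may use your data (privacy notice ${escapeHtml(policyVersion)})</legend>`];
  for (const p of PURPOSES) {
    lines.push(`<label><input type="checkbox" name="consent_${p.id}"> ${escapeHtml(p.label)}</label>`);
  }
  lines.push(`</fieldset><fieldset><legend>Contact me by</legend>`);
  for (const c of CHANNELS) {
    lines.push(`<label><input type="checkbox" name="channel_${c}"> ${c}</label>`);
  }
  lines.push(`</fieldset>`);
  lines.push(`<label><input type="checkbox" name="terms_accepted"> I accept the terms and conditions</label>`);
  return lines.join("\n");
}

// Server side: convert parsed form fields into a consent record. Only an explicit "on"
// (what a browser sends for a ticked box) counts; an absent field means no consent.
// Accepting the terms is required to sign up but is deliberately independent of any
// marketing purpose. The record keeps the policy version and time so consent can be shown.
function recordConsent(fields, policyVersion, now = new Date()) {
  if (fields.terms_accepted !== "on") {
    throw new Error("terms must be accepted to sign up");
  }
  const purposes = {};
  for (const p of PURPOSES) purposes[p.id] = fields[`consent_${p.id}`] === "on";
  const channels = CHANNELS.filter((c) => fields[`channel_${c}`] === "on");
  if ((purposes.newsletter || purposes.offers) && channels.length === 0) {
    throw new Error("choose at least one contact method for the communications you opted into");
  }
  const at = now.toISOString();
  return {
    email: fields.email,
    purposes,
    channels,
    policyVersion,
    consentedAt: at,
    history: [{ at, action: "granted", purposes: Object.keys(purposes).filter((id) => purposes[id]) }],
  };
}

// Withdraw one purpose (e.g. just the newsletter) or, with no purpose given, everything.
// Returns a new record so the original remains as the audit trail.
function withdrawConsent(record, purposeId = null, now = new Date()) {
  const purposes = { ...record.purposes };
  const targets = purposeId ? [purposeId] : Object.keys(purposes);
  for (const id of targets) {
    if (!(id in purposes)) throw new Error(`unknown purpose: ${id}`);
    purposes[id] = false;
  }
  const stillWantsContact = purposes.newsletter || purposes.offers;
  return {
    ...record,
    purposes,
    channels: stillWantsContact ? record.channels : [],
    history: [...record.history, { at: now.toISOString(), action: "withdrawn", purposes: targets }],
  };
}
```

The rendered HTML contains no `checked` attribute anywhere, so the browser cannot submit consent the user never gave; the server treats anything other than a literal "on" as a refusal, so a tampered or malformed request cannot opt a user in either. Keeping the policy version and timestamp in the record is what lets you later show what wording the person agreed to and when.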
Finally, think about the tracking and analytics systems on your website. Their providers should be GDPR compliant, but do not assume it: check their terms and data-processing agreements, and make sure the data you pass to them is covered by your privacy notice.
I have only covered one particular area of website implementation here, and companies also acquire personal information through other means. If you require further information, the following link will take you to the Information Commissioner's Office (ICO) guidance "Preparing for the GDPR: 12 steps to take now", which provides a fuller set of guidelines on the new regulation. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf