4 April 2018
From May 2018 the new General Data Protection Regulation (GDPR) will determine how your business does business. And that includes making sure your website is GDPR ready too.
Your business will need to manage, administer and protect personal data, no matter what sector it is in.
To help you prepare (and to help us prepare too) we have developed a GDPR checklist based on the latest information available. We have also made a GDPR Infographic for you to download; use it to your heart’s content. Share it, print it, email it. Heck, base your own checklist on it! Just make sure you implement it, because the fines for failing to comply with GDPR are not fines you want to pay.
You’ve probably heard all about cookies, but did you know that, under GDPR, the way your website uses them can put you in breach of the law?
Cookies are small pieces of text that a website (or a script running on it) asks the browser to store as the user browses. Normally they are harmless: they are stored locally and can easily be viewed and deleted by the user.
However, cookies can give an in-depth insight into a user’s activity and preferences, and a persistent cookie identifier can single out an individual across visits. Under GDPR such an identifier is personal data, so setting it without a lawful basis or valid consent is a problem.
As tracking technologies grow more sophisticated, the user’s privacy is increasingly at risk. Cookies are set not only by the website the user is visiting (first-party cookies) but also by third parties whose content is embedded in the page, such as advertising networks and analytics providers, and those third parties can track users across many sites for marketing purposes.
Not every cookie can identify a user, but the cookies most useful to a website owner normally can, and those fall under GDPR. Cookies used for analytics, advertising and functional services such as survey and chat tools are all examples of cookies that can identify users.
Below is information on how to make your website and your business GDPR compliant:
Legitimate interests is one of the lawful bases for processing personal data, and it comes with limits on what a company may do. The interest may be a benefit to the company itself or to wider society. It is important that the legitimate interest is ‘real and not too vague’. The Data Protection Network states that “an ‘interest’ can be considered as ‘legitimate’, as long as the controller can pursue this interest in a way that complies with data protection and other laws”.
Check that legitimate interests is the most appropriate lawful basis for the processing.
Ensure you have explained how or why you need an individual’s personal data when you collect it.
Ensure that individuals are well informed of what you plan to do with their data when you collect it.
Always give individuals the option to refuse marketing; state that right explicitly and make it easy to exercise.
Only collect the minimum data necessary and delete records after use. You may keep the data needed for a suppression file, and you need a valid reason for any processing of an individual’s personal data that you justify under legitimate interests.
Direct marketing is recognised as a legitimate interest in GDPR recital 47. For example, an individual may have bought a product from a business so that business can market similar products to the customer.
Some interests are likely to be legitimate because they are ‘strictly necessary’ for corporate governance or related legal compliance, particularly where there is no explicit legal obligation but the processing is essential for the controller to meet its external or internal governance obligations. Whether you rely on consent or on legitimate interests for your marketing, the practical steps you must take to comply with GDPR are largely the same.
For an in depth account of what exactly legitimate interests in regards to GDPR is and how to work out if your company is compliant, check out the Data Protection Network’s Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation.
Consent is a lawful basis for processing and can legitimise use of special category data, restricted processing, automated decision-making and overseas transfers of data.
With the new regulations, this is not sufficient and does not comply with the consent rules.
Relying on inappropriate or invalid consent could destroy trust and harm your reputation. Plus, it may leave you open to large fines.
“If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing” – The Information Commissioner’s Office.
The Records Must Cover
Credit to the Information Commissioner’s Office (ICO) GDPR consent guidance; see www.ico.org.uk for more information.
When collecting personal data you will need to make sure individuals are aware of the following:
When collecting personal data through cookies, you should be mindful of the following:
Third-party cookies are set by a website other than the one the user is on. They are often used to collect information for research into the user’s behaviour and demographics and for targeted marketing.
When buying third party data, make sure you do your due diligence, as GDPR makes you accountable and responsible for making sure the personal data you use for marketing is compliant. To be sure, give third party data suppliers rigorous checks.
Session cookies are temporary and expire when the browser session ends. They’re mainly used on eCommerce sites to hold items in the basket while the user is shopping online.
Permanent (persistent) cookies stay on the user’s disk after the session has ended, until the expiry date the website set for them. Regulators’ guidance expects that lifetime to be limited and reviewed, but technically a cookie can be set to persist for years. These cookies typically hold identifiers such as a login token, a user ID or saved preferences; storing login credentials, contact details or account numbers directly in a cookie is poor practice and increases the impact of a breach.
First-party cookies are the cookies issued from the website the user has accessed. They remind the website about the user’s data and preferences.
Depending on their duration and on their origin, GDPR can affect them in different ways.
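The two axes above, origin (first- or third-party) and duration (session or persistent), are exactly what a cookie audit has to establish before deciding which cookies need consent. The following script is an added example, not code from the original article: it parses the `Set-Cookie` headers a page’s responses carry, classifies each cookie on both axes, and flags persistent cookies that outlive an audit threshold. The sample responses, the page URL, the 395-day threshold and the crude two-label “same site” test are all assumptions made so the example runs offline.

```python
"""Audit Set-Cookie headers by origin (first/third party) and lifetime
(session/persistent). Added example, not from the original article."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CookieReport:
    name: str
    party: str                      # "first" or "third"
    kind: str                       # "session" or "persistent"
    lifetime_days: Optional[float]  # None for a session cookie


def _site(host: str) -> str:
    # Crude "same site" test using the last two labels. A real audit would
    # consult the Public Suffix List; this simplification is an assumption.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookie(set_cookie: str, setter_host: str,
                    page_url: str, now: datetime) -> CookieReport:
    """setter_host is the host whose HTTP response carried the header;
    a cookie whose domain lies outside the page's site is third-party."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.lower()] = value.strip()

    page_host = urlsplit(page_url).hostname or ""
    cookie_domain = attrs.get("domain") or setter_host      # RFC 6265 default
    party = "first" if _site(cookie_domain) == _site(page_host) else "third"

    # RFC 6265: Max-Age takes precedence over Expires; with neither, the
    # cookie lasts only until the browser session ends.
    lifetime: Optional[float] = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = (expires - now).total_seconds() / 86400
    kind = "session" if lifetime is None else "persistent"
    return CookieReport(name, party, kind, lifetime)


def audit(responses: List[Tuple[str, str]], page_url: str, now: datetime,
          max_days: float = 395.0) -> Tuple[List[CookieReport], List[str]]:
    """Classify every cookie and flag persistent ones living longer than
    max_days. 395 days (~13 months) is an assumed audit threshold, not a
    figure from the article; set it to whatever your policy requires."""
    reports = [classify_cookie(h, host, page_url, now) for host, h in responses]
    flagged = [r.name for r in reports
               if r.kind == "persistent" and r.lifetime_days > max_days]
    return reports, flagged


# Constructed sample data: (responding host, Set-Cookie header value).
PAGE_URL = "https://shop.example.com/checkout"
NOW = datetime(2018, 4, 4, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("shop.example.com", "basket=a1b2c3; Path=/; Secure; HttpOnly"),
    ("shop.example.com", "prefs=dark; Max-Age=2592000; Path=/; Domain=.example.com"),
    ("ads.adnetwork.test",
     "IDE=xyz789; Expires=Fri, 03 Apr 2020 00:00:00 GMT; Domain=.adnetwork.test; Secure"),
]


def run_audit() -> Tuple[List[CookieReport], List[str]]:
    return audit(SAMPLE_RESPONSES, PAGE_URL, NOW)


if __name__ == "__main__":
    reports, flagged = run_audit()
    for r in reports:
        print(f"{r.name:8} {r.party}-party {r.kind:10} {r.lifetime_days}")
    print("over threshold:", flagged)
```

On the constructed input the basket cookie is a first-party session cookie, the preferences cookie is first-party and persistent for 30 days, and the ad-network cookie is third-party, persistent for two years and the only one flagged. In a real audit you would feed the script the responses captured from a browser session rather than the embedded sample, and decide the threshold according to your own retention policy.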
Profiling means evaluating personal data so you can make predictions about an individual or a group. This means that marketing communications can then be targeted and personalised for individuals or groups.
To continue marketing to individuals on your website and on your database, you must make sure that data is GDPR compliant.
If you need a consultation on your GDPR & Privacy Policies, please don’t hesitate to get in touch with us.