The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and with its rules, fines and potential accreditation schemes there is quite a bit of information you need to know. We at SocialB have created a checklist of the points that matter for you and your business.
GDPR For Your Website – Where To Start?
Where Are You Collecting Data?
You might think this is an easy one – contact forms and checkout forms, right? Wrong! Those are the obvious places to start, but you need to think bigger. When someone opens your LiveChat feature they can enter a name and email address, so that is a data collection point. Clicking your customer service email link is another: if they email you, you have captured their email address, name and potentially their phone number, company and more. Cookies are another major one. A cookie carries an identifier that lets you recognise a returning visitor, and your server logs the IP address alongside it, which can roughly locate the user; both count as personal data. As most websites now do, show a notice that asks visitors to consent before any non-essential cookies are set, not after the fact. Take a good look through your site, identify every such point and then move on to the next step.
As we mentioned above, consent is key, and the practices outlined in the following sections need to apply at each of these points, alongside your Privacy Notices.
Consent On Data Collection
The rules on what constitutes consent have been tightened under the new regulation. Under the GDPR, consent has to be freely given, specific, informed and an unambiguous indication of the individual’s wishes, given by a statement or a clear affirmative action.
When you accept a live chat from a potential customer, you take their name and contact details. If you then add them to your customer database, do you ask for their permission first? Not only must your organisation ask for this permission before the data is collected, the reasons for storing it need to be abundantly clear. Will you be adding them to your monthly newsletter, or sending them daily offer emails? Each of those is a separate purpose and needs its own consent.
An individual’s consent must now be given by a clear affirmative action: pre-ticked boxes, silence or inactivity no longer count. Again, this needs to happen at the beginning of the live chat, before the details are taken. You must also keep a record of how consent was given, what the person was told and which purposes they agreed to – and make sure it is date stamped!
So far you have asked for consent to take your customer’s data, shown your reasons and explained what will happen next. You then transfer the individual’s data into your normal CRM system to be processed and stored (considerations for your CRM system are continued below).
Now consider what information remains in your live chat software. Once the contact details (which you asked to take and store) have been moved to your CRM, does the chat transcript need to stay in that software? It is easy to think it does no harm remaining where it is, but the new regulation requires businesses to put the individual’s privacy first and to keep personal data no longer than necessary for the purpose it was collected for. If you decide the details do need to remain in that software, make sure you are fully transparent about this from the beginning of the chat.
Data Being Shared
This applies to data being shared between multiple programmes as well as internally among your employees. Think closely about the information in a live chat transcript and whether every employee in your organisation needs access to it; restrict access to those with a genuine need.
The theme running through these changes is increased transparency when collecting data from individuals. The rights of the user are also strengthened: individuals have a right to withdraw consent at any time, and withdrawing must be as easy as giving it. Make sure these considerations are taken into account at every point where data is collected from your customers.
What GDPR Means For Your Email Marketing
Recital 32 of the GDPR (not Article 32, which covers security of processing) sets out the following on obtaining consent from an individual:
Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
Many corporate websites these days feature an email list signup form, often as a pop-up. These pop-ups block the content the visitor is after until they close the window or provide personal information. Under the new regulation coming into effect in May 2018, the language of these pop-ups will need to be much more specific and provide clear information. Any pre-ticked boxes must go, replaced by clear, plain language that also declares any additional marketing that could occur in the future.
Use Of Email Addresses
The GDPR does not permit the personal data of individuals in the EU to be sold or passed to third parties without a lawful basis that the individual has been told about. It also stops companies using data for any purpose that was not explicitly indicated when the individual granted permission.
There’s still time to get ready for the new regulation, but it’s better to start sooner rather than later. Here’s a checklist of things to keep in mind:
- Determine whether you hold email addresses of individuals in the EU. A .eu domain or an EU IP address at signup is a hint, but neither is reliable: the regulation applies to people located in the EU regardless of their email domain. If you cannot tell, the safe course is to apply the GDPR standard to your whole list.
- Prepare a re-permission campaign for your EU contacts. Consent obtained in the past remains valid only if it already meets the GDPR standard (freely given, specific, informed, unambiguous and recorded); if you cannot evidence that, you will need to ask for permission again.
- Review every request for an email address, including pop-up windows and sign-up forms. Make sure the language is crystal clear and covers every single reason you intend to use that address.
- Keep a record of each individual’s permission to use their email address, and be prepared to present that evidence if and when asked for it.
- Take steps to protect your company against potential security breaches. Review your current data storage and security practices to see whether additional measures need to be added or existing ones improved and adjusted.
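The checklist above keeps asking for the same three things: consent that is a clear affirmative action, per purpose, with a date-stamped record you can produce later, and a way for the person to withdraw it. The following is an added illustration of how that record could be kept; it is example code written for this page, not SocialB’s software or any GDPR-mandated format. The subject identifier, purpose names, source names and notice version are invented placeholders, and the ledger lives in memory only; a real deployment would persist it to append-only storage.

```python
"""Minimal append-only consent ledger (illustrative example, not a product)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional
import json

# Only these count as an affirmative action. A pre-ticked box, silence or
# scrolling past a banner is refused, so it can never be recorded as consent.
AFFIRMATIVE_ACTIONS = {"ticked_box", "clicked_button", "typed_reply"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # your internal identifier for the person (placeholder)
    purpose: str         # one specific purpose, e.g. "monthly_newsletter"
    granted: bool        # True = consent given, False = consent withdrawn
    timestamp: str       # ISO-8601 UTC: the date stamp the checklist asks for
    source: str          # where it was captured: "signup_popup", "live_chat", ...
    notice_version: str  # version of the privacy notice the person was shown
    action: str          # what the person actually did


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []  # append-only; never edited or deleted

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def grant(self, subject_id: str, purposes: List[str], source: str,
              notice_version: str, action: str) -> List[ConsentEvent]:
        if action not in AFFIRMATIVE_ACTIONS:
            raise ValueError(f"{action!r} is not an affirmative action; nothing recorded")
        events = []
        for purpose in purposes:  # one event per purpose: consent is specific
            ev = ConsentEvent(subject_id, purpose, True, self._now(), source,
                              notice_version, action)
            self._events.append(ev)
            events.append(ev)
        return events

    def withdraw(self, subject_id: str, purpose: str, source: str) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, False, self._now(), source, "", "withdrawal")
        self._events.append(ev)
        return ev

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # The latest event for this subject and purpose wins; no event means no consent.
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.granted
        return False

    def proof(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        # The most recent grant, kept even after withdrawal, to show how consent was obtained.
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.granted:
                return ev
        return None

    def export(self, subject_id: str) -> str:
        # Machine-readable copy of everything the ledger holds about one person.
        return json.dumps([asdict(ev) for ev in self._events
                           if ev.subject_id == subject_id], indent=2)


def demo():
    """Walk through the live-chat scenario with constructed data."""
    ledger = ConsentLedger()
    # Visitor ticks an unchecked "monthly newsletter" box during live chat.
    ledger.grant("subj-1001", ["monthly_newsletter"], "live_chat",
                 "privacy-notice-v1", "ticked_box")
    # A pre-ticked "daily offers" box on the signup pop-up is refused outright.
    try:
        ledger.grant("subj-1001", ["daily_offers"], "signup_popup",
                     "privacy-notice-v1", "pre_ticked_box")
        rejected = False
    except ValueError:
        rejected = True
    before = (ledger.has_consent("subj-1001", "monthly_newsletter"),
              ledger.has_consent("subj-1001", "daily_offers"))
    # Later the person clicks an unsubscribe link: withdrawal is recorded, history kept.
    ledger.withdraw("subj-1001", "monthly_newsletter", "unsubscribe_link")
    after = ledger.has_consent("subj-1001", "monthly_newsletter")
    return rejected, before, after, ledger


if __name__ == "__main__":
    rejected, before, after, ledger = demo()
    print("pre-ticked box rejected:", rejected, "| consent before:", before, "| after withdrawal:", after)
    print(ledger.export("subj-1001"))
```

The point of the append-only design is that withdrawal adds a new event rather than deleting the grant, so you can still show a supervisory authority when and how consent was originally obtained, while `has_consent` (the check your mailing code should call before every send) returns the current state.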
Internal Preparation For The Upcoming GDPR
While your online data collection and processing needs to comply with the General Data Protection Regulation, your internal processes will also be affected. As with many government regulations, it is not 100% clear exactly what needs to happen, but there are precautionary measures you can take based on the guidance provided by the ICO. The EU GDPR Documentation Toolkit from IT Governance is a great help with the documentation you will need to put in place.
Appoint A Data Protection Officer
If you are a public authority or considered to be a company carrying out “…large scale systematic monitoring of individuals (for example, online behaviour tracking); or carry out large scale processing of special categories of data or data relating to criminal convictions and offences.” you will need to appoint a data protection officer.
This person will be responsible for:
- Ensuring that your organisation’s practices are compliant with the latest GDPR updates;
- Advising colleagues on the best practices to stay compliant; and
- Acting as a point-of-contact for the relevant data protection authority.
Prepare For Data Breaches
If you don’t already have a procedure for what happens when your systems are breached, you will need to put one in place. It must include reporting a personal data breach to the ICO no later than 72 hours after you become aware of it (unless the breach is unlikely to result in a risk to individuals), and telling the affected individuals without undue delay where the breach is likely to result in a high risk to them.
Be Aware Of Risk Assessments
Where your processing is likely to result in a high risk to individuals (for example large-scale monitoring or profiling), you will need to carry out a Data Protection Impact Assessment (DPIA) before you start. If you have a data protection officer, it is their responsibility to advise on the DPIA and to act as the point of reference for it. So be prepared and stay on top of the regulation!
The GDPR also gives individuals a right to data portability: personal data they have provided to you, and that you process by automated means on the basis of consent or a contract, must be available to them in a structured, commonly used and machine-readable format. Where technically feasible it should be transmitted directly to another organisation at their request. The responsibility for this lies with your organisation; the subject should not have to act as a middleman.
Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.