Hang on, what is GDPR anyway?
The GDPR – General Data Protection Regulation – comes into force in the UK on 25th May 2018.
This new EU regulation replaces the Data Protection Act (DPA) 1998.
The GDPR has similarities with the DPA as well as new and additional requirements for the handling and processing of personal data. Anyone with day-to-day responsibility for data protection needs to be aware of it.
Failure to comply with the GDPR carries with it some serious fines so now is the time to start preparing for its introduction.
Everything you need to know can be found on the Information Commissioner’s website. We’ve pulled out some key points to get you thinking about what your business will need to do about its digital properties.
Have you got explicit consent from your subscribers?
Can you prove that everyone on your mailing lists – whether customers, prospects, fans or followers – has given explicit consent to be on those lists and marketed to?
Businesses must be able to prove subscribers have positively opted in to be marketed to, and keep a record of when, where and to what wording they agreed. If they filled in a form with a pre-ticked box or simply failed to respond to a call to action (e.g. if we don’t hear from you we’ll assume ….) that’s not good enough.
Implied consent isn’t good enough for the GDPR.
Are your subscribers humans?
If your sign-up form or opt-in page has neither a CAPTCHA (such as reCAPTCHA) nor a confirm-your-subscription email step (double opt-in), you might be marketing to bots or unwittingly spamming people whose address someone else typed in. This is not good.
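Putting the last two points together, here is how the positive opt-in and the confirm-by-email step fit into one piece of code. This is an added example, not code from the original article: it assumes a hypothetical in-memory mailing list standing in for your database, a single server-side HMAC key (load it from a secret store in practice) and a 48-hour confirmation window. A request whose box was pre-ticked or absent is refused rather than recorded, nobody is marketable until the emailed link is used, and the record kept is the one you would produce if asked to prove the opt-in.

```python
import hashlib
import hmac
from dataclasses import dataclass, asdict
from typing import Dict, Optional

# Added example, not code from the original article. Assumptions: a single
# server-side HMAC key (hypothetical; load it from a secret store in practice),
# a 48-hour confirmation window, and an in-memory store standing in for a database.
SECRET_KEY = b"example-only-do-not-use-in-production"
CONFIRMATION_TTL = 48 * 3600


@dataclass
class ConsentRecord:
    """Evidence of one opt-in: who, for what, when, from where, and under which wording."""
    email: str
    purpose: str                 # e.g. "email-marketing"
    consent_text_version: str    # version of the wording the subscriber saw
    source: str                  # the form or page the request came from
    requested_at: int            # Unix time the form was submitted
    confirmed_at: Optional[int] = None  # set only after the emailed link is used


def _sign(email: str, issued_at: int, key: bytes) -> str:
    return hmac.new(key, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Token embedded in the confirmation link; binds the address to an issue time."""
    return f"{issued_at}.{_sign(email, issued_at, key)}"


def verify_confirmation_token(email: str, token: str, now: int,
                              key: bytes = SECRET_KEY, ttl: int = CONFIRMATION_TTL) -> bool:
    """Accept only an unexpired token whose MAC matches this address."""
    issued_str, sep, mac = token.partition(".")
    if not sep or not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    if now < issued_at or now - issued_at > ttl:
        return False
    return hmac.compare_digest(mac, _sign(email, issued_at, key))


class MailingList:
    def __init__(self) -> None:
        self.pending: Dict[str, ConsentRecord] = {}
        self.confirmed: Dict[str, ConsentRecord] = {}

    def request_subscription(self, email: str, box_ticked_by_user: bool,
                             consent_text_version: str, source: str, now: int) -> Optional[str]:
        """Step 1: record the request and return the token to put in the confirmation email.

        A pre-ticked box or a form with no box gives box_ticked_by_user=False,
        so the request is refused outright rather than stored as consent.
        """
        if not box_ticked_by_user:
            return None
        self.pending[email] = ConsentRecord(email, "email-marketing",
                                            consent_text_version, source, now)
        return make_confirmation_token(email, now)

    def confirm(self, email: str, token: str, now: int) -> bool:
        """Step 2: the subscriber follows the emailed link; only then is consent complete."""
        record = self.pending.get(email)
        if record is None or not verify_confirmation_token(email, token, now):
            return False
        record.confirmed_at = now
        self.confirmed[email] = self.pending.pop(email)
        return True

    def can_market_to(self, email: str) -> bool:
        """Pending (unconfirmed) addresses are never marketed to."""
        return email in self.confirmed

    def consent_proof(self, email: str) -> Optional[dict]:
        """The record you would produce if asked to prove this subscriber opted in."""
        record = self.confirmed.get(email)
        return asdict(record) if record else None
```

The token carries no personal data itself; the address is supplied by the link handler and checked against the MAC, so a token copied from one confirmation email cannot confirm a different address, and an expired token is refused even if the MAC is valid.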
What about those Cookies?
You’ll need to get a handle on exactly what data your website or app is collecting from users.
The GDPR requires you to know the lawful basis for collecting each piece of that data; for tracking and marketing cookies, that basis is consent, and it has to be explicit.
Make sure your cookie notice lets users opt in proactively, and that non-essential cookies aren’t set until they have.
Businesses must be clear about why and how they are handling people’s personal data, how they ensure it is adequate (not excessive), accurate and kept up to date.
They must also be explicit about how long they keep personal data and what the removal, archiving or deletion process is.
The GDPR reinforces the rights enshrined in the DPA for individuals to request access to the data an organisation holds on them. Individuals also have the right to rectify inaccurate information and have it erased in certain circumstances.
Have you got procedures in place to allow for deleting personal data wherever it may be stored in your business? You’ll also need a protocol for providing personal data to users who request it.
Don’t forget to update the privacy information on your website or app too.
What about your digital partners with software integrations on your website?
It’s time to review which third parties have integrations on your website or app. Are they taking steps to be compliant with GDPR? Have you got proper agreements or contracts in place with them about handling personal data?
There are some helpful recommendations about Digital Vendor Risk Management available from the Media Trust.
Do you know who’s responsible for Data Protection in your business?
Could it be you? Find out. Appointing a Data Protection Officer is only legally required in certain cases (public authorities, and organisations doing large-scale monitoring or processing special categories of data), but either way the buck stops with someone. Make sure you know who’s responsible.
These are just some of the things you need to be thinking about now to ensure your business and website are GDPR compliant by May 2018.