The deadline for compliance with GDPR (General Data Protection Regulation) is 6 months away (25th May). Organisations need to act now to prepare for this. In order to help, we’ve compiled some FAQs and links to further reading.
We can’t tell you exactly what to do because every organisation is different, plus we’re not lawyers. However, this information should help you evaluate what steps you need to take. For official advice, we recommend you speak to whoever is responsible for legal matters in your business.
Who should be most concerned with GDPR?
If you are an organisation that collects, processes and shares personal data then you need to understand the implications of these rule changes.
Do I have to do anything yet?
Yes! Ideally you’ll have already made the appropriate changes. The regulation will be enforced from the 25th May 2018 and you can’t use any data after the 25th May that hasn’t been collected in a compliant manner. There are no excuses afterwards, we are in the ‘cooling off’ period now.
What is the difference between a ‘data processor’ and a ‘data controller’?
The ‘controller’ is the person/organisation who decides the purpose and manner of personal data use. The ‘processor’ is the person/organisation acting on their behalf. Therefore it’s the ‘controller’ who has data protection responsibility.
Does it affect B2B organisations?
From everything we’ve read and heard GDPR affects B2B data too. It’s likely that B2C businesses are more likely to face prosecution/fines, but that doesn’t mean B2B businesses should ignore it.
What about Brexit?
GDPR is an EU regulation that is being applied to the UK, but that doesn’t mean Brexit changes anything. We haven’t left the EU yet, so it becomes immediately applicable from 25th May.
Furthermore, it is likely that the UK will enshrine this type of legislation into UK law after Brexit, to ensure that trade and relationships continue smoothly with EU countries.
What are the highlights?
There are four main areas that seem to stand out the most to us:
Data processing - If the ICO come knocking, you will have to demonstrate that any personally identifiable data you hold is being stored safely and that every time you use the data you do so in a lawful way. This includes ‘profiling’ the data.
Ultimately the ICO will consider the potential impact any action has had on the individual (e.g. profiling data to help with general marketing insight is fine, but profiling data to target specific individuals would probably require their specific permission).
Opt in permission - There are already ‘opt-in’ regulations in place with the Data Protection Act of 1998 but these go further. Essentially, for any use of the data you collect, you’ll need the individual to explicitly give permission.
(e.g. For a ‘call me back’ form, where the only thing you’ll do with the data is ‘callback’, the messaging on the form will probably be enough. However, if you’re going to sign that individual up to a newsletter and also share their data with a 3rd party, you’ll need to ask them to tick an opt-in box for each).
Unsubscribe - Often referred to as the “Right to be forgotten”. You’re going to need to make it incredibly easy for people to find out how to remove themselves from your database. You’ll also have to make it incredibly clear why you might need to retain some of their information (e.g. to make sure you don’t contact them again!).
Privacy Policy - You need to demonstrate you’ve made an effort to be transparent about what you’re using personal data for, and that you’re using incredibly plain and clear English.
Any attempts to confuse through ambiguity, or to not reveal what you’re doing, is unlikely to be forgiven! Take this as an opportunity to revise your privacy policy so that anyone can understand it, not just your company lawyer.
Will this harm my website conversion rate?
In most cases any changes shouldn’t affect your conversion rates significantly. By being more transparent and clear about your use of data, it may even encourage more people to share their data with you.
We recommend that you apply any changes sensibly (a/b test if you can) and don’t feel that you need to set the standard’ for your sector, just do what you think is required to be compliant.
Is this different from the ‘cookie law’ from a few years ago?
Yes. GDPR is more concerned with ‘personal data’ although there is some overlap, because cookies and IP addresses etc... count as ‘personal data’ according to the new GDPR regulation. To clarify this, there is a new “ePrivacy Law” also being drafted.
When will the new ‘ePrivacy Law’ come into force?
Originally, this was due to apply at the same time as GDPR. However, the EU are taking longer to debate the specifics, so this has been pushed back (possibly until Spring 2019).
So, do I change anything about my cookie policy now?
Although the timing of the revised ePrivacy law has been pushed back you could take this opportunity to update your privacy policy and cookie policy etc. Update your privacy policy in time for GDPR and your cookie policy well ahead of the ePrivacy Law.
Remember, with your cookie policy the key is to understand what you are using cookies for. Explain this to your website visitors and make the information easy to find. The more you do now, the less you’ll need to change in 2019.
Can you give a good example of an opt in form?
There are various ways to be compliant, but we like the way the BBC have changed their registration form to include a “What’s this for?” message alongside each field.
This allows them to provide additional supporting information about the need for every piece of personal data, but the user can choose to reveal this or not.
Can you give a good examples of a cookie policy?
You’ll need to work out what is best for you and your organisation, but we think two good examples are the cookie policies on the TUI website and the John Lewis website.
Who is responsible for this within my organisation?
If you collect, process and share personal data then you’re very likely to need to have assigned someone the specific role of “Data Protection Officer”.
This isn’t a new thing, but expect the new regulations to allow even greater enforcement of this. If you don’t have a specific DPO then you should at least make someone responsible for investigating the impact of GDPR.
What should you do now?
The first step is to make someone in your organisation responsible for this, then they should investigate the implications. All ICO guidance on GDPR is valid, but one specific document we’ve found particularly useful is their “12 steps to take now” guide.
Where can I get more information?
The ICO website provides GDPR updates when available (we’ve been told they are releasing some ‘consent guidelines’ in December).
Furthermore, the IAB also provide updates on how ePrivacy changes might affect the digital advertising industry. The latest is their updated ePrivacy Factsheet.