GDPR includes requirements for the way you collect, store and process personal data. We’ve previously talked about GDPR here, but for first-hand advice and guidance we recommend you take a look at the ICO resources here.
12 Key Questions to Help Judge Your GDPR Readiness
To give you some prompts for thinking about the way you collect data on your website, we’ve put together a series of questions.
As we’ve said before, we can’t tell you exactly what to do, because every organisation is different (and we’re not lawyers). These questions will, however, help you identify the things you need to investigate further.
For official advice, speak to whoever is responsible for legal matters in your business.
Questions to consider are:
- Is your Privacy Policy clearly visible and accessible from every page of your website?
- Does your Privacy Policy clearly state what you use personal data for?
- Does your Privacy Policy clearly state how you store and process personal data?
- Does your Privacy Policy clearly explain how someone can request that their data be removed?
- Does your Privacy Policy clearly state who to contact with any questions?
- Do you have a Cookie Policy that is clearly visible and accessible from every page of the website? (More and more websites now have a cookie notice bar, both to draw attention to the cookie policy and to request “permission”.)
- Does the Cookie Policy clearly state which cookies you use, what you do with them and how visitors can manage or refuse them?
- When capturing personal data, do you keep the amount of data captured to the minimum needed for the stated purpose?
- When capturing personal data, do you make it clear why you need each piece of information?
- When capturing personal data, do you make it clear what will happen next?
- When capturing personal data, do you direct people towards your Privacy Policy?
- When capturing personal data, do you make it clear what they are “opting in” to?
Remember, if you’re using the data for more than one purpose, you’ll probably need separate “opt in” permission for each purpose.
Also remember that “permission” can be established in a few different ways. For example, if you’re collecting data in a form called “call me back”, and you make it clear that this is what the form is for, you can reasonably expect someone who submits it to expect a phone call back.
That means you don’t necessarily need a separate opt-in box for that purpose. However, if you will also use that data to send a newsletter, pass it to third parties, and so on, you’d need to ask for separate permission for each of those purposes.
Where can I get more information?
The ICO website publishes GDPR updates as they become available. The IAB also provides updates on how the ePrivacy changes might affect the digital advertising industry; the latest is their updated ePrivacy Factsheet.