GDPR means a prioritization of data protection over promotional results, which in practice will reduce the quantity of bulk emails.
So the usual unsubscribe or stop-notifications options will no longer be enough. From May 25th, companies wishing to send a marketing message or interaction will have to be aware of:
- How the company's public profile is exposed, meaning increased care over contact details
- The user's option to choose what happens to the data acquired about them
- Data storage and access
- The purpose of collecting data and the period of the storage
- The data subject’s rights
In other words, there are three big segments of change for the marketing industry where the regulation will apply: consent, clarity and transparency, and profiling:
Consent
The GDPR mandates that consent must be "freely given, specific, informed, unambiguous," and articulated by a "clear affirmative action." It is also mandatory that consent be archived and put at the authorities' disposal when required. If not, companies may need to rebuild the consent list by asking for consent updates across the full database.
Clarity and Transparency
The way data is being collected is another important aspect of the regulation. Users should always be informed about how information on their activities is gathered. It's quite a challenge to operate in a fully transparent data environment, especially when it comes to IoT, machine learning and artificial intelligence. A 114-page guide has been released on the subject.
One particular concern is digital and IoT data being monitored and stored against a personal identifier. There are certain questions that marketers should answer on the subject: for example, whether users are aware of the way their personal data is being collected, and whether they can understand that AI or machine learning tools are making decisions based on that data.
Another concern raised by the guidance document involves using personal information to profile or analyze customers.
GDPR defines profiling as:
“Any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Forms exist to collect data offered by your visitors, guests, and members. How can you maintain GDPR compliance while using forms? Let's dive into the details of what this new regulation means for you and your website specifically.
What forms do we need to worry about?
First, not all your forms are necessarily going to be impacted by the GDPR. Running an anonymous survey? A quiz? If you're not collecting personally identifiable information on users, your form is not impacted. However, if you're collecting any personally identifiable information whatsoever, GDPR compliance becomes important. So, how do you comply? See below:
A. Request as little data as possible
It's always tempting to add as many fields as the usability person or designer agrees to, but unless you absolutely need the data to deliver your service, you shouldn't collect it. Names you should probably always collect, but unless you are delivering something, a home address or phone number is unnecessary.
B. Consent checkboxes
This is one of the biggest changes that the regulation brings. "I accept the terms and conditions" is no longer sufficient to claim that the user has given consent for processing their data. So, for each particular processing activity there should be a separate checkbox on the registration (or user profile) screen.
You should keep these consent checkboxes in separate columns in the database, and let users withdraw their consent (by unchecking these checkboxes from their profile page). Ideally, these checkboxes should come directly from the register of processing activities (if you keep one). Note that the checkboxes must not be preselected, as a pre-ticked box does not count as "consent".
C. Data should be collected for a specific purpose, used only for that purpose and retained for only as long as it meets that purpose
Don't use data for purposes that the user hasn't agreed with – that's supposed to be the spirit of the regulation. If you want to expose a new API to a new type of clients, or you want to use the data for some machine learning, or you decide to add ads to your site based on users' behaviour, or sell your database to a 3rd party – think twice.
I would imagine your register of processing activities could have a button that sends notification emails asking users for permission when a new processing activity is added (or, if you use a 3rd party register, it should probably give you an API). So upon adding a new processing activity (and adding it to your register), mass email all users from whom you'd like consent.
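A minimal consent store illustrating points B and C above: one entry per processing activity (the "separate columns"), nothing pre-selected, withdrawal from the profile page, an append-only history that serves as the archive the authorities may request, and a newly added activity that grants nobody consent until they are asked. This is an added example written for this page, not code from the original post or from any provider named on it; the activity names and field names are constructed.

```python
import datetime as dt
from dataclasses import dataclass, field

# Register of processing activities: each purpose a user may consent to.
# Constructed sample entries; a real register lists every activity you run.
PROCESSING_ACTIVITIES = {
    "newsletter": "Monthly newsletter by email",
    "analytics": "Usage analytics for product improvement",
}

@dataclass
class ConsentEvent:
    purpose: str
    granted: bool          # True = consent given, False = withdrawn
    at: dt.datetime
    source: str            # e.g. "signup form", "profile page"

@dataclass
class UserConsent:
    """One row per user: a current value per purpose plus an append-only history."""
    user_id: str
    current: dict = field(default_factory=dict)   # purpose -> bool
    history: list = field(default_factory=list)

    def record(self, purpose, granted, source, now=None):
        if purpose not in PROCESSING_ACTIVITIES:
            raise ValueError(f"unknown processing activity: {purpose}")
        now = now or dt.datetime.now(dt.timezone.utc)
        self.current[purpose] = granted
        self.history.append(ConsentEvent(purpose, granted, now, source))

    def may_process(self, purpose):
        # No entry means never asked (or a newly added activity): no consent.
        return self.current.get(purpose, False)

def signup(user_id, form_fields, now=None):
    """form_fields maps checkbox name -> submitted value; absent boxes are unchecked."""
    uc = UserConsent(user_id)
    for purpose in PROCESSING_ACTIVITIES:
        uc.record(purpose, bool(form_fields.get(f"consent_{purpose}")), "signup form", now)
    return uc

def add_processing_activity(name, description, users):
    """Adding an activity never grants consent; returns the users who must be asked."""
    PROCESSING_ACTIVITIES[name] = description
    return [u.user_id for u in users if not u.may_process(name)]
```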
D. Use a double opt-in mechanism
Having a double opt-in mechanism in place is good practice because it ensures that people are granting you their 'explicit consent'. Double opt-in is already law in some EU countries, such as Germany, and will be enforced more strongly with GDPR. You're most likely familiar with how it works: you register through a form on a webpage and receive an automated email with a 'Confirm' button, which then activates your account.
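The double opt-in flow from point D as an added example (not the original post's or any provider's code): the form submission creates a pending entry and a single-use, HMAC-signed confirmation token with an expiry; only clicking the emailed link with a valid token activates the account. The secret, time-to-live and in-memory stores are constructed stand-ins for real configuration and a database.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example; load from configuration in a real deployment.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600

# Pending registrations: email -> (nonce, created_at). Nothing here is active yet.
PENDING = {}
ACTIVE = set()

def _mac(email, nonce, created_at):
    msg = f"{email}|{nonce}|{created_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def start_registration(email, now=None):
    """Step 1: form submitted. Store a pending entry and return the token
    to embed in the 'Confirm' link of the automated email."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    PENDING[email] = (nonce, now)
    return f"{nonce}.{now}.{_mac(email, nonce, now)}"

def confirm_registration(email, token, now=None):
    """Step 2: user clicks Confirm. Only a valid, unexpired token for a
    still-pending address activates the account; the first use consumes it."""
    now = int(now if now is not None else time.time())
    try:
        nonce, created_s, mac = token.split(".")
        created_at = int(created_s)
    except ValueError:
        return False
    if PENDING.get(email) != (nonce, created_at):
        return False
    if now - created_at > TOKEN_TTL_SECONDS:
        return False
    if not hmac.compare_digest(mac, _mac(email, nonce, created_at)):
        return False
    del PENDING[email]          # single use
    ACTIVE.add(email)
    return True

def is_active(email):
    return email in ACTIVE
```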
E. Mention if you will send or share the data with any 3rd parties and which
For each of the 3rd party data processors, check their respective privacy policies and make sure that they are GDPR compliant. In the unlikely situation where a 3rd party data processor is not compliant and has no plans to become compliant by the 25th May 2018 deadline, you should seek to replace them with a similar but compliant provider.
Cookies are mentioned only once in the EU General Data Protection Regulation (GDPR), but the repercussions are significant for any organisation that uses them to track users' browsing activity. In short: when cookies can identify an individual via their device, it is considered personal data.
To become compliant, consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn't count as consent.
‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:
- it must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don't give their consent, they must make them accept cookies first.
- sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
Land of Web - GDPR services provider
Short description of our services:
- the identification of the apps (web or mobile)
- Main goal/purpose of the platform/apps
- Technical analysis of the service
- GDPR recommendations
- DPIA (Data Protection Impact Assessment): an extensive evaluation of personal aspects, based on profiling, that measures the impact of decisions affecting the natural person. It also covers processing of data relating to legal situations such as criminal convictions.
1. Personal data audit
In order to achieve GDPR compliance, we first need a clear understanding of what personal data exists in your organization, where it's used and stored, who has access, and the reason for holding it.
A personal data audit will help us identify the weaker parts of your website. An example could be a non-compliant third party data processor. Another example might be contact form submissions that have been saved to your website's database. These have likely long since been acted on or replied to so they no longer need to be kept. Whatever the weak links are we aim to strengthen or remove them.
2. Technical implementation
Most of the GDPR features can be implemented in a few weeks by our team.
Once the audit has been completed, a technical plan sets out the implementation steps.
3. Contingency plan
This plan is meant to prevent or reduce the negative effects of unforeseeable problems.
In cases where a leak of sensitive information occurs, the EU GDPR contains a new requirement that private and public enterprises must inform the relevant authorities. The following information will need to be disclosed:
- What types of data were leaked?
- How many registered parties does the leak involve?
- What are the consequences to those registered parties?
- What has been done to ensure that this does not happen again?
4. Continuous supervision of compliance with the recommendations and technical implementations
While the short-term goal is to ensure GDPR compliance before May 2018, another task is to ensure continuous compliance after the legislation comes into effect. We also offer long-term solutions for complying with the regulation on a daily basis.