The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. This article focuses on the changes to your sign up and marketing permission process required to make your sign up forms compliant.
The introduction of the GDPR will fundamentally change how organisations employ data, and this starts with the point of collection.
The fine for not complying with the GDPR is “€20m (£17.6m) or 4 per cent of a company’s total worldwide annual turnover, whichever is higher”. There will be no grace period following Friday 25th May 2018, you are expected to have changed all processes to comply with the GDPR by this date.
You may choose a different legal basis to contact individuals (e.g. legitimate interest for legacy data) however moving forward you should ensure you collect GDPR compliant consent and update your sign up forms and any data/consent collection pages to make sure they comply with the GDPR standards.
According to the Information Commissioner’s Office (ICO), consent under the GDPR must be “freely given, specific, informed and unambiguous consent; which informs subscribers about the brand that’s collecting the consent and provide information about the purposes of collecting personal data”.
You will need to keep records to evidence consent at every step of the process. The ICO advise you to “build regular consent reviews into … business processes”. You “must have an effective audit trail of how and when consent was given, so organisations can provide evidence if challenged”.
You should review the methods used in the past to acquire subscribers, if you’re relying on the legal basis of consent, legacy consents are not acceptable unless they meet the GDPR consent standards – so soft opt-ins need to be re-permissioned before 25th May.
However you cannot repeatedly request consent once the GDPR comes into force. If you send a re-permissioning email asking for consent the GDPR means you must no longer contact that customer, unless they take an action to provide consent.
- Active consent
The consent collected must be unambiguous and requires a clear affirmative action. You “cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or blanket acceptance of… terms and conditions” as evidence of consent. Pre-ticked consent boxes are explicitly banned by the GDPR.
- Consent should have no strings attached.
Consent should not be a precondition to signing up to a service or entering a competition etc.
- It should be as easy to withdraw as to consent
The GDPR prescribes the right to withdraw consent. The right to withdraw consent should be clearly communicated along with the easy steps to withdraw which can be actioned at any time.
- Granular consent
The GDPR requires granular consent i.e. separate permission for each data process. Signing up for updates on email offers does not constitute an opt-in for all communications or other processing/profiling.
Sign up forms
The GDPR dictates personal data can only be collected for specified, explicit and legitimate purposes for which they are processed. You should ensure customers understand how their data is being used and how long it will be kept. The GDPR applies at any point of data/consent collection including the checkout process.
It is important to regularly check the unsubscribe landing page is working, as if there is an error on the page you will still be held accountable.
- Collecting consent
Do not use pre-ticked boxes to collect consent
- Informing of use
You have to inform the individual about how you are going to use their data and give them
- Clear language
You should use easy, clear language. Customers need to easily understand what they are
signing up for. Err on the side of caution – If there is any room for doubt, it’s not valid consent.
GDPR compliant sign up form
GDPR NON compliant sign up form
Right to withdraw
At no point is there any mention of how to unsubscribe.
At no point is there a clear of indication of which brand/organisation you are subscribing to.
If you would like to hear more about how R-cubed can help keep your data GDPR compliant, get in touch here or call us on 01273 220510.
Download a PDF version of this blog here.