Lush Marketing’s series of GDPR (General Data Protection Regulation) updates continues…

Why does my business need to be aware of upcoming changes in regulation if my website has an online enquiry form?  How does GDPR affect my website?

Was your website set up a few years ago and you either don’t have a privacy policy or you haven’t updated it recently?  This may all seem a bit daunting, but we’ll explain more.

From 25th May, 2018, GDPR changes will be enforced in the EU.  The regulation says that you must have “explicit consent” from customers when collecting any data from them.  Well, what does “explicit consent” mean?

GDPR’s definition of consent is:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

So what does this mean?

Consent must be obtained more explicitly. The term “clear affirmative action” nullifies opt-out consent, such as pre-ticked boxes.

If you’re creating or updating an online enquiry form, keep this in mind:

  • Ask for as little data as possible – don’t ask for information that isn’t necessary to processing the query, e.g. if you’re asking for a date of birth and it is a product enquiry call back, then why on earth do you need to know the customer’s date of birth?!  Just collect the information you absolutely need for each enquiry.
  • Make sure terms and conditions are clear – don’t hide them, don’t make them vague and don’t make them too complicated for people to understand.
  • Make it easy to withdraw consent –  customers/online users need to be told straight away that they can withdraw their consent at any time, and you must explain how to do it.
  • Use a double opt-in mechanism – by this we mean that users don’t give their consent by accident.  The first step involves a regular consent form and when completed an email is sent with an attached link.  They need to click this link to verify their consent.
  • Consent must be Unbundled – this means that consent requests are separate from other terms and conditions.  Consent should not be a precondition of signing up to a services unless necessary for that service.
  • Consent must be named – states which organisation and third parties will be relying on consent.
  • Document consent – you must keep records to demonstrate what the individual has consented to, including in this what they were told, when and how they consented.

Your web developer should be able to help you to update your privacy policy wording or to install a privacy policy if it is not there in the first place.  Also, the Data Protection Commissioner has given some good guidelines on their website to follow: