30 Oct 2017
GDPR - A Practical Guide
Reading time: 10 mins
There’s been plenty of speculation as to how it’s going to affect not-for-profits and charities, but it needn’t be a cold-sweat-inducing, panic-ridden ride to May 2018. With so much jargon being thrown around, how do you actually find out what practical steps you need to take? We’ve been taking an active approach to the topic and have already been working with organisations to help them with their approach to GDPR. So this article is a quick update on what we’ve found so far and some ideas to get your website into shape.
If you’re just getting out of the GDPR starting blocks, read our article on the top 5 things you need to know.
Clear consent for marketing activities
One of the big questions for arts organisations and charities is consent and the implications of this on databases for marketing. The ICO’s guidance on consent is that it must be ‘freely given, specific, informed and signifying agreement’. What does this mean practically?
Customers, employees, users (what GDPR calls data subjects) must actively opt into marketing activities: no more pre-checked checkboxes (or even consent below the fold). Under GDPR this would violate the informed rule, as it’s not an active choice by the user. The ICO’s aim is to make approaches to consent more dynamic, rather than a one-off tick box, which means keeping better records of who agreed to what (and when) and making sure that user data is securely stored and easily retrievable.
The right to be forgotten
It must be easy for customers not only to edit their data and withdraw consent to marketing activities but also to delete their account and information entirely from a system. GDPR does not stipulate the exact mechanism for allowing and supporting that, but it’s a good idea to check how and where you’re collecting and storing that information. Depending on the size and scale of your operations, consider a self-service mechanism that allows users to view, change and/or delete relevant stored data themselves.
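To make the two points above concrete (an auditable record of who agreed to what and when, plus withdrawal and erasure), here is an added example of a minimal consent ledger. It is illustrative code written for this article, not part of any CMS or ticketing product, and the class and field names are our own choices.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    purpose: str                     # e.g. "newsletter"
    granted_at: datetime             # when the subject actively opted in
    source: str                      # which form/version captured it
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only consent history per data subject (hypothetical store)."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_opt_in(self, subject_id: str, purpose: str, source: str,
                      box_default: bool, box_submitted: bool,
                      now: Optional[datetime] = None) -> bool:
        # Consent must be an active choice: the box must default to unticked
        # and the subject must have ticked it. A pre-checked box is rejected.
        if box_default or not box_submitted:
            return False
        now = now or datetime.now(timezone.utc)
        self._records.setdefault(subject_id, []).append(
            ConsentRecord(purpose, now, source))
        return True

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> None:
        # Keep the record, but timestamp the withdrawal so history survives.
        now = now or datetime.now(timezone.utc)
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(subject_id, []))

    def erase(self, subject_id: str) -> bool:
        # Right to be forgotten: remove everything held for the subject.
        return self._records.pop(subject_id, None) is not None

    def history(self, subject_id: str) -> List[ConsentRecord]:
        return list(self._records.get(subject_id, []))
```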
Encryption is a must
Data must be encrypted at every opportunity, including at rest and in transit. Get this right and it’ll both secure your data (i.e. your users’ data) and, if done properly, help protect you from penalties in the event of any breach.
The GDPR requires organisations to notify consumers in the event of a breach with penalties of up to 4% of their global revenue in the event of non-compliance. However, this requirement also features the following important exclusion:
"The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it."
Therefore, good encryption that renders the data effectively meaningless in the event of a breach will be your saving grace if there’s ever a leak.
Mailing list maintenance
We’re also encouraging organisations to view GDPR as an opportunity, rather than a threat. Often, bigger = better for many organisations when it comes to mailing lists, however GDPR presents an opportunity for quality, not quantity to prevail. Mailing lists, like trees, need pruning every so often. Neglect your lists and they will grow out of control and overshadow what you’re trying to achieve.
While it’s not 100% clear what you need to prove to keep your existing list, GDPR presents the perfect opportunity to re-engage your subscribers by asking them to update their preferences so you have a clear record that will most certainly be GDPR proof.
Keep the messaging positive, but clear to encourage a call to action. A simple ‘We’d love to stay in touch but can only do that if you say it’s OK’ message will suffice. It might mean your list gets smaller, but taking off those that aren’t engaging is only a good thing for your reputation and is a great way of deepening engagement with existing subscribers and it might even re-engage lapsed ones.
A key point with GDPR is an increased responsibility for data processors (i.e. the organisation a user is giving their data to) when it comes to any third parties with which data is stored or shared. For this you’ll need to look at your ticketing system, e-commerce platform, CRM system etc. and engage with those providers directly.
Furthermore, GDPR treats online identifiers and location data as personal data, so cookies are also included if they have the potential to identify (i.e. single out) someone.
The good news is this will (probably) mean doing away with the annoying cookie pop-ups. The bad news is that permissions to track will (probably) lie directly with the user in their browser settings instead. So far we’re recommending the installation of the Drupal Google Analytics module to help prep for GDPR, which will anonymise IP addresses and make sure browser settings are respected (but if you want to talk to us about your specific CMS setup we’re all ears).
Remember - Context is King!
The above is just a few aspects of how GDPR could affect your digital operations, but it’s wise to keep an ear to the ground as there’s no one size fits all approach to compliance.
While the above isn’t intended as legal advice, we thought it was important to start pulling together practical changes you may need to make to your website to get GDPR ready. As we learn more and further legislation is published, we’ll be writing more on the topic so do check back for regular updates.
If you want to chat to us about any changes you think you may need to make, then just get in touch with us and we’ll do our best to answer questions.