Are you ready for GDPR? Learn how to comply

The General Data Protection Regulation (GDPR) is a new EU legal framework, set to replace the existing UK Data Protection Act from way back in 1998. As of the 25th May 2018, if organisations don’t comply with the new regulation, they could be fined up to 4% of their turnover, or a whopping 20 million Euros, whichever is higher.

Written by: Kelly Molson
Category: Insight
Published: 21/11/2017

If you’re thinking ‘didn’t we vote to get rid of all this EU red tape?’ then bad news, I’m afraid. The government has confirmed Brexit will have no effect on plans to implement GDPR in the UK.

Despite this, the UK has the lowest GDPR awareness level in Europe, with only 39% of companies identifying the law as a compliance concern.

Are you in that 61% who aren’t concerned? If so, it’s time to wise up!

But GDPR won’t affect my business…?

Sorry, it probably does.

If your business stores or asks for any information relating to an individual, you need to comply. This information can be anything that relates to an identifiable person, including:

  • names
  • photos
  • email addresses
  • bank details
  • posts on social media
  • medical information
  • IP addresses

This is not by any means an exhaustive list. If you handle anyone’s details of any kind, then GDPR should be on your radar.

So how can we comply?

The Information Commissioner’s Office (ICO) have provided a guide to getting ready for the GDPR, with a detailed breakdown of what your organisation needs to get on top of between now and the May 2018 deadline.

This can be daunting, but don’t worry, you don’t need to go it alone! We can help you get your website ready for the new regulations.

What are Rubber Cheese doing to comply?

We’re updating our public privacy policy to make sure it explains clearly what we do with the data we hold.

We’re also busy documenting and reviewing all the information we hold, and taking a fresh look at our data procedures. This involves rethinking:

  • the type of data we need
  • how we use it
  • where we get it
  • how and where we store it
  • who we share it with.

Our newly-appointed Data Officer will be responsible for maintaining our high levels of password security, as well as locating and erasing any personal data that people want us to get rid of.

To top it all off, we’ll be re-contacting everyone on our email marketing database over the next few weeks to confirm they opt in to us contacting them.

How we can help you comply

We can help you meet the new GDPR regulations with a number of data services.

Privacy policy revamps

Your website should have a privacy policy page, and the ICO requires that you write it in plain, easy-to-understand language.

If you don’t have one, we can create a page for you, or update your existing one with new copy.

Your privacy policy needs to include:

  • Your identity
  • How you intend to use information
  • The lawful basis for processing the data
  • How long you retain data for
  • An explanation of an individual’s right to complain to the ICO if they think there’s a problem with the way you handle their data.

We can provide guidance for what your privacy policy should say, but we advise you speak to a specialist solicitor to provide the final copy.

Data protection plug-ins

To better incorporate data protection into your processing activities, we’ll add a TLS certificate (still commonly called a Secure Sockets Layer, or SSL, certificate) to your website so that it is served over HTTPS. This encrypts your customers’ data while it travels between their browser and your server, for example when they complete your contact form; it does not protect that data once it is stored, which is why the data review above still matters.

Google loves sites with SSL certificates! In fact, if you don’t have one, your users might see a warning message that the website isn’t secure. This will immediately scare them, so it’s a good idea to add one sooner rather than later.

Processing consent review

We’ll carry out a full review of any systems or websites that Rubber Cheese has designed and built specifically for you, as well as your processes for finding, recording, and managing consent to hold your customers’ details.

Once reviewed, we’ll suggest and implement improvements on how you ask for and manage consent.

These improvements might include:

Unbundling: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service, unless it’s necessary for that service.

For example, if a user accepts your terms and conditions, they’ve not consented to receiving marketing updates, even if it’s written in the T&Cs.

Active opt-in: Pre-ticked opt-in boxes are invalid. You have to present unticked boxes for users to opt into, or similar active opt-in methods. Failure to opt out is not consent.

Granular opt-in: Give granular options to consent separately for each type of processing wherever appropriate. Having one check box for receiving updates both via SMS and email isn’t acceptable.

Named consent: Clearly name your organisation and any third parties who will be relying on consent. Anyone who benefits from consent needs to be named separately.

Documenting: Keep records to demonstrate what the individual has consented to, including what they were told, when, and how they consented.

Easy withdrawal: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

Double opt-in

GDPR states that you must hold a provable record that the person you contact has given you permission to contact them using the details they supplied.

If your website relies on a single opt-in, anyone could type in someone else’s email address. A double opt-in process proves the person you are emailing has agreed to your communications.

One method for double opt-in is to ask a user for details on your website and then confirm their subscription via email. This process makes sure the details are accurate and that the consent really came from the address’s owner.

We’ve suggested double opt-in to clients for the past few years, and we’ve seen it dramatically reduce the amount of spam companies receive.
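As an added illustration (not code from the original post or from Rubber Cheese), here is a Python sketch of the consent handling described in the ‘Documenting’ and ‘Easy withdrawal’ points above together with the double opt-in flow: the first opt-in is only a request, the emailed link carries a signed, expiring token, and the record stores what the person was shown, when, and how. The signing key, the 48-hour link expiry and the in-memory store are assumptions for the example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

SECRET = secrets.token_bytes(32)  # hypothetical server-side signing key, assumed per deployment
TOKEN_TTL = 48 * 3600             # confirmation links expire after 48 hours (assumed policy)

@dataclass
class ConsentRecord:
    email: str
    purposes: dict        # granular choices, e.g. {"email_news": True, "sms": False}
    notice_version: str   # which wording the person was shown when they consented
    requested_at: int     # when the web form was submitted (first opt-in, not yet consent)
    confirmed_at: int = 0 # set only when the emailed link is used (second opt-in)
    withdrawn_at: int = 0 # set when the person withdraws; 0 means still active

RECORDS = {}  # email -> ConsentRecord; stand-in for a database table

def _sign(email: str, issued: int) -> str:
    return hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

def request_consent(email, purposes, notice_version, now=None):
    """Step 1: form submitted. Record the request (not yet consent); return the email link token."""
    now = int(time.time() if now is None else now)
    # Every purpose must be an explicit yes/no from the user; there is no pre-ticked default.
    if not purposes or any(v not in (True, False) for v in purposes.values()):
        raise ValueError("each purpose needs an explicit yes/no")
    RECORDS[email] = ConsentRecord(email, dict(purposes), notice_version, now)
    return f"{now}.{_sign(email, now)}"

def confirm(email, token, now=None):
    """Step 2: link clicked. Accept only a valid, unexpired token for the latest request."""
    now = int(time.time() if now is None else now)
    issued_str, _, sig = token.partition(".")
    issued = int(issued_str) if issued_str.isdigit() else -1
    rec = RECORDS.get(email)
    if (rec is None or rec.requested_at != issued or now - issued > TOKEN_TTL
            or not hmac.compare_digest(sig, _sign(email, issued))):
        return False
    rec.confirmed_at = now
    return True

def may_contact(email, purpose):
    """True only for a confirmed, not withdrawn record that opted in to this purpose."""
    rec = RECORDS.get(email)
    return bool(rec and rec.confirmed_at and not rec.withdrawn_at and rec.purposes.get(purpose))
def withdraw(email, now=None):
    """One step and no confirmation loop: withdrawing is as easy as opting in was."""
    rec = RECORDS.get(email)
    if rec: rec.withdrawn_at = int(time.time() if now is None else now)
    return rec is not None
```

In a real site the record would live in a database and the token would be sent inside a link; the checks on signature, expiry and matching request are the part that turns a single form submission into provable consent.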

Get ready for GDPR with Rubber Cheese

Now you’ve seen how important GDPR is for businesses around the UK, and how we can help you prepare, let’s chat about making it happen!

Contact Rubber Cheese today for details of how we can apply our data expertise to protecting your business.
