From 25 May 2018, a new European law is likely to make data collection on your website, such as contact forms and shopping carts, unlawful unless you make some important changes. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

Important: We are not lawyers and no advice or recommendations offered here can constitute or replace professional legal advice. This post sets out to be a simple summary and we make no guarantees about its correctness. You should check the ICO website for the most up to date and accurate advice: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

GDPR stands for the General Data Protection Regulation and it applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. It is the biggest change in European privacy legislation in over two decades and aims to give the public more control over what information companies hold about them and how they can use it, as well as introducing a range of fines and penalties that will be enforced by the ICO in the UK.

When it comes to your website, there are a few things you should bear in mind:

  1. Before any data collection takes place, you must get the explicit consent of each user. Requests must be in plain, easily understandable language, must stand alone from other matters or requests, and must not be buried in other text.
  2. Have a clear and easily accessible privacy policy that tells your users how the data you have collected about them will be kept and used.
  3. Have a process for users to request access to, and view, the data you have collected about them.
  4. Provide users with a process to withdraw consent and have the personal data collected about them purged; i.e. the “Right to Be Forgotten”.

One example could be a contact form. A key part of the GDPR is that companies should request as little information as possible. We have all faced those lengthy contact forms that feel like a passport application just to send an email: name, address, phone number, consent to your newsletter, and probably your IP address and other tracked information grabbed while you’re there. Well, no more. Every field on a contact form must be justifiable, and you must clearly tell the user what each piece of information will be used for and how it will be stored before they submit it. The user must actively consent to this, for example by ticking a checkbox that is not pre-ticked.
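To make the four points above concrete for the contact-form case, here is an added example of what the back end of such a form might look like. It is not code from the original post and not a template from the ICO; the field list, the purpose texts, the policy version string and the in-memory store are all assumptions made for the example. It rejects any field that was not justified in advance (so an IP address or phone number the front end happens to send is an error, not quietly stored), refuses submissions where the consent checkbox was not actively ticked, records what the user consented to and when, and provides the access and erasure operations from points 3 and 4.

```python
"""Consent-aware contact-form back end (added example, not the post's or ICO's code)."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, Optional
import uuid

# Assumption for the example: the only fields this form collects, each paired with
# the purpose text shown to the user next to that field. Anything else is rejected.
JUSTIFIED_FIELDS: Dict[str, str] = {
    "email": "used only to reply to your enquiry",
    "message": "the content of your enquiry",
}
# Hypothetical identifier of the privacy policy text the user was shown when consenting.
PRIVACY_POLICY_VERSION = "2018-05"


class SubmissionError(ValueError):
    """Raised when a submission cannot be accepted under the consent rules."""


@dataclass
class ConsentRecord:
    subject_id: str
    policy_version: str
    purposes: Dict[str, str]       # field -> purpose text, exactly as displayed at submission
    given_at: str                  # ISO 8601 UTC timestamp
    withdrawn_at: Optional[str] = None


@dataclass
class Store:
    """In-memory stand-in for a database (constructed for the example)."""
    submissions: Dict[str, Dict[str, str]] = field(default_factory=dict)
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def submit_contact_form(store: Store, submitted: Dict[str, str]) -> str:
    """Accept one form submission; return the subject id used for later access/erasure requests."""
    # Data minimisation: a field nobody justified (ip_address, phone, ...) is an error,
    # even if the front end sent it.
    unexpected = set(submitted) - set(JUSTIFIED_FIELDS) - {"consent"}
    if unexpected:
        raise SubmissionError(f"unjustified fields submitted: {sorted(unexpected)}")
    missing = [f for f in JUSTIFIED_FIELDS if not submitted.get(f)]
    if missing:
        raise SubmissionError(f"required fields missing: {missing}")
    # Explicit consent: an HTML checkbox only appears in the POST body when the user
    # ticked it, with the value "on" unless the form says otherwise. A pre-ticked box
    # or a default value would not count, so anything other than "on" is no consent.
    if submitted.get("consent") != "on":
        raise SubmissionError("explicit consent not given")

    subject_id = uuid.uuid4().hex
    store.submissions[subject_id] = {f: submitted[f] for f in JUSTIFIED_FIELDS}
    # Record what the user agreed to (purposes and policy version), not just that a box was ticked.
    store.consents[subject_id] = ConsentRecord(
        subject_id=subject_id,
        policy_version=PRIVACY_POLICY_VERSION,
        purposes=dict(JUSTIFIED_FIELDS),
        given_at=_now(),
    )
    return subject_id


def export_subject_data(store: Store, subject_id: str) -> dict:
    """Right of access: everything held about the subject, including the consent record."""
    consent = store.consents.get(subject_id)
    return {
        "submission": store.submissions.get(subject_id),
        "consent": asdict(consent) if consent else None,
    }


def withdraw_and_erase(store: Store, subject_id: str) -> bool:
    """Withdraw consent and purge the personal data (the "Right to Be Forgotten").

    Returns False for an unknown subject id. The consent record itself is kept, marked
    withdrawn, so the site can show the request was honoured; whether even that should
    be retained, and for how long, is a retention question this example does not decide.
    """
    consent = store.consents.get(subject_id)
    if consent is None:
        return False
    store.submissions.pop(subject_id, None)
    consent.withdrawn_at = _now()
    return True


if __name__ == "__main__":
    db = Store()
    sid = submit_contact_form(db, {"email": "jo@example.com", "message": "Hello", "consent": "on"})
    print(export_subject_data(db, sid))
    withdraw_and_erase(db, sid)
    print(export_subject_data(db, sid))
```

The design choice worth noting is that the rejection of unjustified fields happens on the server. A front end that collects only two fields is easy to change later, or to bypass with a hand-crafted request; making the server refuse anything outside the justified list keeps the minimisation decision in one place and makes a silent expansion of what you collect into a visible error.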

If you are a website owner, you should assess your obligations under the new GDPR legislation and ensure that you are instructing your webmaster to make the appropriate changes to your online presence.

The ICO has produced a useful document setting out the steps you should be taking right now to ensure you are compliant before the May 2018 deadline: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf