The truth about GDPR for your firm (and its website)
You are probably aware by now that the Data Protection Act of 1998 is being replaced with the General Data Protection Regulation (GDPR) on 25 May 2018. It’s important that firstly, you understand what it is, and secondly, you implement what is necessary to ensure that your contacts’ data is protected.
Personal data can be anything used to identify a person, so that can be a name, photograph, email address, bank account details, medical information, computer IP address, and even some social media posts.
This legislation applies to everyone that handles or processes data about EU citizens, regardless of their location as a business. You may have noticed in the news that J.D. Wetherspoon, the popular pub chain deleted its entire list of email contacts, most likely to completely remove them from any suspicion of data misuse. However, this can all be avoided as long as you’re aware and know what to do to protect your firm.
The main point is: Consent.
- The contact must give their details freely and they must give consent for you to contact them.
- Any requests for consent must be put in separate terms in clear and plain language.
- Individuals have a right to say no, they also have a “right to be forgotten”.
- If you are a Data Controller, you must be able to show an example of the individual giving consent to contact them.
- Parental consent is required if the individual is under 16 (13 in some EU countries).
If you do not comply, you will be fined €20m or 4% of global turnover per breach – whichever is higher. So you don’t want to get caught out.
So how will it impact your website? The obvious place to start is form submissions, e.g. general enquiry form, conveyancing quotes, call-me-back form, as contacts will be submitting their personal details and entrusting you with them.
Here are the form modifications we will make to comply with GDPR:
- Form data will be separated into “form-summary” (form activity, date/time) and “form-detail” (contents in the form)
- Form-detail will be held for 60 days
- Form-summary data will be made anonymous after 60 days. However, it will be retained indefinitely so that long-term trend analysis can be performed by marketing and BD.
We already implement a clear ‘yes’ and ‘no’ opt-in for any forms that ask contacts if they wish to subscribe to a newsletter, but it’s always worth checking that you have it anyway.
And as previously stated, your contact has a “right to be forgotten”. This means that when asked by an individual to do so, you must erase all personal data and stop third parties from processing it.
Fundamentally, it’s about being aware and respectful of your clients’ personal details. For more in-depth information about GDPR and how we plan to help you make any changes necessary, take a look at our GDPR document.