GDPR – our approach

Questions and confusions… the GDPR [1] is in effect and we’re getting lots of questions from everyone on how best to make their sites compliant and ensure that any queries can be dealt with swiftly. We’ve all been inundated with emails and are witnessing the different approaches people take to dealing with the new legislation. The web is once again littered with pop-ups asking for consent to cookie use, and this is now no longer something we can avoid.

We have spent a considerable amount of time reading up and educating ourselves, to ensure our own compliance and to be able to advise our clients and friends. We are not legal experts, of course, so these are our conclusions only. The following is a summary of how we now approach each new site. The checklist is expanded upon with a few explanations and examples.

GDPR checklist

  1. privacy policy
    • details on data collected
    • designated person to respond to queries
    • information on opting out
  2. active consent
    2.1 FORMS

    • add information on data handling + link to privacy policy page
    • (unchecked) checkbox to ask for consent to data handling

    2.2 COOKIES

    • (unchecked) checkbox to ask for consent to cookie use
    • add specific information on cookies and preferences + link to privacy policy page

1. privacy policy

Most sites will already have a privacy policy page; this text now needs to be updated to include the new specifics and cover the following:

  • details on data collected
    — what is collected
    — what is the purpose of collecting this information
    — how is it stored, updated and handled
  • designated person to respond to queries
    — who will deal with questions and requests for data records or deletion
    — contact information
  • information on opting out
    — fitting instructions on how to disable cookies
    — reference links as needed

2. active consent to data collection

The Cookie Law from 2011 allowed passive consent – meaning that by accessing a website, consent to data collection (via forms or cookies) could be assumed as long as clear information was given. This is now no longer the case.

The GDPR specifically requires ‘active consent’ [2], which is defined as consent given by direct action. Pre-empting consent by ticking checkboxes by default will not be considered sufficient, as the details of the agreement could easily be overlooked or skipped. Consent needs to be given actively, by the manual ticking of the checkbox, and recorded.

For example, on a typical contact form a checkbox will now need to be added to ask for consent to collect the information entered into the form. This checkbox cannot be checked by default (as we might have done before). It now needs to be left unchecked and also be required, so that the submission is not processed until it has been ticked. This facilitates the now required direct action, i.e. the manual ticking of the checkbox to state consent.

2.1 forms

Any online form is designed to collect and process information, which now requires active consent to be given and recorded. This means that each form needs to include information on the handling of data, a link to the privacy policy, and a request for consent before the form submission is processed.

  • add information on data handling + link to privacy policy page
  • (unchecked) checkbox to ask for consent to data handling

Essentially, your form is likely to already include required form fields — now you will also need to offer clear information on why you are asking for these details and how you deal with this data (collection/storage/security). You are also required to ask for consent and to record it. By checking this box, your site’s visitor gives you permission to collect and handle this information in the manner outlined in your privacy policy.
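The point about the checkbox being required is easy to get wrong: a browser-side `required` attribute stops the visitor, but it does not stop a submission that arrives without the field, and an unchecked checkbox is simply absent from a form body. The following is an added example (not code from the original post) showing the server-side handling we describe: parse the form body, accept only an explicitly ticked consent checkbox, and store a consent record (policy version and timestamp) alongside the enquiry. The field names, the `yes` checkbox value, the policy version string and the sample submissions are assumptions for illustration.

```javascript
// Added example: server-side handling of a contact form with a consent checkbox.
// Plain Node.js functions so it runs without a web framework. Field names,
// the checkbox value and the policy version are assumptions.

const PRIVACY_POLICY_VERSION = '2018-05-25'; // assumed: change when the policy text changes

// Parse an application/x-www-form-urlencoded body into a plain object.
// An unchecked checkbox is not sent at all, so a missing `consent` key
// must be treated as "no consent given", never as a default.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const rawKey = idx < 0 ? pair : pair.slice(0, idx);
    const rawValue = idx < 0 ? '' : pair.slice(idx + 1);
    fields[decodeURIComponent(rawKey.replace(/\+/g, ' '))] =
      decodeURIComponent(rawValue.replace(/\+/g, ' '));
  }
  return fields;
}

// Validate a submission. Consent counts only when the value sent by the browser
// is exactly the one rendered in the form markup ("yes"); anything else
// (missing, empty, "on", "true", whitespace) is rejected.
function validateSubmission(fields) {
  const errors = [];
  if (!fields.name || !fields.name.trim()) errors.push('name is required');
  if (!fields.email || !/^[^@\s]+@[^@\s]+$/.test(fields.email)) errors.push('a valid email is required');
  if (fields.consent !== 'yes') errors.push('consent to data handling is required');
  return { ok: errors.length === 0, errors };
}

// Build the record stored with the enquiry so that consent can be evidenced
// later: what was agreed to, against which policy version, and when.
function buildConsentRecord(fields, now = new Date()) {
  return {
    purpose: 'contact-form-enquiry',
    policyVersion: PRIVACY_POLICY_VERSION,
    consentedAt: now.toISOString(),
    subject: fields.email,
  };
}

// Full flow: parse, validate, then either reject (HTTP 400) or accept with a record.
function handleContactForm(body, now = new Date()) {
  const fields = parseFormBody(body);
  const result = validateSubmission(fields);
  if (!result.ok) return { status: 400, errors: result.errors };
  return { status: 200, consent: buildConsentRecord(fields, now) };
}

// Constructed sample submissions: one with the box ticked, one without.
const WITH_CONSENT = 'name=Ada+Lovelace&email=ada%40example.org&message=Hello&consent=yes';
const WITHOUT_CONSENT = 'name=Ada+Lovelace&email=ada%40example.org&message=Hello';

console.log(handleContactForm(WITH_CONSENT));    // status 200 with a consent record
console.log(handleContactForm(WITHOUT_CONSENT)); // status 400, consent error listed
```

The strict equality on the checkbox value is deliberate: it means a default-checked box, a pre-filled value, or a forged body with `consent=true` does not pass, and the record gives you the policy version the visitor actually saw if a query about the data comes in later.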

2.2 cookies

The consent to use cookies now needs the same active consent. This means any website which uses cookies for any purpose will need to state this clearly and ask for consent—this will be the case for most sites. The notice about cookies now needs to include clear information on the specific cookies set and for what purpose and ideally offer granular control over which to allow or not. This consent form will need to be shown on initial page load and—if agreed to—be hidden for a period of time when revisited.

  • (unchecked) checkbox to ask for consent to cookie use
  • add specific information on cookies and preferences + link to privacy policy page

The consent form can be shown as a pop-up/overlay over the content, or as a fixed header/footer element; the latter is our preference as the least intrusive option.

The required addition to this consent form is clear information on which details are collected and for what purpose. Typically, this is done via a pop-up/overlay with a tabbed interface, offering controls as well as a link to the privacy policy page.
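To show what "shown on initial page load, hidden for a period if agreed, with granular control" comes down to in code, here is an added example (not from the original post) of the decision logic behind such a banner. It works on a `document.cookie`-style string so it runs in Node as well as in a browser; the cookie name, the two optional categories, the six-month re-prompt period and the policy version number are assumptions chosen for illustration.

```javascript
// Added example: consent-banner decision logic over a document.cookie style string.
// The cookie name, categories, TTL and policy version are assumed values.

const CONSENT_COOKIE = 'cookie_consent';          // assumed cookie name
const POLICY_VERSION = 2;                         // assumed: bump when the cookie list changes
const CONSENT_TTL_MS = 182 * 24 * 60 * 60 * 1000; // assumed: ask again after ~6 months
const CATEGORIES = ['analytics', 'marketing'];    // optional categories; 'necessary' is always on

// Read one cookie out of an "a=1; b=2" string (the shape of document.cookie).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Parse the stored consent record; anything malformed counts as no consent.
function parseConsent(raw) {
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    const shapeOk = typeof rec.version === 'number' && typeof rec.at === 'number' &&
      typeof rec.choices === 'object' && rec.choices !== null;
    return shapeOk ? rec : null;
  } catch (e) {
    return null;
  }
}

// The banner is shown when there is no record, when the record is older than the
// TTL, or when it was given against an earlier version of the cookie policy.
function shouldShowBanner(cookieString, now = Date.now()) {
  const rec = parseConsent(readCookie(cookieString, CONSENT_COOKIE));
  if (!rec) return true;
  if (rec.version !== POLICY_VERSION) return true;
  if (now - rec.at > CONSENT_TTL_MS) return true;
  return false;
}

// Build the record from the banner's checkboxes. Each optional category is false
// unless explicitly ticked (a boolean true); unknown keys are ignored.
function buildCookieConsent(choices, now = Date.now()) {
  const rec = { version: POLICY_VERSION, at: now, choices: {} };
  for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
  return rec;
}

// Serialise as a Set-Cookie / document.cookie assignment value.
function consentCookieValue(rec, now = Date.now()) {
  const expires = new Date(now + CONSENT_TTL_MS).toUTCString();
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}; Path=/; Expires=${expires}; SameSite=Lax`;
}

// Which categories of script/cookie may run for this visitor right now.
// 'necessary' never needs consent; every other category needs an explicit true.
function allowedCategories(cookieString, now = Date.now()) {
  const allowed = ['necessary'];
  if (shouldShowBanner(cookieString, now)) return allowed;
  const rec = parseConsent(readCookie(cookieString, CONSENT_COOKIE));
  for (const c of CATEGORIES) if (rec.choices[c] === true) allowed.push(c);
  return allowed;
}

// Constructed walk-through: first visit, then a return visit after agreeing to analytics only.
const firstVisit = '';
console.log(shouldShowBanner(firstVisit));                        // true
const stored = consentCookieValue(buildCookieConsent({ analytics: true }));
const returnVisit = stored.split(';')[0];                          // what document.cookie would contain
console.log(shouldShowBanner(returnVisit), allowedCategories(returnVisit)); // false [ 'necessary', 'analytics' ]
```

Two design choices matter here: a record made against an older policy version re-prompts the visitor rather than silently carrying the old choices over to new cookies, and anything other than a valid, current record is treated as "no consent", so only the necessary category runs until the visitor has actually ticked a box.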

final thoughts

While it is a shame to see the web once again littered with pop-ups – we, as site owners or visitors, need to remember that this legislation has been put in place to protect our privacy. Hopefully, time will bring changes which maintain our rights but offer less annoying options to comply. The transparency of data handling is a positive step forward — so let’s run with that for now :)

  1. General Data Protection Regulation, read the ICO’s Guide for further information
  2. for guidance, have a look at ‘How should we obtain, record and manage consent?’ on the ICO site