Changes in data privacy: GDPR

You may have heard about the upcoming change in data privacy, and we wanted to highlight some changes that you may need to make to your website. The EU General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. Briefly, the main GDPR requirements are:

  • Explicit consent. GDPR requires that users give explicit consent BEFORE submitting personal data. Personal data can be anything that allows an individual to be identified, such as a name, an address, or an IP address.
  • Right to access. Individuals have the right of access to their personal data, so that they are aware of and can verify the lawfulness of the processing.
  • Right to erasure. Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

GDPR also states that organisations shouldn’t process or retain extraneous personal data. For full information, please see the GDPR portal or ICO website.

Some changes you may need to make to your website

  • Contact form. Only collect data that is strictly necessary, and add a (data consent) checkbox at the foot of the form for an individual to confirm that they consent to their data being collected, with a link to your privacy policy.
  • Privacy policy. If you are collecting personal data, you should update your privacy policy webpage in line with GDPR requirements. For example, you will need to explain what information is being collected and how it will be used. ICO provides comprehensive guidance on privacy notices that you can use as the basis for creating/updating a privacy policy webpage.

As always, please do get in touch if you have any questions or concerns.