Five ways to make sure your digital services comply with GDPR
For many charities, websites and apps are crucial for capturing the personal data needed to improve marketing and customer experience. This data may be collected by asking people to subscribe to a newsletter, fill in a form to download content, make an online payment, enter a competition, book an appointment and so on.
However, under the new General Data Protection Regulation (GDPR), the way this data needs to be handled is going to change significantly. Every time you ask an individual to enter their name, address, email, telephone number or any number of other personal details, the GDPR states you’re going to need to do much more than was required previously to ensure that individuals have provided explicit consent for the way you want to use that data. You’re also going to need to provide sufficient assurances that you’re doing everything you can to ensure the security of the data.
To find out how GDPR will affect your charity, check out the Information Commission’s Office (ICO)’s charity guidance.
Here are five things you can do to set yourself on the road towards being GDPR compliant and user friendly by May 2018.
1. Review how you currently ask for consent
All this means that one of your first actions should be to assess how you intend to communicate your new GDPR-compliant personal data collection processes. You should also look at whether you’re going to need additional help for the task (from a copywriter or lawyer, for example). You could also consider whether it might be worth being a bit more creative to deliver a friendly feel-good factor for users. How this can be done is well illustrated by this video from the Guardian.
2. Plan to end the use of pre-ticked boxes
For a long time now, many organisations have pre-ticked the consent boxes on their websites and apps. They have also relied on the notion of ‘implied consent’, whereby simply using a service, particularly a digital one, can be taken as an indication of agreement or consent. Under GDPR, this practice will need to end. The regulation states specifically that “silence, pre-ticked boxes or inactivity should not constitute consent“.
This means the people using your digital service must take an action, and that action will have to be a clear indication of consent. At a later date you may also need to provide evidence that you gained consent in the correct way. Double opt-in email confirmation, for example, would be ideal.
3. Empower users to access their own data easily
One of the other key changes that GDPR will bring about is the new emphasis it places on users’ right to access their own personal data. In simple terms this means people can make Subject Access requests at any time to check the data you hold and what you do with it.
The danger here is that this process could become very laborious for both the users making the requests and the organisations that need to respond to them.
Digital specialists have an opportunity to make a difference by following one of the GDPR’s key best practice recommendations, which states that organisations should try to provide a secure online self-service system that provides the individual with direct access to his or her information.
This kind of “manage your privacy settings” system is only a recommendation and not compulsory, but it could be well worth exploring if your organisation is committed to digital transformation. In effect it could be a new digital service that organisations can develop to streamline a potentially time consuming processes. It will also provide a better user experience. Getting there will require investment and technical development, but the incentive is that over time, this kind of service could become a differentiator that’s a clear demonstration of your organisation’s overall commitment to transparency and customer service.
4. Consider what’s happening at the back end of websites and apps
Another key consideration for digital under GDPR is that sometimes you will have cases where you are requesting personal data from customers or users that only has a short term use. For example, you may request a mobile number or email address simply to confirm an appointment.
In these cases – where the user does not give consent for any further use or processing of the data – you need to be sure that you’re not storing this personal data in your databases. It may seem obvious, but this means checking the back end of your website to make sure that nothing is happening or being stored to compromise compliance that you weren’t previously aware of.
Also, if you need the user’s email to provide the service or send an email confirmation, you will need a process to let the user know that you will only use the email once and you will not keep it along with other data on record.
5. Be prepared for “the right to be forgotten”
Perhaps one of the most well publicised aspects of GDPR is that it will give users the right to request the removal of personal data where there is no compelling reason for its continued processing.
This is another potential minefield for organisations in terms of the processes it could entail. But there are solutions. For example, if you build the “manage your own privacy settings” service described above, then the process becomes automated and a lot easier for all parties. Users could simply revoke their consent using the same system.
As with all the points we have made, the key is to ensure that no stone (or app!) is left unturned in the drive to make sure that all your digital data entry points are compliant. Perhaps just as importantly, it’s crucial that you consider the user experience at every stage. By doing so, you can not only build and maintain services that meet the requirements of GDPR, but also ones that will make your users feel welcome and protected.
Reproduced and edited with permission from Eduserv’s blog