Since the recent enactment of the GDPR there has been an absolute barrage of content, communication and conversation around the topic of personal data, data processing and compliance. Companies big and small are suddenly scrambling to try and understand whether they are at risk with the changes.
Before the GDPR there was the Data Protection Directive, which already outlined many of the elements that GDPR compliance now requires. Locally, in South Africa, personal data is protected by common law. However, explicit definitions and applications for the use of data in the digital world are not easily found in the common law, cue the entrance of “PoPI” (Protection of Private Information Act).
Sidebar: As a South African business, if you have not heard of or done some reading on PoPI, you need to start immediately.
PoPI was signed into law in November 2013 but has yet to become effective, as a commencement date has not been established. It has many similarities and correlations with the GDPR, and we can speculate that local government will make minor amendments now that the GDPR has been formalised, since the GDPR is able to act as a precedent for the implementation of PoPI.
There is a suggestion that, post GDPR, PoPI will be implemented by the end of 2018.
With the enactment of the GDPR and the possibly soon-to-be enacted PoPI, businesses operating online must have basic compliance in place. If you have been operating online using tools like Google Analytics, Facebook Ads, AdWords ads, etc., you should already have the very basics of data compliance down.
Even when running an email campaign through Mailchimp or similar systems, there is policy documentation you need to have in place that you agree to when loading your data into the system. Most likely you did what 95% of people do and just clicked “I accept” without understanding the true consequences of the legally binding agreement you just entered into.
Now, it’s tough to go from “what is data?” to a state of “we are fully data compliant”, but ignorance (or, for those of you with a taste for Latin, ignorantia juris non excusat – ignorance of the law excuses no one) is not an acceptable excuse for not having the basics in place when your business faces liability. Especially when there are some basic steps you can take.
Personal information can be anything that can be used to identify an individual, including but not limited to the person’s name, address, date of birth, marital status, contact information, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services.
Not all cookies are used in a way that could identify users, however, many do and these will be subject to the GDPR. Cookies used for analytics, advertising and functional tools such as chat tools will all be subject to the regulations.
A good policy will cover:
- Who is collecting it?
- What is a cookie?
- How can I control or delete cookies?
- What cookies do we use?
It is possible to automate aspects of your privacy management. We would recommend giving Cookie Pro a try for your website.
Website Terms and Conditions or Terms of Service
The Terms of Service should outline your mission and the products and services provided.
Some of the provisions that should be contained in your terms of service are:
- A link to your data policy and the user’s privacy choices
- Conditions of use – such as who is entitled to use the site and limits on the use of intellectual property
- Blocking, refusal of access, termination of an account
- Dispute clauses and limits on liability
- Guarantees and warranties where applicable
- Copyright and trademarks
- Governing law
- Changes to agreement
- Community standards and advertising policies
A documented opt-in / opt-out process
One of the biggest changes the GDPR has brought is that it requires a documented opt-in and opt-out process. Businesses are required to collect and store the consent they receive as evidence of that consent.
Consent must be “freely given, specific, informed and unambiguous”.
This has the following consequences for digital marketing:
- There must be a positive opt-in – the use of pre-ticked boxes is no longer sufficient;
- Consent requests must be separate from other terms and conditions;
- You cannot deny information or access to the user if they do not wish to receive marketing communications.
Documentation required to be kept of the consent includes the data subject who gave the consent, when the consent was given (date and time stamp) and the specific purpose for which the consent was given. A record of the IP address, location and time is insufficient without a screen capture of the form through which consent was given.
In order to facilitate the documentation of the consent, and to have evidence should the regulator ever come knocking, many companies are choosing the “double opt-in” process. This is whereby the user confirms their email address before receiving email communication. This provides double confirmation that the user would like to subscribe to your newsletter or any other email-related service, as well as easily stored evidence of the consent.
Should a user feel you have contacted them, retained their data or are tracking them and they do not wish this to continue, you should provide easily accessible documentation on the process they can take to opt-out of being tracked or have you delete their data from your system.
A basic explanation of how to disable browser cookies, a list of contacts at the business responsible for the user data it stores, and online opt-out mechanisms (like an unsubscribe link) should be included in this document. You cannot charge the user for this process, and you should not require a subscriber to log in or visit more than one page to unsubscribe.
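As an added example (not code from the original post or from Black Ink Advisory), here is a small Python consent ledger that implements the record-keeping described above: a positive opt-in only, a single-use double opt-in confirmation token, a record of who consented, when (UTC date and time stamp), for what specific purpose, and a hash of the exact form text the subject saw so the stored consent can be tied to a screen capture of that form version. It also implements the one-step withdrawal path. The form text, email address and timestamps are constructed sample values; persistence is in memory only, a real system would write these records to durable storage.

```python
"""Consent ledger with double opt-in and opt-out (illustrative, in-memory)."""
import hashlib
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed sample: the exact wording shown to the user at sign-up.
NEWSLETTER_FORM_V1 = (
    "I would like to receive the monthly newsletter by email. "
    "You can unsubscribe at any time via the link in each email."
)


def utc_now() -> str:
    """ISO-8601 UTC timestamp, so every record carries a date and time stamp."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class ConsentRecord:
    subject: str                       # data subject who gave consent
    purpose: str                       # the specific purpose consented to
    form_hash: str                     # SHA-256 of the form text the subject saw
    requested_at: str                  # when the box was ticked
    confirmed_at: Optional[str] = None  # set when the double opt-in completes
    withdrawn_at: Optional[str] = None  # set when the subject opts out


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        # single-use confirmation token -> (subject, purpose)
        self._pending: Dict[str, Tuple[str, str]] = {}

    def request(self, subject: str, purpose: str, form_text: str,
                user_ticked_box: bool, now: Optional[str] = None) -> str:
        """Record a consent request and return the double opt-in token."""
        # A pre-ticked or untouched box is not a positive opt-in: record nothing.
        if not user_ticked_box:
            raise ValueError("consent requires a positive opt-in by the user")
        record = ConsentRecord(
            subject=subject,
            purpose=purpose,
            form_hash=hashlib.sha256(form_text.encode("utf-8")).hexdigest(),
            requested_at=now or utc_now(),
        )
        self._records[(subject, purpose)] = record
        token = secrets.token_urlsafe(32)  # unguessable; sent in the confirmation email
        self._pending[token] = (subject, purpose)
        return token

    def confirm(self, token: str, now: Optional[str] = None) -> bool:
        """Complete the double opt-in; the token is consumed on first use."""
        key = self._pending.pop(token, None)
        if key is None:
            return False  # unknown, expired or already-used token
        self._records[key].confirmed_at = now or utc_now()
        return True

    def withdraw(self, subject: str, purpose: str,
                 now: Optional[str] = None) -> bool:
        """One-step opt-out: no login, no fee, just mark the consent withdrawn."""
        record = self._records.get((subject, purpose))
        if record is None:
            return False
        record.withdrawn_at = now or utc_now()
        return True

    def is_active(self, subject: str, purpose: str) -> bool:
        """Only confirmed and not-withdrawn consent permits sending."""
        record = self._records.get((subject, purpose))
        return bool(record and record.confirmed_at and not record.withdrawn_at)

    def evidence(self, subject: str, purpose: str) -> Optional[dict]:
        """The stored record to hand over if the regulator asks."""
        record = self._records.get((subject, purpose))
        return asdict(record) if record else None


def demo() -> dict:
    """Walk one subject through sign-up, confirmation, replay and withdrawal."""
    ledger = ConsentLedger()
    subject, purpose = "alice@example.com", "monthly newsletter"  # constructed
    token = ledger.request(subject, purpose, NEWSLETTER_FORM_V1, True,
                           now="2018-06-01T09:00:00+00:00")
    before = ledger.is_active(subject, purpose)       # False until confirmed
    ledger.confirm(token, now="2018-06-01T09:05:00+00:00")
    after = ledger.is_active(subject, purpose)        # True once confirmed
    replay = ledger.confirm(token)                     # False: token is single-use
    ledger.withdraw(subject, purpose, now="2018-07-01T12:00:00+00:00")
    final = ledger.is_active(subject, purpose)        # False after opt-out
    try:
        ledger.request("bob@example.com", purpose, NEWSLETTER_FORM_V1, False)
        unticked_rejected = False
    except ValueError:
        unticked_rejected = True
    return {"before": before, "after": after, "replay": replay, "final": final,
            "unticked_rejected": unticked_rejected,
            "evidence": ledger.evidence(subject, purpose)}


if __name__ == "__main__":
    print(demo())
```

The point of the `form_hash` field is that a timestamp and IP address alone do not show what the subject actually agreed to; storing the hash of the form version next to a kept copy (or screen capture) of that version lets you prove the wording later.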
A closing note with some friendly advice:
Downloading a generic template and adding your company’s name will not be sufficient for compliance with the GDPR. Each region has specific regulations and laws which change the requirements drastically, and each company is unique in the way it deals with data, meaning your policies and terms of service will have to be unique too.
If you want to know more about GDPR policies and compliance issues, contact Black Ink Advisory.
*All materials have been prepared for general information purposes only, to permit you to learn more about the subject and our services, and amount to no more than opinion. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.
Also published on Medium.