The EU's General Data Protection Regulation (GDPR) takes effect May 25th, 2018
Most processing of personal data by organisations will have to comply with the General Data Protection Regulation.
Organizations can be fined up to 4% of annual global turnover, or €20 million, for breaching GDPR.
Unbundled / Granular Opt-In
Consent can no longer be generalised and must be requested on an itemised basis. It is not only required for terms and conditions but also for each type of data usage. Users should be able to provide separate consent for different types of processing; choose how they wish to be contacted (email, post, telephone etc.) and also choose whether or not they wish to have their details passed to a third party.
Privacy Notice and Terms & Conditions
If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details on to the payment gateway. If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a "reasonable period". GDPR legislation is not explicit about the number of days, so your own judgement must be used as to what can be defended as reasonable and necessary.
Web forms must clearly identify each party for which consent is being granted where data processing will involve information being passed to third-party organisations.
Third Party Tracking Software
Many websites employ third-party marketing automation software solutions. These might be lead tracking applications like Lead Forensics or CANDDI. They could also be classed as call tracking applications like Infinity Call Tracking or Ruler Analytics. The use of these tracking applications raises some very interesting questions in terms of GDPR compliance, and they should be monitored on an ongoing basis to ensure compliance is maintained.
Forms and Consent
Forms that ask users to subscribe to newsletters or register contact preferences must default to "no" or be blank. All response fields (newsletters etc.) must generate a compliance statement (auto-response) which informs "subscribers" that their details will be "stored on a database to effect the request submitted". They must also be informed that they can unsubscribe/update their preferences at any time via a link, email address or phone. Best practice also suggests that in the text box area where customers are invited to leave their personal information, there should be a statement (or link to a statement) which informs them that their details will be added to a database.
It must be just as easy to remove consent as it is to grant it. Individuals must be advised that they have the right to withdraw their consent as well as give it, change the frequency of communication, or stop all communications entirely.
Oversight and Risk Management
It is important to remember that you, as the business customer and the data controller, have specific legal obligations under the GDPR, including (but not limited to) the aforementioned website modifications. No provider can offer to “solve” GDPR compliance for you. Iperium Real Estate Ltd. does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. You are responsible for ensuring your own compliance with various laws and regulations, including GDPR.
We strongly recommend that you employ the services of an independent, third-party Data Protection Officer who will help maintain compliance on an ongoing basis. GDPR is an ongoing business requirement and will need constant oversight if your business is to remain compliant.