GDPR comes into force in two weeks' time. We're sure that your own internal processes are in place and that when the ICO knocks on your door you can present the GDPR policy documents that detail how you handle your customers' data.
Failure to produce these documents may result in a substantial fine if someone lodges a complaint against you. That may seem remote, but being prepared removes some of the anxiety. In this article we look at the least you need to do to be compliant and answer some questions that apply to most of our clients.
Do I need to send a re-permissioning campaign?
No doubt your inbox has been bombarded with emails from companies you had forgotten you'd signed up with, asking you to confirm your details. These are re-permissioning campaigns.
Crowd has always recommended a double opt-in process for mailing list sign-ups: the address is only added to the list once its owner clicks a confirmation link sent to that address, which both proves the address belongs to the subscriber and leaves a dated record of their consent. This has always been best practice and, having implemented it on your sites, for most of our clients it removes the need to run a re-permissioning campaign, provided the confirmation records (who confirmed, when, and what they signed up for) are retained so you can evidence the consent (https://www.mailjet.com/gdpr/consent/#double-opt-in-definition).
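To make concrete what a double opt-in flow has to get right on the server side, here is an added example (it is not Crowd's or Mailchimp's code): the sign-up is held as pending, the confirmation link carries an HMAC-signed token tied to the address and a one-time nonce, and only a valid, unexpired, unused token moves the address onto the list with a timestamped consent record. The secret key, the 48-hour link lifetime and the in-memory store are assumptions for illustration; a real site would load the secret from configuration and keep the pending and subscriber records in its database.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for the example. Load the real secret from configuration,
# never hard-code it, and set the link lifetime to match your stated policy.
SECRET_KEY = b"replace-with-a-long-random-secret"
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class MailingList:
    """In-memory stand-in for the list store (constructed for this example)."""
    pending: dict = field(default_factory=dict)      # nonce -> email awaiting confirmation
    subscribers: dict = field(default_factory=dict)  # email -> consent record


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, secret: bytes) -> str:
    # HMAC-SHA256 over the exact payload bytes that are placed in the link.
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def start_signup(store: MailingList, email: str, now: float,
                 secret: bytes = SECRET_KEY) -> str:
    """Step 1: the web form was submitted. Park the address as pending and
    return the token to embed in the confirmation link emailed to it."""
    email = email.strip().lower()
    nonce = secrets.token_urlsafe(16)        # makes the link single-use
    store.pending[nonce] = email
    payload = json.dumps({"email": email, "nonce": nonce, "iat": int(now)},
                         sort_keys=True).encode()
    return f"{_b64(payload)}.{_sign(payload, secret)}"


def confirm_signup(store: MailingList, token: str, now: float,
                   secret: bytes = SECRET_KEY) -> Optional[str]:
    """Step 2: the link was clicked. Return the confirmed address, or None if
    the token is malformed, forged, expired or already used."""
    try:
        encoded, sig = token.split(".", 1)
        payload = _unb64(encoded)
    except ValueError:
        return None                           # malformed token
    # Constant-time comparison; check the signature before trusting the payload.
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return None                           # forged or tampered token
    data = json.loads(payload)
    if now - data["iat"] > TOKEN_TTL_SECONDS:
        return None                           # link expired, pending entry kept
    email = store.pending.pop(data["nonce"], None)
    if email != data["email"]:
        return None                           # unknown nonce or link already used
    # Only now is the address on the list, together with the consent evidence.
    store.subscribers[email] = {"confirmed_at": int(now), "method": "double-opt-in"}
    return email


if __name__ == "__main__":
    store = MailingList()
    token = start_signup(store, "Alice@Example.com", now=1_000.0)
    print("pending:", store.pending)
    print("confirmed:", confirm_signup(store, token, now=2_000.0))
    print("second click:", confirm_signup(store, token, now=2_100.0))
    print("subscribers:", store.subscribers)
```

The consent record written on confirmation is what you would show the ICO in place of a re-permissioning campaign, so keep it with the subscriber rather than in a log that rotates away.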
Do I need to update my sign up forms?
Yes! Mailchimp has introduced extra GDPR fields which can be included on its forms by checking a setting in the Mailchimp control panel.
This version of the form adds explicit descriptions of what the data will be used for, with separate consent options for each use.
With time running out, we would recommend switching this form on at the very least. Ideally Crowd would update the form on your website to include these extra fields and this is something that you should consider asking us to do as part of your service contract work.
The default behaviour of a Mailchimp sign-up form is that if a required field is missing from the form embedded on your website, the user is taken to a version of the form hosted on the Mailchimp website. That hosted form is pre-populated with the fields already completed on your site and adds the missing fields.
By switching on the GDPR fields in Mailchimp, we force this expanded form to be shown, ensuring that a consent step is always presented before the address is added to the list.
I use Google Analytics. Is this compliant?
Yes, as long as no personal data is sent to it. Google's terms for GA prohibit recording personally identifiable information (names, email addresses and so on) in GA, and it is not something Crowd will have done in your tracking set-up. One check worth making: GA records the full page path, so confirm that none of your URLs or query strings carry personal data, for example a contact form that redirects to a thank-you page with the submitted email address in the address bar.
Do I need to update my contact form?
Yes! You should add a checkbox to your form, unticked by default, that states what will be done with the data, together with a link to your Privacy Policy page.
What you do with the data submitted through the form will need to be covered by your GDPR policy: a legal document that describes the process for receiving and storing the personal information collected.
This will vary depending on what you do with the data, whether you store it in a CRM, a spreadsheet or just your inbox.
When a user asks you to remove their data, do you know where it is held, how to remove it, and who to ask if you cannot remove it yourself?
Do I need to update my privacy policy?
Yes! For most of our sites data collection is limited to a newsletter sign-up (typically Mailchimp) and a contact form, but the Privacy Policy still needs extra detail on your GDPR processes.
The ICO, who will be policing GDPR compliance, have provided a checklist of things that need to be included in your Privacy Policy. These include:
- Identity and contact details of the controller (and, where applicable, the controller's representative) and the data protection officer
- Purpose of the processing and the legal basis for the processing
- Retention period or criteria used to determine the retention period
- The right to withdraw consent at any time, where relevant
For more information on what needs to be included, see the full list on the ICO website. Your legal or IT team will be able to advise on the wording, and the policy itself is editable in the WordPress CMS.
Crowd and GDPR compliance
Under the new law, Crowd shares liability within our agreements for the non-compliance of our clients and may be subject to fines should a client contravene GDPR. Crowd must therefore work with you to ensure that the services and solutions we deliver are compliant.