So What Counts as Personal Data?
Any data that can be used, directly or indirectly, to identify a living person, for example:
- Phone Number
- Email address
- Location data
- IP address
What Rights Do Data Subjects Have Under GDPR?
As explained by the ICO, data subjects have rights over their personal data, including:
- Restrictions on processing
- Data portability
- Rights relating to automated decision-making and profiling
The GDPR refers frequently to data processing. This simply means any operation performed on personal data: collection, storage, amendment, deletion and so on.
Consent must be collected where no other lawful basis applies (e.g. performance of a contract, or a legal obligation such as keeping expense records). It affects:
- Data Capture Forms
- Privacy Statement
- Data Processing
Consent must be:
Given freely – no-one should be tricked or coerced into supplying their personal data.
Explicit – if you want to add email addresses from a contact form to a mailing list, you can’t use a pre-ticked checkbox automatically opting them in.
Specific and separate – if there are multiple processing purposes, consent must be obtained separately for each one. So if someone opts in to a competition, joining your mailing list needs its own, second checkbox:
- Yes to enter the competition under its terms and conditions.
- Yes to receiving email marketing.
Named – state your company name and the name of any other organisation that will be processing the data.
Able to be withdrawn at any time – if someone wants to opt out later, you must allow them to. You should make it easy to do this.
- Include a clear opt-out on email marketing, SMS or notification settings in-app.
- Include a form on your privacy statement page, or direct users to a point of contact, so they can request the information you hold on them.
You need to record:
- What someone has consented to.
- When they consented.
- How they did it.
- What they were told about how their information would be used.
A Compliant Website
The minimum requirement for a compliant website covers 3 areas:
- Compliant records of consent (CRM records storing IP address, consent statement, date and time)
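The record described above (what was consented to, when, how, what the subject was told, plus the IP address the CRM stores) is easy to get subtly wrong: bundling marketing consent with the T&Cs, or accepting a submission from a form that was rendered pre-ticked. The following is an added example, not code from the original article or from any of the sites it discusses, of turning one form submission into such a record and dating a later withdrawal without destroying the evidence. The field names, purposes, statement wording and the sample submission are assumptions made for the example.

```javascript
// Added example, not code from the original article. Field names, purposes,
// the statement text and the sample submission are assumptions.

// One purpose per checkbox. Accepting the T&Cs is recorded separately and is
// never treated as marketing consent.
const CONSENT_PURPOSES = ["email", "sms", "post", "third_party"];

// The wording shown beside the checkboxes is versioned so the record can prove
// what the subject was told even after the statement is later edited.
const CONSENT_STATEMENTS = {
  v1: "Example Ltd and Example Prints Ltd will use these details to send you offers. You can opt out at any time from your account settings.",
};

// form.rendered:  the checkbox state the page was served with (per purpose).
// form.submitted: the state the user actually submitted.
// ctx:            server-side facts the browser cannot be trusted to assert.
function buildConsentRecord(form, ctx) {
  // Explicit: every opt-in must have been rendered unticked. A pre-ticked box
  // means the user was asked to opt out, not in, so the submission is rejected.
  for (const purpose of CONSENT_PURPOSES) {
    if (form.rendered[purpose] === true) {
      throw new Error(`'${purpose}' was pre-ticked; consent is not explicit`);
    }
  }
  // Named: the statement version shown must be one we can reproduce verbatim.
  const statement = CONSENT_STATEMENTS[form.statementVersion];
  if (!statement) throw new Error(`unknown consent statement '${form.statementVersion}'`);

  // Specific and separate: record only the purposes actually ticked, one by one.
  const purposes = CONSENT_PURPOSES.filter((p) => form.submitted[p] === true);

  return {
    subjectId: ctx.subjectId,
    purposes,                                    // what they consented to
    consentedAt: ctx.now.toISOString(),          // when
    method: "web_form:" + form.formId,           // how
    sourceIp: ctx.ip,                            // CRM record: where from
    statementVersion: form.statementVersion,
    statementText: statement,                    // what they were told
    termsAccepted: form.termsAccepted === true,  // kept apart from marketing consent
    withdrawn: {},                               // purpose -> ISO timestamp of withdrawal
  };
}

// Withdrawal must be possible at any time. Date the withdrawal on a copy of the
// record rather than deleting the original evidence that consent was given.
function withdrawConsent(record, purpose, now) {
  if (!record.purposes.includes(purpose)) {
    throw new Error(`no consent on file for '${purpose}'`);
  }
  return { ...record, withdrawn: { ...record.withdrawn, [purpose]: now.toISOString() } };
}

// The purposes you may still process under this record today.
function activePurposes(record) {
  return record.purposes.filter((p) => !(p in record.withdrawn));
}

// Constructed sample submission: T&Cs accepted, email ticked, everything else
// left at the unticked default the page was served with.
const SAMPLE_FORM = {
  formId: "competition-entry",
  statementVersion: "v1",
  termsAccepted: true,
  rendered:  { email: false, sms: false, post: false, third_party: false },
  submitted: { email: true,  sms: false, post: false, third_party: false },
};
const SAMPLE_CTX = {
  subjectId: "subject-123",
  ip: "203.0.113.7",
  now: new Date("2018-05-25T09:00:00Z"),
};

const record = buildConsentRecord(SAMPLE_FORM, SAMPLE_CTX);          // purposes: ["email"]
const later = withdrawConsent(record, "email", new Date("2018-06-01T12:00:00Z"));
console.log(activePurposes(record), activePurposes(later));          // [ 'email' ] []
```

The `rendered` state is passed back by the page so the server can refuse a pre-ticked design rather than relying on everyone remembering to check the template; if your forms are server-rendered you can instead assert the default at render time. Storing the statement text by version, not just a flag, is what lets you answer "what were they told?" for a consent given years earlier.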
Data Collection Grade A+
Forms: Active Opt-In
Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.
As an example, Boots' registration form used pre-ticked opt-in boxes, forcing the user to actively opt out. This is naughty and must be changed.
The consent you are asking for should be set out separately for accepting general terms and conditions, and acceptance of consent for other ways of using data.
In this example, Sainsbury’s clearly set out the acceptance of their terms and conditions, and separately set out the active opt-in for their contact permissions.
It’s a shame Sainsbury’s didn’t offer the option to be more granular in terms of communication opt-in preferences (email, SMS, post).
Users should be able to provide separate consent for different types of processing.
In this example, ABC Awards ask for specific permission for each type of processing (post, email, telephone) and also ask permission to pass details on to a third party.
Another superb prototype from the ICO, particularly useful in mobile UIs, is the just-in-time privacy notice.
As you can see in the GIF below, when the user engages with a data field, the relevant information is displayed at that moment as a pop-up style hint.