GDPR Compliance Update

GDPR has been with us for nearly 9 months now and although it has gone relatively quiet in the news I can assure you that it’s here to stay – there have been some consequences for non-compliance too.

I’ll be honest: many large companies like Uber, Heathrow Airport and even the Metropolitan Police have received fines. However, if you think you can avoid scrutiny or fines then consider the NHS nurse Clare Lawson, or SMBs like Everything DM Ltd (EDML), based in Stevenage, which was fined £60,000 for sending 1.42 million emails without consent. Between May 2016 and May 2017, the firm used its direct marketing system called ‘Touchpoint’ to send emails on behalf of its clients for a fee.

A large number of cases relate to marketing:

  • Boost Finance Ltd: Fined £90K http://bit.ly/2FOvXb1
  • Everything DM Ltd: Fined £60K https://bit.ly/2VfwSGN

Take a look at the ICO’s website for more UK enforcement: https://ico.org.uk/action-weve-taken/enforcement/


Our GDPR Compliance Service – Overview

We no longer offer GDPR as an off-the-shelf service on this website. We do have extensive experience and knowledge of GDPR for both B2C and B2B businesses.

However, we are happy to advise our clients on how best to transition to GDPR compliance, as well as on online and offline (GDPR management) best practices. We also share articles on our blog – see our post “Designing for GDPR”.

Why No Off-The-Peg GDPR Service?

Sadly, we have seen an increase in companies offering off-the-peg GDPR compliance solutions to website owners. These solutions are most often poorly considered and leave the website owners with little protection should they be involved in a GDPR dispute.

Why “Sadly”?

  • Looking GDPR compliant and being GDPR compliant are not the same thing, so adjusting your privacy policy and adding a simple “cookie bar” to your website is not sufficient and will not help should your business be investigated. However, these are typically the type of “fixes” being offered cheaply.
  • Simply put, you and your business will not become GDPR compliant after a few tweaks have been made to your website. It takes more than that, and anyone advising you differently is not doing you any favours.
  • Many business owners are being advised that GDPR rules will only affect the large online companies like Google and Facebook – this is the most worrying myth, as any member of the public can submit a complaint to the ICO – even your competitors.

Getting Started with GDPR

GDPR requires some initial setup work and an ongoing commitment to the people you serve or who have access to your website. That ongoing work can to some extent be automated online. Offline, the required documents can be stored as templates to simplify dealing with any data requests you receive. So before engaging someone to help with your GDPR compliance, do some due diligence and ask a few questions.

Here are just a few of the items you will need to consider:

  • Collecting & Managing SARs (Subject Access Requests)
  • Managing Data Protection Impact Assessments (DPIAs)
  • Clauses for Staff Agreements Form
  • Consent to Data Processing Guide
  • Data Retention Policy
  • Data Processing Agreement
  • Data Protection Policy
  • Risk, Issues & Breach Log Creation
  • GDPR Report

I hope this helps you and that you can now better understand why there are no quick fixes to make your business GDPR compliant.

We are happy to take a look at any WordPress website, give you an honest appraisal of its GDPR compliance and advise you on how you may fix any problems.

Alternatively, contact the Information Commissioner’s Office (https://ico.org.uk).

GDPR 2019 Outlook

Some have not yet realised that the ePrivacy Regulation will constitute a legal instance of the principle ‘lex specialis derogat legi generali’ with regard to GDPR.
It basically means that the ePrivacy Regulation (lex specialis) overrides the lex generalis (GDPR).
Good news seems to be on the horizon for non-intrusive, non-profiling cookies, yet nasty surprises await those who think that having a simple cookie consent will do.
2019 also promises local GDPR parity legislation across the world.


Why Most Cookie Consent Bars are not Enough

One of the most tangible requirements of the GDPR is in the definition of what constitutes a proper cookie consent, meaning, that the consent has to be:

  • Informed: Why, how and where is the personal data used? It must be clear for the user, what the consent is given to, and it must be possible to opt-in and opt-out of the various types of cookies.
  • Given by means of an affirmative, positive action that cannot be misinterpreted.
  • Given prior to the initial processing of the personal data.
  • Withdrawable. It must be easy for the user to change his or her mind and withdraw the consent.

What is a GDPR compliant cookie banner?

The above requirements render most of the cookie banners and notifications used prior to the implementation of the GDPR obsolete.

For instance, implied consent and consent given simply by visiting a site is not enough.

The same goes for pop-ups and banners stating ‘By using this site, you accept cookies’.

A simple ok button for accepting cookies is also not sufficient.

What counts as consent?

To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

Consent does not necessarily have to be explicit consent. However, consent must be given by clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do.

You should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data such as health details, or used for behavioural tracking. The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy.

Read the full ICO explanation here
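As an added example (not code from the original page or from the ICO), the following JavaScript sketches a consent gate that meets the four requirements above: no tracking loader runs before an explicit, per-category opt-in; an absent, pre-ticked or implied choice counts as refusal; and withdrawal is a single call that is recorded like any other decision. The `store` and `loaders` objects are assumptions standing in for cookie or localStorage persistence and the third-party tag loaders.

```javascript
// Added example: a minimal GDPR-style consent gate. Storage and tag loaders
// are injected (assumed interfaces) so the logic runs without a browser.
const CATEGORIES = ['analytics', 'marketing']; // strictly necessary cookies need no consent

function createConsentManager(store, loaders) {
  // store:   { get() -> record|null, set(record) }  (assumed persistence API)
  // loaders: { analytics: fn, marketing: fn }         (assumed tag loaders)
  const loaded = new Set();

  function current() {
    const saved = store.get();
    // No record means no consent: visiting the site is never treated as agreement.
    return saved || { decided: false, granted: {} };
  }

  // "Prior to processing": loaders run only for categories with a recorded opt-in,
  // and each loader runs at most once per page view.
  function applyConsent() {
    const state = current();
    for (const c of CATEGORIES) {
      if (state.decided && state.granted[c] === true && !loaded.has(c)) {
        loaders[c]();
        loaded.add(c);
      }
    }
    return [...loaded];
  }

  // "Affirmative action": only an explicit boolean true per category counts;
  // missing keys, pre-ticked defaults or truthy strings are treated as refusal.
  function record(choices) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = choices[c] === true;
    store.set({ decided: true, granted, at: new Date().toISOString() });
    return applyConsent();
  }

  // "Withdrawable": one call revokes every category. Scripts already loaded
  // cannot be unloaded, so the caller is told a reload is needed to honour it.
  function withdraw() {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = false;
    store.set({ decided: true, granted, at: new Date().toISOString() });
    return { granted, reloadRequired: loaded.size > 0 };
  }

  // "Informed": the banner must be shown until a real decision has been recorded.
  function bannerRequired() { return !current().decided; }

  return { current, applyConsent, record, withdraw, bannerRequired };
}
```

A "By using this site, you accept cookies" banner corresponds to calling every loader unconditionally on page load; the gate above is the opposite default.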
