GDPR has been with us for nearly 9 months now and although it has gone relatively quiet in the news I can assure you that it’s here to stay – there have been some consequences for non-compliance too.
I’ll be honest: many large organisations, such as Uber, Heathrow Airport and even the Metropolitan Police, have received fines. But if you think a smaller organisation or an individual can avoid scrutiny or fines, consider the NHS nurse Clare Lawson, or an SMB like Everything DM Ltd (EDML) of Stevenage, which was fined £60,000 for sending 1.42 million emails without consent. Between May 2016 and May 2017 the firm used its direct-marketing system, ‘Touchpoint’, to send emails on behalf of its clients for a fee.
A large number of these cases relate to marketing:
Take a look at the ICO’s website for more UK enforcement: https://ico.org.uk/action-weve-taken/enforcement/
We no longer offer GDPR as an off-the-shelf service on this website, but we do have extensive experience and knowledge of GDPR for both B2C and B2B businesses.
We are happy to advise our clients on how best to transition to GDPR compliance, covering both online and offline (GDPR management) best practice. We also share articles on our blog; see our post “Designing for GDPR”.
Sadly, we have seen an increase in companies offering off-the-peg GDPR compliance solutions to website owners. These solutions are most often poorly considered and leave the website owner with little protection should they become involved in a GDPR dispute.
GDPR requires some initial setup work and an ongoing commitment to the people you serve or who have access to your website. Online, that ongoing work can to some extent be automated. Offline, the required documents can be stored as templates to simplify dealing with any data subject requests you receive. So before engaging someone to help with your GDPR compliance, do some due diligence and ask a few questions.
Here are just a few of the items you will need to consider:
One of the most tangible requirements of the GDPR is its definition of valid consent, which applies to cookie consent: consent must be freely given, specific, informed and unambiguous, and given by a statement or by a clear affirmative action (Article 4(11)).
The above requirements render most of the cookie banners and notifications used prior to the implementation of the GDPR obsolete.
For instance, implied consent, or consent given simply by visiting a site, is not enough.
The same goes for pop-ups and banners stating ‘By using this site, you accept cookies’.
A simple OK button for accepting cookies, with no way to refuse, is also not sufficient.
Consent does not necessarily have to be explicit consent. However, consent must be given by clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do.
You should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those that collect sensitive personal data (for example health details) or are used for behavioural tracking. The ICO takes a risk-based approach to enforcement in this area, in line with its regulatory action policy.
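The rules above translate into a few concrete properties of the code that sets cookies: nothing non-essential is written before a recorded opt-in, closing the banner is not a choice, every category defaults to off, and withdrawing is as easy as consenting. The following consent manager is an added example written for this post, not code from the original article or from any vendor product; the category names, the cookie names `_ga`, `_gid`, `_fbp` and `cookie_consent`, and the six-month re-consent period are all assumptions. The cookie store (“jar”) is injected so the logic runs in Node for testing; `browserJar()` wraps `document.cookie` for real use.

```javascript
// Added example: a consent-gated cookie manager. Not code from the original post.
// Category names, cookie names and the re-consent period are hypothetical.

const CONSENT_COOKIE = 'cookie_consent';          // hypothetical name of the consent record
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;       // seconds; ask again after six months
const CATEGORIES = {                              // non-essential categories -> cookies they set
  analytics: ['_ga', '_gid'],                     // hypothetical vendor cookie names
  marketing: ['_fbp'],
};

function createConsentManager(jar, now = () => Date.now()) {
  let record = parseRecord(jar.get(CONSENT_COOKIE));

  // Only a well-formed record counts; anything else is treated as "no consent".
  function parseRecord(raw) {
    if (!raw) return null;
    try {
      const r = JSON.parse(raw);
      if (r && r.version === 1 && typeof r.ts === 'number' &&
          r.choices && typeof r.choices === 'object') return r;
    } catch (e) { /* malformed: fall through */ }
    return null;
  }

  return {
    // Strictly necessary cookies need no consent; everything else needs a recorded opt-in.
    allows(category) {
      if (category === 'essential') return true;
      if (!(category in CATEGORIES)) throw new Error('unknown category: ' + category);
      return record !== null && record.choices[category] === true;
    },

    // Call ONLY from an explicit user action (an "Accept analytics" button, say).
    // Every category is opt-in: anything not explicitly true is stored as false.
    recordChoice(choices) {
      const stored = {};
      for (const c of Object.keys(CATEGORIES)) stored[c] = choices[c] === true;
      record = { version: 1, ts: now(), choices: stored };
      jar.set(CONSENT_COOKIE, JSON.stringify(record), { maxAge: CONSENT_MAX_AGE });
      return record;
    },

    // Closing the banner without choosing is NOT consent: state is unchanged.
    dismiss() { return record; },

    // Withdrawal must be as easy as consent: forget the record and delete
    // every cookie the non-essential categories could have set.
    withdraw() {
      for (const names of Object.values(CATEGORIES)) names.forEach((n) => jar.remove(n));
      jar.remove(CONSENT_COOKIE);
      record = null;
    },

    // The single choke point through which all cookie writes must go.
    setCookie(category, name, value, opts = {}) {
      if (!this.allows(category)) return false;
      jar.set(name, value, opts);
      return true;
    },
  };
}

// In-memory jar, used for the demonstration below.
function memoryJar() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    remove: (k) => { m.delete(k); },
  };
}

// Browser jar over document.cookie (assumes an HTTPS origin, hence Secure).
function browserJar() {
  const read = (k) => {
    const hit = document.cookie.split('; ').find((c) => c.startsWith(k + '='));
    return hit ? decodeURIComponent(hit.slice(k.length + 1)) : null;
  };
  return {
    get: read,
    set: (k, v, opts = {}) => {
      const age = opts.maxAge !== undefined ? '; Max-Age=' + opts.maxAge : '';
      document.cookie = k + '=' + encodeURIComponent(v) + age + '; Path=/; SameSite=Lax; Secure';
    },
    remove: (k) => { document.cookie = k + '=; Max-Age=0; Path=/; SameSite=Lax; Secure'; },
  };
}

// Before: the pre-GDPR pattern the text calls insufficient, tracking cookie set on load.
function pageLoadImpliedConsent(jar) {
  jar.set('_ga', 'GA1.1.example');   // written whether or not the visitor did anything
  return jar.get('_ga') !== null;
}

// After: the analytics cookie is only written once a recorded opt-in exists.
function pageLoadGated(mgr) {
  return mgr.setCookie('analytics', '_ga', 'GA1.1.example');  // false until recordChoice()
}
```

In a real page, `recordChoice` is wired to the per-category buttons of the banner and `withdraw` to a permanently visible “cookie settings” link; any third-party script that sets its own cookies should only be loaded after `allows()` returns true for its category, since this manager can only gate writes that go through it.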