Don’t Panic! Updating Privacy Notices for GDPR Compliance
The General Data Protection Regulation finishing line of 25th May 2018 is staying steadfastly still while the present moment is hurtling selfishly down the racetrack towards it. Anyone who is aware of this deadline is minutely conscious of all the things that have to be done in this narrowing span of time. The latest item ticked off the list is updating our Privacy Notice and informing our clients that they need to refresh theirs as well.
The purpose of the Privacy Notice is to tell people exactly how you collect their data, what you do with it, who you share it with, how long you will keep it for and how they can reclaim it or request it be deleted. We don’t have a legal department, so we can’t write our clients’ Privacy Notices for them. The best we can do is offer up our own interpretation of a compliant Privacy Notice for them to use as a template and provide them with a list of all the ways that their website captures data.
Disinformation Commissioner’s Office
The Information Commissioner’s Office (ICO), who are responsible for enforcing the new regulation, have done very little to help organisations seeking to be compliant. In the course of our research, we found their labyrinthine website the very opposite of their instructions to others to be ‘clear and concise’. Their own Privacy Notice, which we thought might serve as a template, is due to be updated on the 25th May. Thanks – that’s really helpful.
Age of Consent
Most businesses with a website have been blithely collecting data from visitors and for the most part doing nothing with it. Some organisations have been using legitimately collected information (e.g. an email address collected so they can send you an e-receipt) for marketing purposes. This is slightly shady under current laws; once GDPR is enacted, it will be absolutely illegal to market to anyone who has not given clear consent for you to do so. No more pre-ticked boxes – consent must be obtained honestly.