The Do’s and Don’ts of GDPR compliance, including examples of forms
There is a lot of information floating around the internet about what GDPR is, why it is being implemented and the astronomical fines you could potentially incur in the most serious cases of negligence involving personal data. What is lacking is practical advice and concrete examples to help you work towards GDPR compliance.
Whether you haven’t even started to make changes yet or you are simply looking for a benchmark to check yourself against, we have put together some examples below of existing and GDPR-ready versions of:
It’s worth mentioning that the examples shown below are best-case scenarios, worth achieving if you can. GDPR is not an aggressive law looking to fine and penalise everyone, leaving businesses and marketing agencies (such as this one) constantly on edge over data. As long as you have your own versions of the below in place, with the key learnings taken from the examples, you will be well on your way to complying with the change in data protection laws.
Location sharing typically comes up during mobile sign-up, because apps want to use location for a number of reasons (availability of services in the local area, international restrictions, GPS positioning for maps, and so on). Under GDPR, the option to share your location should now also come with information about what will happen to that data once it has been stored: what it is used for and how long it is kept.
The next part concerns subscription centres and giving users direct control of their own data. This section doesn’t compare an existing design against an improved one, but rather shows a “minimum” standard next to an “ideal” design for a subscription-centre-style account setting.
In the “Ideal” scenario, there is a dedicated section in the user’s account where they can view their data and consent information. As you can see in the images above, it is clear who the user needs to contact for information about what data is held about them, and the user can see on-screen what information has been stored about them. There are also clear instructions on how to edit and delete that information in the online system.
Finally you can see that there is a subscription settings section that allows the user to change what they have previously consented to receive. This can all then be saved to be reviewed again at any time the user wishes.
The main benefit of the “Ideal” set-up is that it greatly reduces admin and processing time for the organisation. If the user can do all of this themselves, it saves a huge amount of time auditing, searching and amending data, as well as documenting the process for GDPR purposes.
The differences between the existing and the improved forms here are quite drastic on first glance but don’t let that put you off.
The first thing to notice about the “Existing” form is that it uses a “negative” checkbox: the user has to check the box if they don’t want to be notified about new offers, so leaving it alone is treated as agreement. Under GDPR this fails the test for consent. Consent must be given by a clear affirmative action, and silence, inactivity or an unticked box does not count as consent; it must be clear and obvious to the user what they are agreeing to when they sign up or consent to be sent information in future.
In this example we see an extension of the types of consent offered in the previous “Gaining Consent” section. As the previous form shows, there is a simple “Do not notify me about new offers” checkbox which, as mentioned above, forces the user to take a positive action in order to opt out rather than to opt in.
We also see an attempt to include opt-in/opt-out consent information for GDPR purposes, but the non-compliant element remains the checkbox: to opt out, the user must check the box, and doing nothing is read as consent.
Another detail in the improved form is that the continue/submit button is “greyed out” and only becomes clickable once the user has entered a response to the consent question, so the form cannot be submitted with the question skipped.
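The server-side counterpart of the form behaviour described above (explicit opt-in only, submission blocked until every consent question has an answer, and a record of what was agreed that the “Ideal” subscription centre can later display and change), as an added example that is not code from the original post. The field names, purposes, consent-text version string and sample submissions are hypothetical and constructed for illustration; the legacy “Do not notify me” function shows why the negative checkbox cannot yield a valid consent.

```javascript
// Added example (not from the original post). Purposes, field names and the
// version string are hypothetical; the submissions below are constructed.

const CONSENT_PURPOSES = ["marketing_email", "share_location"];
// Assumed identifier of the exact consent wording shown to the user, so a
// later audit can show which text a given decision was made against.
const CONSENT_TEXT_VERSION = "2018-05-v1";

// Validate one raw form body (field -> string, as a parsed POST body would be).
// Every purpose must carry an explicit "yes" or "no" answer from a radio group;
// a missing, blank or unexpected value blocks the submission. This is the
// server-side equivalent of the greyed-out submit button: a skipped question
// is never silently treated as a decision.
function validateConsentSubmission(body) {
  const errors = [];
  const consents = {};
  for (const purpose of CONSENT_PURPOSES) {
    const answer = body[purpose];
    if (answer === undefined || answer === "") {
      errors.push(`${purpose}: no response; an unanswered question is not consent`);
    } else if (answer !== "yes" && answer !== "no") {
      errors.push(`${purpose}: unexpected value ${JSON.stringify(answer)}`);
    } else {
      consents[purpose] = answer === "yes";
    }
  }
  return { ok: errors.length === 0, consents, errors };
}

// Build the evidence of consent: per purpose, the decision, the wording version
// the user saw, when it was recorded and through which form. Stored with the
// account, this is what a subscription centre displays and lets the user change.
function buildConsentRecord(consents, submittedAt, source) {
  return CONSENT_PURPOSES.map((purpose) => ({
    purpose,
    granted: consents[purpose],
    consentTextVersion: CONSENT_TEXT_VERSION,
    recordedAt: submittedAt.toISOString(),
    source,
  }));
}

// The "Existing" form's negative checkbox: "Do not notify me about new offers".
// An unchecked HTML checkbox is simply absent from the POST body, so the server
// cannot distinguish "saw the box and left it unticked" from "never saw it".
// The only unambiguous signal this form can produce is a refusal; the absence
// of an opt-out is returned as null (unknown), never as consent.
function legacyOptOutToConsent(body) {
  if (body.do_not_notify === "on") {
    return false; // explicit opt-out: a clear refusal
  }
  return null; // no opt-out is not an opt-in
}

// Constructed sample submissions (not real traffic).
const compliantBody = { email: "a@example.com", marketing_email: "no", share_location: "yes" };
const incompleteBody = { email: "b@example.com", marketing_email: "yes" };
const legacyBody = { email: "c@example.com" }; // negative checkbox left unchecked

const result = validateConsentSubmission(compliantBody);
console.log(result.ok, buildConsentRecord(result.consents, new Date(), "signup_form"));
console.log(validateConsentSubmission(incompleteBody).errors);
console.log("legacy form, box unticked:", legacyOptOutToConsent(legacyBody));
```

The validator deliberately accepts only the two literal answers, so a tampered or truncated request that omits a radio group is rejected rather than defaulting either way; the record carries the wording version because a consent is only meaningful relative to the text the user actually read.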