blog banner svg shape

The Do’s and Don’t of GDPR compliance including examples of forms

There is a lot of information floating around the internet about what GDPR is, why it is being implemented and the astronomical fines that you could potentially incur for the most serious cases of negligence involving personal data. However what is lacking is the practical advice and examples to help you work towards GDPR compliance.

Whether you haven’t even started to make changes yet or you are simply looking for a benchmark to check yourself against, we have put together some examples below of existing and GDPR-ready versions of:

  • Location services request
  • Data requests, right to rectification and right to erasure settings
  • Gaining consent through form fills
  • Opt-out vs Explicit opt-in

It’s worth mentioning that the examples shown below are best case scenarios should you be able to achieve them. GDPR is not an aggressive law that is looking to fine and penalise everyone, causing businesses and marketing agencies (such as this one) to be constantly on edge over data. As long as you have your own versions of the below in place with the key learnings taken from the examples, you will be well on your way to being compliant with the change in data protection laws.

Location Services Request – Choice Modal

Typically occurring during mobile sign up due to apps wanting to use location for a number of reasons (availability of services in local area, international restrictions, GPS/positioning for maps etc), this option to share your location should now also come with information about what will happen to this data when it has been stored.

In the choices above, the “Existing” iteration shows that currently, it is designed in such a way to influence you to quickly click the “yes” option and move on without fully reading the information regarding what you are consenting to. In the “Improved” version, you can see that the colours have been equalled across both boxes to ensure no bias in selection. There has also been a link added to an external page that explains to the user what the location based feature is. This page will typically be the privacy policy that explains the feature, what the data is collected for, how it is used and the rights the user has if they want to be forgotten about.

Data Requests, Right to rectification and Right to erasure

The next part concerns subscription centres and the ability to give the control of your users’ data to the user directly. This section doesn’t necessarily compare an existing vs an improved scope for design but rather shows a “minimum” standard compared to an “ideal” design for a subscription centre-style account setting.

For the minimum requirement, within the privacy policy page you should give clear and accurate information about who in your organisation the user needs to contact in order to request information about what data you hold about them, ask for amendments to be made or to ask for all data to be erased completely (unless it is legally impossible to do so).

In the “Ideal” scenario, there is a special section reserved in the user’s account where they can view their data and consent information. As you can see in the images above, it is clear who the user needs to contact for information about what data is held about them and the user can also see on-screen what information has been stored about them. There are also clear instructions on how to edit and delete information in the online system.

Finally you can see that there is a subscription settings section that allows the user to change what they have previously consented to receive. This can all then be saved to be reviewed again at any time the user wishes.

The main benefit to having the “Ideal” set up is that it greatly reduces admin and processing time on behalf of the organisation. If the user can do all of this themselves then this saves a huge amount of time auditing, searching and amending data as well as documenting the process for GDPR reasons.

Gaining Consent

The differences between the existing and the improved forms here are quite drastic on first glance but don’t let that put you off.

The first thing to notice about the “Existing” form is that there is a “negative” checkbox. What this means is that the user has to check the box if they don’t want to be notified about new offers. Under GDPR this is a very clear breach in that the new law states you must make it clear and obvious what the user is doing when they are signing up to something or offering their consent to be send information in the future.

In the “Improved” section, you can see that it is explained early on to the user what their email address will be used for and a link to the privacy policy. It is then clearly explained under “Contact Permission” what the data will be used for as well as giving the visitor clear and obvious options as to which types of information (if any) they would like to receive. There is also then a notice that the user must agree to the terms and conditions if they wish to use the website.

Opt-out vs Explicit Opt-in

In this example, we see an extension of the types of consent offered in the previous “Gaining Consent” section. As you can see by the previous form, there is a simple “Do not notify me about new offers” checkbox which as aforementioned, is a negative way for someone to opt-out.

We also see that it has been attempted to include opt-in/opt-out consent information for GDPR purposes but the non-compliant element is the checkbox that is stating that for someone to opt-out, they must check the box.

 

Another element to take note of in this particular example is that the consent it is seeking is to allow the company to share information with 3rd parties. The “Improved” example here explains in greater detail that data will not be sold to 3rd parties if you do not consent for this to happen and there is a very clear Yes/No option to the checkboxes. There is also a link back to a privacy policy that will explain this in more detail.

Another detail here is that the box to continue or submit this information is “greyed out” and will only be available to click once you have entered a response to the consent question.

Share this article