
Five ways to make sure your digital services comply with GDPR


For most organisations, websites and apps are crucial for capturing the personal data they need to improve marketing and customer experience or simply operate more efficiently.


Vee Rogacheva, user experience specialist, Eduserv

They typically collect this data by asking people to subscribe to a newsletter, fill in a form to download content, make an online payment, enter a competition, book an appointment and so on.

However, there is a big issue looming on the horizon: under the new General Data Protection Regulation, the way this data needs to be handled is going to change significantly. Every time you ask an individual to enter their name, address, email, telephone number or any other personal detail, the GDPR requires you to do much more than was required previously to ensure that the individual has given explicit consent for you to use that data in the way you intend. You’re also going to need to provide sufficient assurances that you’re doing everything you can to keep that data secure.

At Eduserv, we’ve been putting a lot of thought into this issue and what it means for digital teams. Specifically, we’ve looked at how our customers can run websites and apps compliantly while also maintaining a good user experience. Based on this initial work, here are our top five tips for getting started and making sure you are both GDPR-compliant and user-friendly by May 2018.

Under GDPR, simply saying ‘click here to read our privacy policy’ is no longer going to be good enough. GDPR sets out a specific requirement to use plain English that explains why you are collecting personal data at the point you are collecting it. You also need to provide a comprehensive explanation of ways that you intend to use it. In addition, if you intend to make any data available to third party providers, such as Google Analytics or telemarketing companies, you need to get explicit consent for that and explain it.

All this means that one of your first actions should be to assess how you intend to communicate your new GDPR-compliant personal data collection processes. You should also look at whether you’re going to need additional help for the task, from a copywriter or lawyer, for example. You could also consider whether it might be worth being a bit more creative to deliver a friendly feel-good factor for users. How this can be done is well illustrated by this video from the Guardian.

Plan to end use of pre-ticked boxes

For a long time now, many organisations have pre-ticked the consent boxes on their websites and apps. They have also relied on the notion of ‘implied consent’, whereby simply using a service, particularly a digital one, can be taken as an indication of agreement or consent. Under GDPR, this practice will need to end. The regulation states specifically that ‘silence, pre-ticked boxes or inactivity should not constitute consent’.

This means the people using your digital service must take an action, and that action will have to be a clear indication of consent. At a later date you may also need to provide evidence that you gained consent in the correct way. Double opt-in email confirmation, for example, would be ideal.
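The consent flow described above, as an added example that is not part of the original article: a form is accepted only if the user actively ticked a consent box, the request is recorded with the purposes and the version of the privacy wording the person saw, and consent only counts once the double opt-in link emailed to them is visited. The record type, the in-memory stores and the sample form are constructed for illustration.

```python
"""Added example (not the article's own code): explicit, evidenced consent
with a double opt-in confirmation step. Stores and names are constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ConsentRecord:
    email: str
    purposes: Tuple[str, ...]          # only the purposes the person ticked
    notice_version: str                # which privacy wording they were shown
    requested_at: float
    confirmed_at: Optional[float] = None
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


PENDING: Dict[str, ConsentRecord] = {}     # awaiting the emailed confirmation
CONFIRMED: Dict[str, ConsentRecord] = {}   # evidence of consent, keyed by email


def request_consent(form: Dict, notice_version: str) -> ConsentRecord:
    """Accept a submitted form. A box counts only if its value is literally
    True; absent, False or default values are treated as no consent, so a
    pre-ticked or silently submitted form cannot grant anything."""
    granted = tuple(p[len("consent_"):] for p, v in form.items()
                    if p.startswith("consent_") and v is True)
    if not granted:
        raise ValueError("no explicit consent given")
    rec = ConsentRecord(email=form["email"], purposes=granted,
                        notice_version=notice_version, requested_at=time.time())
    PENDING[rec.token] = rec
    return rec   # the caller emails rec.token to the address as a confirmation link


def confirm_consent(token: str) -> Optional[ConsentRecord]:
    """Double opt-in: only a visit to the emailed link turns a pending request
    into evidenced consent. Tokens are compared in constant time."""
    for t, rec in list(PENDING.items()):
        if hmac.compare_digest(t.encode(), token.encode()):
            del PENDING[t]
            rec.confirmed_at = time.time()
            CONFIRMED[rec.email] = rec
            return rec
    return None


def has_consent(email: str, purpose: str) -> bool:
    """Check before any use of the data: confirmed record and matching purpose."""
    rec = CONFIRMED.get(email)
    return rec is not None and purpose in rec.purposes
```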

Empower users to access their own data easily

One of the other key changes that GDPR will bring about is the new emphasis it places on users’ right to access their own personal data. In simple terms this means people can make Subject Access requests at any time to check the data you hold and what you do with it.

The danger here is that this process could become very laborious for both the users making the requests and the organisations that need to respond to them.

Digital specialists have an opportunity to make a difference by following one of the GDPR’s key best practice recommendations, which states that organisations should try to provide a secure online self-service system that provides the individual with direct access to his or her information.

This kind of ‘manage your privacy settings’ system is only a recommendation and not compulsory, but it could be well worth exploring if your organisation is committed to digital transformation. In effect it could be a new digital service that organisations can develop to streamline a potentially time-consuming process. It will also provide a better user experience. Getting there will require investment and technical development, but the incentive is that over time this kind of service could become a differentiator that’s a clear demonstration of your organisation’s overall commitment to transparency and customer service.

Consider what’s happening at the back end of websites and apps

Another key consideration for digital under GDPR is that sometimes you will have cases where you are requesting personal data from customers or users that only has a short-term use. For example, you may request a mobile number or email address simply to confirm an appointment.

In these cases, where the user does not give consent for any further use or processing of the data, you need to be sure that you’re not storing this personal data in your databases. It may seem obvious, but this means checking the back end of your website to make sure that nothing is happening or being stored to compromise compliance that you weren’t previously aware of.

Also, if you need the user’s email to provide the service or send an email confirmation, you will need a process to let the user know that you will only use the email once and you will not keep it along with other data on record.
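The single-use contact detail and the back-end check from the two paragraphs above, as an added example that is not from the original article: the email is used once to send the appointment confirmation and is dropped before the booking is written, and a separate audit walks the store looking for personal-data fields held without a consented purpose. The store, field names and sample bookings are constructed.

```python
"""Added example (not the article's own code): single-use contact data and a
back-end audit of what is actually stored. Store and names are constructed."""
from typing import Callable, Dict, List, Set

PERSONAL_FIELDS = {"email", "mobile"}   # fields treated as personal data here
STORE: List[Dict] = []                  # stands in for the application database


def book_appointment(form: Dict, send_confirmation: Callable[[str, str], None]) -> Dict:
    """Use the email exactly once, to send the confirmation, then persist the
    booking without any personal-data field."""
    send_confirmation(form["email"], f"Appointment {form['slot']} confirmed")
    persisted = {k: v for k, v in form.items() if k not in PERSONAL_FIELDS}
    persisted["contact_retained"] = False   # evidence for later subject access requests
    STORE.append(persisted)
    return persisted


def audit_store(store: List[Dict], consented: Dict[str, Set[str]]) -> List[str]:
    """Return one message per stored personal-data field whose record has no
    consented purpose for it; intended as a periodic back-end check."""
    problems = []
    for rec in store:
        ref = rec.get("reference", "?")
        for f in sorted(PERSONAL_FIELDS & rec.keys()):
            if f not in consented.get(ref, set()):
                problems.append(f"{ref}: {f} stored without a consented purpose")
    return problems
```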

Be prepared for ‘the right to be forgotten’

Perhaps one of the best publicised aspects of GDPR is that it will give users the right to request the removal of personal data where there is no compelling reason for its continued processing.

This is another potential minefield for organisations in terms of the processes it could entail. But there are solutions. For example, if you build the ‘manage your own privacy settings’ service described above, then the process becomes automated and a lot easier for all parties. Users could simply revoke their consent using the same system.

If you don’t have such functionality in place, you will still need to have a process in place to ensure the same result. For example, you will need to plan to include ‘find out what information we hold on you’ and ‘remove all information about me’ calls to action on your privacy policy page.

As with all the points we have made, the key is to ensure that no stone (or app!) is left unturned in the drive to make sure that all your digital data entry points are compliant. Perhaps just as importantly, it’s crucial that you consider the user experience at every stage. By doing so, you can not only build and maintain services that meet the requirements of GDPR, but also ones that will make your users feel welcome and protected.
