For most organisations, websites and apps are crucial for capturing the personal data they need to improve marketing and customer experience or simply operate more efficiently.
They typically collect this data by asking people to subscribe to a newsletter, fill in a form to download content, make an online payment, enter a competition, book an appointment and so on.
However, there is a big issue looming on the horizon, because under the new General Data Protection Regulation the way this data needs to be handled is going to change significantly. This is because every time you ask an individual to enter their name, address, email, telephone number or any number of other personal details, the GDPR states you need to do much more than was required previously to ensure that individuals have provided explicit consent for you to use that data the way you want. You’re also going to need to provide sufficient assurances that you’re doing everything you can to ensure the security of the data.
At Eduserv, we’ve been putting a lot of thought into this issue and what it means for digital teams. Specifically, we’ve looked at how our customers can run websites and apps compliantly while also maintaining a good user experience. Based on this initial work, here are our top five tips for getting started and making sure you are both GDPR-compliant and user-friendly by May 2018.
Review how you ask for consent on your website or app and question whether it’s clear enough
All this means that one of your first actions should be to assess how you intend to communicate your new GDPR-compliant personal data collection processes. You should also look at whether you’re going to need additional help for the task, from a copywriter or lawyer, for example. You could also consider whether it might be worth being a bit more creative to deliver a friendly feel-good factor for users. How this can be done is well illustrated by this video from the Guardian.
Plan to end use of pre-ticked boxes
For a long time now, many organisations have pre-ticked the consent boxes on their websites and apps. They have also relied on the notion of ‘implied consent’, whereby simply using a service, particularly a digital one, can be taken as an indication of agreement or consent. Under GDPR, this practice will need to end. The regulation states specifically that ‘silence, pre-ticked boxes or inactivity should not constitute consent’.
This means the people using your digital service must take an action, and that action will have to be a clear indication of consent. At a later date you may also need to provide evidence that you gained consent in the correct way. Double opt-in email confirmation, for example, would be ideal.
Empower users to access their own data easily
One of the other key changes that GDPR will bring about is the new emphasis it places on users’ right to access their own personal data. In simple terms this means people can make Subject Access requests at any time to check the data you hold and what you do with it.
The danger here is that this process could become very laborious for both the users making the requests and the organisations that need to respond to them.
Digital specialists have an opportunity to make a difference by following one of the GDPR’s key best practice recommendations, which states that organisations should try to provide a secure online self-service system that provides the individual with direct access to his or her information.
This kind of ‘manage your privacy settings’ system is only a recommendation and not compulsory, but it could be well worth exploring if your organisation is committed to digital transformation. In effect it could be a new digital service that organisations can develop to streamline a potentially time-consuming processes. It will also provide a better user experience. Getting there will require investment and technical development, but the incentive is that over time this kind of service could become a differentiator that’s a clear demonstration of your organisation’s overall commitment to transparency and customer service.
Consider what’s happening at the back end of websites and apps
Another key consideration for digital under GDPR is that sometimes you will have cases where you are requesting personal data from customers or users that only has a short-term use. For example, you may request a mobile number or email address simply to confirm an appointment.
In these cases, where the user does not give consent for any further use or processing of the data, you need to be sure that you’re not storing this personal data in your databases. It may seem obvious, but this means checking the back end of your website to make sure that nothing is happening or being stored to compromise compliance that you weren’t previously aware of.
Also, if you need the user’s email to provide the service or send an email confirmation, you will need a process to let the user know that you will only use the email once and you will not keep it along with other data on record.
Be prepared for ‘the right to be forgotten’
Perhaps one of the best publicised aspects of GDPR is that it will give users the right to request the removal of personal data where there is no compelling reason for its continued processing.
This is another potential minefield for organisations in terms of the processes it could entail. But there are solutions. For example, if you build the ‘manage your own privacy settings’ service described above, then the process becomes automated and a lot easier for all parties. Users could simply revoke their consent using the same system.
As with all the points we have made, the key is to ensure that no stone (or app!) is left unturned in the drive to make sure that all your digital data entry points are compliant. Perhaps just as importantly, it’s crucial that you consider the user experience at every stage. By doing so, you can not only build and maintain services that meet the requirements of GDPR, but also ones that will make your users feel welcome and protected.
Vee Rogacheva, user experience specialist, Eduserv