In this article, we will explain the impact on collecting personal data on your website, and an event registration platform.
You need to give when you collect under the GDPR
There is a shift away from having all the details in a disconnected Privacy Policy or Privacy Notice to giving details at the time of collection. An example of where changes will be needed are places on a website or event registration page, used to collect First Name, Last Name and Email.
Article 13 of the regulation tells us the information to give. The following is a summary of what is required:
- Details about the data controller
- Contact details about the controller’s Data Protection Officer (if one exists). This could be a generic email address such as dataprotection@company.com as the person in the role could change over time
- What processing is done and the legal basis for doing it (consent, legitimate interest, contractual requirement etc.)
- Who data will be passed on to, if that is applicable. It is no longer valid to say something like ‘our carefully selected partners’, it must be more specific
- How data is protected if it is passed or stored outside the EU. If you plan to use the data in services such as MailChimp or a CRM you need to check where they store data. If it is outside of the EU, their privacy policy should say if it is covered by an agreement such as Privacy Shield
- How long data is retained
- How to exercise the right to have data erased, to withdraw consent, to lodge a complaint with a supervisory authority etc. This will probably be a generic email address such as dataprotection@company.com. There could also be a ‘self service’ area on a website for individuals to maintain the personal data they have provided
The details need to be given using ‘clear and plain language’, especially if the details are collected from a child. The Information Commissioners Office (ICO) code of practice (view here) on communicating privacy information to individuals provides details about how this could be done. Something to discuss with your website developer or event technology provider.
If you obtained the data indirectly, e.g. from a mailing list, you need to contact the individual with details about the source of the data and the categories of personal data you have ‘within a reasonable period after obtaining the personal data, but at the latest within one month’ (Article 14). If you are relying on consent as the legal basis for processing the data, you need to ensure that the source of the data provided evidence that they obtained the necessary consent before you contact the individuals. The issue of consent is for another blog after the ICO have issued the final version of their consent guidelines.
Is this level of transparency unreasonable? I would argue that it isn’t. If you cannot say why you are collecting data and what you will be doing with it when you collect it, you should not have it in the first place.
For more information on how GDPR affects marketers and event organisers, read our article here. Or take a look at our GDPR checklist.
This post was brought to you by Ian Grey, an Information and Cyber Security consultant. Ian will be part of our panel discussion, on Thursday 25th May.
