Internet shopping has been on the rise for several years, and during the COVID-19 pandemic its rise was magnified by the temporary closure of physical stores, which drove consumers to embrace online shopping more than ever before.
With so many businesses needing to market their products and services in what was, for a time, a wholly digital marketplace, the need for transparency has never been greater when it comes to being clear to consumers about any charges that might apply further down the line.
Do businesses need to state their delivery fees and/or charges up-front?
When and why do they need to state them?
What if businesses don’t know what the charges will be until the checkout stage, when the contents of the shopper’s cart/basket are known?
What if the charges only affect specific locations, such as the UK mainland, Northern Ireland, the Channel Islands or the Isle of Man, to name but a few examples?
Can you advertise a product as ‘free’ if you’re applying charges or delivery fees?
Your Definitive Guide
To find the answers to these important questions, and to stay within the law in terms of what you can and cannot say when advertising product prices, it’s crucial that businesses are also clear about any charges that might apply.
GDPR comes into force in the UK on 25 May 2018. Are you ready? And more importantly, are you compliant?
UK Data Protection Laws Overhauled
Some would say that updating the data protection laws is long overdue, and they’d be right. Why? Because in an age of a vast array of extensive and advancing digital technologies, our personal data is becoming more accessible (and virtual) than ever before.
The aim of the new regulation is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
Tech Talk: The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. (Source: www.eugdpr.org)
GDPR affects the collection and processing of data online and offline
What’s The Plan?
Essentially, the new regulations seek to give individuals more control over what happens to their personal information. It will:
enable UK citizens to ask for personal data, or information posted when they were children, to be deleted
give people more control over their data, require more consent for its use, and prepare Britain for Brexit
make it simpler for people to withdraw consent for their personal data to be used
require firms to obtain “explicit” consent when they process sensitive personal data. The changes mean it will be harder for businesses and organisations to obtain consent and easier for individuals to withdraw it
expand the definition of personal data to include IP addresses, DNA and small text files known as cookies
let people get hold of the information organisations hold on them much more freely
make re-identifying people from anonymised or pseudonymised data a criminal offence
How Does That Apply In The Real World?
Here are some examples. The third example will quite possibly have the biggest and most significant impact on the processes businesses and organisations currently use, whether consent is obtained via their website (or other online platforms), eNewsletter marketing or a paper form.
you’ll be able to ask any firm that holds your personal data, from your name to your DNA, to delete it
if you worry about embarrassing social media posts lingering online for years, you will soon have the right to ask for them to be removed
consent requires a positive opt-in. Businesses and organisations MUST NOT use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent
Top Tip: Remember to reflect the data protection changes by reviewing and updating your Privacy & Cookie Policies and/or Terms & Conditions accordingly.
Regarding GDPR and web design, the new regulations make the people in charge of website planning or data input responsible too, rather than just the website owner or web hosting company, which therefore covers a much larger array of people.
What Are The Key Changes?
If you’re keen to establish what you need to do in preparation for GDPR, please find below a summary of the key changes. There are also some helpful resources at the end of this article.
The video below is particularly helpful too. Stewart Room, Global Head of Data Protection at PwC Legal, discusses the new General Data Protection Regulation and its impacts for entities and citizens:
GDPR Changes Summary
Jurisdiction – Increased Territorial Scope:
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
The conditions for consent have been strengthened, and companies will no longer be able to use long and complicated terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Breach Notification: it will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach
Right To Access: the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose
Right To Be Forgotten: Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data
Data Portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine readable format’ and the right to transmit that data to another controller
Privacy By Design: the inclusion of data protection from the outset of system design, rather than as an addition, and a requirement for data controllers to hold and process only the data that’s absolutely necessary for the completion of their duties
Data Protection Officers (DPO): internal record keeping requirements and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences
The Price To Pay For Non-Compliance?
Ensure that you’re compliant with GDPR
In the UK firms that suffer a serious data breach could be fined up to £17m or 4% of global turnover (ouch!).
The current maximum fine firms can suffer for breaking data protection laws is £500,000.
The UK’s Information Commissioner will have its powers strengthened and extended to help it police the new regime.
Compliance should involve a holistic review of risk — looking at the classic trio of people, processes and technology. It will also need to be an ongoing effort and not just a one-off review.
The new GDPR and the Digital Single Market Directive essentially mandate that security is built-in, not bolted-on as an afterthought, and that data is protected by design and by default.
In a nutshell, security is not just about complying with the rules, it’s about protecting your customers, protecting your reputation, and protecting your future.
Practical Steps For Website GDPR Compliance
As far as your website is concerned, the following should be addressed/implemented to comply with GDPR:
Ensure your website’s software is GDPR compliant (WordPress, your website’s theme and all plugins). It’s your responsibility to ensure that every plugin can export/provide/delete the user data it collects.
Limit the data you collect and store via form submissions, and obtain the user’s consent to store their data (e.g. via your enquiry form and booking form)
Ensure your mailing list is tidied up and your eMarketing software is GDPR compliant
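The following Python sketch is an added example, not code from this article or from WordPress or any of the products mentioned. It models, in one place, the points made above: an affirmative opt-in check that refuses a form submission unless the consent box for that purpose was actually ticked, a template check for pre-ticked consent boxes, a store that persists only whitelisted fields (data minimisation), withdrawal as a single call so it is as easy as giving consent, a JSON export for access and portability, erasure, and the 72-hour breach notification deadline. The in-memory store, the field names (consent_<purpose>, email, name) and the sample submissions are all constructed for illustration.

```python
"""Consent, access, erasure and breach-deadline helpers (added example)."""
import json
import re
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta
from typing import Optional

# Fields the enquiry form is allowed to persist (data minimisation); anything
# else that is posted is dropped rather than stored. Field names are constructed.
ALLOWED_FIELDS = ("email", "name")
NOTIFICATION_WINDOW = timedelta(hours=72)   # breach notification deadline


class ConsentError(ValueError):
    """The submission did not carry an explicit, affirmative opt-in."""


@dataclass
class ConsentRecord:
    purpose: str
    given_at: str                      # ISO-8601 timestamp (constructed)
    source: str                        # where captured, e.g. "enquiry-form"
    withdrawn_at: Optional[str] = None


@dataclass
class Subject:
    email: str
    name: str
    consents: list = field(default_factory=list)


def _now_iso() -> str:
    return datetime.utcnow().replace(microsecond=0).isoformat() + "+00:00"


_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)


def preticked_consent_boxes(html: str) -> list:
    """Names of consent checkboxes rendered with a 'checked' attribute.

    Assumes double-quoted attributes and consent box names starting with
    'consent'. The server cannot tell a pre-ticked box from a ticked one in the
    POST data, so this check belongs on the template, before it is served.
    """
    found = []
    for tag in _INPUT_TAG.findall(html):
        attrs = tag.lower()
        if 'type="checkbox"' not in attrs:
            continue
        name = re.search(r'name="(consent[^"]*)"', attrs)
        if name and re.search(r"\schecked(\s|=|>|/)", attrs):
            found.append(name.group(1))
    return found


def parse_consent(form: dict, purpose: str, source: str) -> ConsentRecord:
    """Accept consent only when the opt-in box for this purpose was ticked.

    A browser sends nothing at all for an unticked checkbox, so a missing key,
    an empty string or any value other than "yes" means no consent.
    """
    if form.get("consent_" + purpose) != "yes":
        raise ConsentError("no explicit opt-in for purpose '%s'" % purpose)
    return ConsentRecord(purpose=purpose, given_at=_now_iso(), source=source)


class SubjectStore:
    """In-memory stand-in for the site's database (constructed for the example)."""

    def __init__(self):
        self._subjects = {}

    def register(self, form: dict, purpose: str, source: str) -> Subject:
        consent = parse_consent(form, purpose, source)          # fails closed
        kept = {k: form.get(k, "") for k in ALLOWED_FIELDS}     # drop extras
        subject = self._subjects.setdefault(
            kept["email"], Subject(email=kept["email"], name=kept["name"]))
        subject.consents.append(consent)
        return subject

    def has_consent(self, email: str, purpose: str) -> bool:
        subject = self._subjects.get(email)
        if subject is None:
            return False
        return any(c.purpose == purpose and c.withdrawn_at is None
                   for c in subject.consents)

    def withdraw(self, email: str, purpose: str) -> bool:
        """Withdrawal is one call, as easy as giving consent."""
        subject = self._subjects.get(email)
        if subject is None:
            return False
        changed = False
        for c in subject.consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = _now_iso()
                changed = True
        return changed

    def export(self, email: str) -> str:
        """Right of access / portability: everything held, as JSON."""
        return json.dumps(asdict(self._subjects[email]), indent=2, sort_keys=True)

    def erase(self, email: str) -> bool:
        """Right to be forgotten: remove the record entirely."""
        return self._subjects.pop(email, None) is not None


def notification_deadline(became_aware_iso: str) -> str:
    """Latest moment to notify the authority: 72 hours after becoming aware."""
    return (datetime.fromisoformat(became_aware_iso) + NOTIFICATION_WINDOW).isoformat()


def hours_until_deadline(became_aware_iso: str, now_iso: str) -> float:
    """Negative once the 72-hour window has been missed."""
    deadline = datetime.fromisoformat(notification_deadline(became_aware_iso))
    return (deadline - datetime.fromisoformat(now_iso)).total_seconds() / 3600.0


if __name__ == "__main__":
    store = SubjectStore()
    # Constructed submission: the phone field is not whitelisted and is dropped.
    store.register({"email": "ann@example.com", "name": "Ann", "phone": "01234",
                    "consent_marketing": "yes"}, "marketing", "enquiry-form")
    print(store.export("ann@example.com"))
    store.withdraw("ann@example.com", "marketing")
    print("still consented:", store.has_consent("ann@example.com", "marketing"))
    print(preticked_consent_boxes('<input type="checkbox" name="consent_marketing" checked>'))
    print(hours_until_deadline("2018-05-25T09:00:00+00:00", "2018-05-26T09:00:00+00:00"))
```

The template check is the part most often overlooked: a pre-ticked box and a deliberately ticked one look identical in the POST data, so server-side validation alone cannot prove the consent was affirmative; the rendered form itself has to be checked.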
Want To Find Out More about GDPR?
For further information, I’ve found the following websites particularly informative: