A Guide to GDPR
The General Data Protection Regulation (GDPR) applied from 25 May 2018. In the UK it replaced the Data Protection Act 1998 (the Data Protection Act 2018 now supplements it).
GDPR is legislation written to protect the personal data and privacy of individuals in the EU in a world that is vastly different from the one in which the Data Protection Act was drafted.
The legislation:
Specifies what is 'personal data'
Regulates what can be done with 'personal data'
Defines the roles and responsibilities of 'controllers' and 'processors'
Answers the question of what is considered 'consent'
The legislation defines personal data as any information relating to an identified or identifiable natural person (Article 4(1)). 'Identifiable' is read broadly: it covers data that can be linked back to an individual by combining it with other information, including information held by another organisation, so online identifiers such as IP addresses and cookie identifiers can be personal data (Recital 30). Personal data may only be processed where one of the lawful bases in Article 6(1) applies. The two most relevant to website tracking are:
Under Article 6(1)(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes, or;
Under Article 6(1)(f): the processing is “Necessary for the purposes of legitimate interests pursued by the controller…”. This basis is not unconditional: the controller must balance those interests against the interests and fundamental rights of the data subject, and it does not apply where those rights override the controller's interests.
Article 5(1)(b) says personal data should be: ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…’
This means you should be clear about what data you intend to collect, and why. This must be properly documented and signposted to your visitors as they enter your website.
From a CANDDi perspective, it is important to note that Campaign and Digital Intelligence Limited is a data processor. No personal data is shared, or synced between client accounts. Any data processed is the property of the Client and remains as such.
GDPR defines the roles of the ’data controller’ and ‘data processor’ as follows:
Controller: ‘means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.'
Processor: ‘means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’
It is the controller's responsibility to ensure that processing is lawful, but a processor must provide sufficient guarantees that it will meet the requirements of the Regulation and protect data subjects' rights (Article 28(1)), and the relationship between the two must be set out in a written contract (Article 28(3)).
Under GDPR, the idea of ‘consent’ has changed from a system of ‘opt-out’ to ‘opt-in’. Consent is defined in Article 4(11) as 'any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'.
Article 7 then sets out further conditions for consent: the controller must be able to demonstrate that consent was given (Article 7(1)); a request for consent must be clearly distinguishable from other matters and written in clear, plain language (Article 7(2)); and the data subject may withdraw consent at any time, and withdrawing it must be as easy as giving it (Article 7(3)).
This means visitors to your website should see a notice asking for consent before any non-essential tracking starts, and they must be able to change or withdraw that consent later on. Most businesses do this through a cookie pop-up. Pre-ticked boxes, silence or simply continuing to browse do not count as consent (Recital 32).
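The following is an added example of the opt-in gate a cookie pop-up should sit in front of; it is not CANDDi's code and is not taken from the original page. It treats the absence of a recorded choice as no consent, starts a tracking category only after an affirmative choice, records what was agreed and when so the controller can demonstrate it, and lets a single category be withdrawn later. The storage key, the category names ('analytics', 'marketing'), the notice version string and the loader callbacks are assumptions for illustration; in a real page the loaders would inject the tracking scripts and the unloaders would expire the cookies they set.

```javascript
// Added example (not CANDDi's code): an opt-in consent gate for non-essential
// cookies, modelled on Article 4(11) and Article 7. CONSENT_KEY, the category
// names and the loader callbacks are assumptions for illustration.

const CONSENT_KEY = 'cookie_consent_v1'; // assumed storage key

// Minimal in-memory stand-in for window.localStorage so the example runs
// outside a browser; in a page you would pass localStorage instead.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class ConsentManager {
  // loaders:   { category: () => void } run only after an affirmative opt-in
  // unloaders: matching callbacks that remove the cookies a category set
  constructor(storage, loaders = {}, unloaders = {}) {
    this.storage = storage;
    this.loaders = loaders;
    this.unloaders = unloaders;
    this.active = new Set(); // categories currently running
  }

  // Returns the stored record, or null when the visitor has never answered.
  // No record means NO consent: silence or inactivity is not "a clear
  // affirmative action" (Article 4(11), Recital 32). A corrupt record is
  // treated the same way rather than as permission.
  getRecord() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  hasConsent(category) {
    const rec = this.getRecord();
    return rec !== null && typeof rec === 'object' && rec.choices != null
      && rec.choices[category] === true;
  }

  // Article 7(1): the controller must be able to demonstrate consent, so keep
  // what was agreed, when, and which notice version was shown, not a boolean.
  record(choices, noticeVersion) {
    const rec = {
      choices: { ...choices },
      noticeVersion,
      timestamp: new Date().toISOString(),
    };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    this.apply();
    return rec;
  }

  // Start every consented category exactly once; stop any that were withdrawn.
  // Returns the sorted list of categories now active.
  apply() {
    for (const category of Object.keys(this.loaders)) {
      const allowed = this.hasConsent(category);
      if (allowed && !this.active.has(category)) {
        this.loaders[category]();
        this.active.add(category);
      } else if (!allowed && this.active.has(category)) {
        if (this.unloaders[category]) this.unloaders[category]();
        this.active.delete(category);
      }
    }
    return [...this.active].sort();
  }

  // Article 7(3): withdrawal must be as easy as giving consent and possible
  // at any time. Withdrawing one category leaves the others as they were.
  withdraw(category) {
    const rec = this.getRecord();
    if (rec === null || rec.choices == null) return this.apply();
    rec.choices[category] = false;
    rec.timestamp = new Date().toISOString();
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    return this.apply();
  }
}

// Demo with constructed callbacks standing in for real tracking scripts.
function demo() {
  const events = [];
  const cm = new ConsentManager(
    new MemoryStorage(),
    { analytics: () => events.push('analytics:start'),
      marketing: () => events.push('marketing:start') },
    { analytics: () => events.push('analytics:stop'),
      marketing: () => events.push('marketing:stop') },
  );
  cm.apply();                                                          // page load, no record yet
  cm.record({ analytics: true, marketing: false }, 'notice-2020-02');  // visitor's choice in the pop-up
  cm.withdraw('analytics');                                            // later, via a cookie settings link
  return events;
}
```

Two design points carry the legal weight: the gate defaults closed (a missing or unreadable record never starts a tracker), and the stored record holds the choices, the notice version and a timestamp rather than a single flag, which is what you need when asked to demonstrate that consent was obtained.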
GDPR Glossary:
Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Personal Data: Any information relating to an identified or identifiable natural person
First Party Cookies: A small amount of text stored on the user's computer, set by the website the user is visiting.
Third Party Cookies: A cookie stored on the user's computer by a website from a domain other than the one the user is visiting.
Bulk Email Marketing: The sending of emails en masse, usually via an email marketing platform
CANDDi Capture: A ‘pop up’ enquiry form, similar to an on-site contact us form
Cookie Policy: The section of a website detailing the types of cookies that are in use.
IP Address: A numerical label assigned to each device connected to a computer network
Additional Sources:
https://www.cookielaw.org/blog/2016/5/13/the-gdpr-cookie-consent-and-customer-centric-privacy/
https://www.econsultancy.com/blog/69303-gdpr-for-marketers-five-examples-of-legitimate-interests
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
EU General Data Protection Regulation (Regulation (EU) 2016/679)
https://www.slaughterandmay.com/media/2535723/processing-of-personal-data-consent-and-legitimate-interests-under-the-gdpr.pdf
*Nb. For the purpose of this FAQ series ‘CANDDi’ will be used in reference to the software and ‘Campaign and Digital Intelligence Limited’ for the Company.
Have more questions? Contact us at hello@canddi.com or 0161 414 1080
Updated on: 04/02/2020