Everything I do in CANDDi is customer facing, from my sales role to customer research. In every single role, I come across GDPR questions from prospects and current clients alike. I'm anticipating that more people are going to be asking about this topic more often the closer we get to 25th May 2018. Hence, I've put together this blog that answers questions that are asked the most to put your mind at ease.
Questions I hear the most are: What should we do to be compliant with GDPR? What will you do to be compliant with GDPR? Am I going to be in trouble for using your service after May? What securities can you provide me with that your service will be legal under GDPR?
In this blog, I am going to cover the basics to provide you with an answer to all of these concerns with the aim that by the end of reading this blog post, you will have a better understanding of GDPR and what CANDDi is doing to carry on delivering its service.
Whilst this blog with refer to and use legal terms that are commonly found in similar posts on the internet, I will aim to write this in layman terms so that it is easily digestible and clear for anyone reading this post. Firstly, we need to start with clearly defining two main roles mentioned frequently with relation to GDPR - the data controller and the data processor.
Data controller - “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Data Processor - “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
What does that mean in relation to GDPR?
Data controller is the owner of the data and decides what happens with it. Data processor acts on instructions of data controller. However, if data controller requests an illegal action to be executed with the data they own and data processor executes that action, both sides are liable and neither is excused.
How does this work with CANDDi?
CANDDi is positioning itself as a data processor. As such we will be processing data for data controllers. On CANDDi, no personal data is shared, or synced between client accounts. Any data processed is the property of the client and remains as such.
How will CANDDi process this data without breaching GDPR?
Aside from positioning ourselves as the data processor, CANDDi will continue using its cookies in compliance with GDPR. Currently, CANDDi uses two first-party cookies to be able to associate website activity with a device to link sessions and visits. Cookies are mentioned in GDPR only once - data collected with cookies is to be treated as personal data. This is where consent comes into play.
How do you get consent under GDPR?
In Article 6(1)(a), recital 23:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
In other words, the opt-in is not much dissimilar to the current position under EU Cookie Law, however, a clear option to withdraw one’s consent has to be present under GDPR. Meaning, if someone has opted into your database, they have to have a clear option to also remove themselves from the database immediately or at later date.
What is the best way to get consent?
In this way, CANDDi’s functionality will not be rendered illegal as of May 2018. It will not affect the service it provides. We are continuously making sure that we have practices in place to ensure that we are fully compliant with GDPR.
If you still have questions about GDPR and the effects it could have on CANDDi or your business as a result of using our service, do get in touch with us either via Twitter, email (firstname.lastname@example.org) or give us a call on 0161 414 1080. Your comfort with GDPR and CANDDi services is important to us.
Written with our in-house data specialist Edward Westbrook. Read his artcile from earlier March 2017 on this link.