Cookies Compliance: Best Practices
Find out the best cookie compliance strategies to make sure you are compliant with cookies regulations from EU ePrivacy act, GDPR, CCPA and more
The GDPR has given individuals back decision-making power over their data. Organisations are now obliged to fulfill certain rights of the data subject. These rights are:
Below is a short guide to these rights, along with how you can use the Dataships tool not only to fulfill them but to automate the process, saving your organisation valuable time, helping you avoid fines and, most importantly, building healthy data relationships with your users.
Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’. You should provide your users with the following information:
You should provide the privacy information in a concise, transparent, intelligible and easily accessible manner, using clear and plain language.
You should regularly review and, where necessary, update your privacy information. If you plan to use personal data for a new purpose, you must update your privacy information and communicate the changes to individuals before starting the new processing.
When providing your privacy information to individuals, you should use a combination of appropriate techniques, such as a layered approach, dashboards, just-in-time notices, icons, and mobile and smart device functionality.
The Dataships Privacy Centre allows you to house all your compliance materials in one place. This includes detailed information for the user, from the outset, on your company's privacy practices. Having a dedicated resource for privacy immediately communicates to the user that privacy is a priority for your company and lays a great foundation for building a healthy dataship with the individual.
A subject access request (SAR, Article 15) can be made verbally or in writing, including on social media, as long as it is clear that the individual is asking for their own personal data. In most circumstances you cannot charge the individual for responding to their request.
An individual may make the request through a third party or through an online portal as long as you are satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.
If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
If an individual asks, you can provide a verbal response to their SAR, provided that you have confirmed their identity by other means. Keep a record of the date they made the request, the date you responded, who provided the information and what information was provided.
Dataships allows you to integrate all the tools you are currently using in your business. Using our bespoke APIs, users can then view where you hold personal data on them and fulfill their data subject rights. You are giving the user access to their information and encouraging them to manage their data relationship with you. This transparency is a great way to build trust with your users.
Under Article 16 of the UK GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed. You may not charge a fee and you have one month to respond to the request.
The right to rectification can be leveraged to your company’s advantage. By bringing together all the data you hold on your users in one place and offering them an easy-to-use tool to rectify it, you are encouraging them to keep their data up to date. Using the Data Access Gateway makes this process simple for the user: any data they change is updated in the relevant data source, so when you next reach out to them with an email, call or campaign, the corrected data is already reflected. It also ensures that any internal analysis you conduct uses the most up-to-date information.
Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.
Individuals have the right to have their personal data erased if:
There are two main scenarios where you must tell other organisations about the erasure request. Where:
You must also endeavor to delete personal data from backup systems. If backup data cannot be immediately overwritten, you must put it ‘beyond use’ and ensure it is not used for any purpose; record what is held, where, and when it will be overwritten by the normal backup cycle.
At Dataships, we encourage companies to integrate all the tools they are using into our tool. These can be third-party tools such as Salesforce, HubSpot or Zendesk, or your own SQL, Firebase or other databases. This gives companies a clean, structured data environment and makes responding to requests easy. We also encourage companies to make all the personal data they hold on users available to them. This has a host of benefits, including automating erasure requests: when a user requests deletion, their data is automatically deleted from every integrated data source in which it is found within your organisation.
This means you don’t have to spend hours or days searching for the data and can be confident that the erasure request has been fulfilled. You can build in rules, so you stay in charge of what data is deleted and in what timeframe. But remember: unless you need the data to fulfill a legal obligation, why would you want to keep it? You are striving towards healthy data relationships with your users, and you want to hold data only on those users who want you to have it.
Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
There are a number of different methods you can employ to restrict the processing, such as:
It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).
The right to data portability (Article 20) gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller, where technically feasible.
As a controller you must supply any personal data that the data subject has provided to you. This may include:
It does not include additional data that you have created based on the data an individual has provided to you. Note, however, that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it if the individual makes a subject access request.
This right only applies to personal data. Data that you have genuinely anonymised, so that the individual can no longer be identified, is out of scope. Pseudonymised data is not: it remains personal data under the GDPR as long as the individual can be re-identified using the additional information you hold, so it must still be included.
To fulfill this request properly you must:
At Dataships, we encourage companies to integrate all the tools they are using into our tool. Through the Dataships Data Access Gateway, users can then view and manage the personal data that you hold on them. This includes our ‘data portability’ tool, which lets your users download all the data you hold on them across all your tools in CSV format. This fulfills your obligation to them and lets your users self-serve this request, giving you peace of mind and allowing you to focus on your business.
Article 21 of the UK GDPR gives individuals the right to object to the processing of their personal data. For direct marketing the right is absolute and applies at any time; in other cases you must stop unless you can demonstrate compelling legitimate grounds that override the individual's interests. Some examples of where an individual may object to processing include:
You must inform the individual of the right to object at the latest at the point of first communication with them, and present it clearly and separately from other information.