Political parties are not the only bodies overstepping GDPR boundaries – organisations the length and breadth of the country would fail to meet the required ePrivacy standards if put to the test. Such is the contention of experts at Baycloud, data protection specialists, who say reports on the misuse of electoral data are just the tip of the iceberg in terms of non-compliance across all industries. The experts say they believe a significant percentage of non-compliance cases are the result of a genuine lack of knowledge around GDPR and ePrivacy, and a dearth of know-how as to how to put the correct structures in place to ensure a business complies with what is required of it by the Data Protection Commissioner and European regulators.
Baycloud’s Founder Mike O’Neill spoke of the importance of ensuring businesses are supported in data protection, which will ultimately ensure better protections for public privacy,
“It makes sense for companies to use their public facing websites to build trust, and this means not only being transparent about personal data, but also ensuring their website visitors have full control and a clear choice. Our mission is to make this as easy and automated as possible for companies to become fully compliant with privacy laws”.
Baycloud say the issues raised by the Data Protection Commissioner Helen Dixon recently in relation to the capture of data by political parties through social media is only one signal of the more widespread non-compliant practices of businesses and organisations when it comes to the collection of personal data.
Gail Chalmin of Chalmin Data Protection and consultant to Baycloud said,
“As the DPC publishes its draft Regulator Strategy and as Schrems enforcement moves across the EU, we can expect a robust follow through on the assertions they made and a clamp down on any organisation that does not meet the compliance standards that have been put in place.”
Baycloud warn that Irish organisations are leaving themselves hugely exposed to fines and penalties from Data Protection regulators both here and at a European level.
Mike O’Neill explained,
“It is incumbent on those who interact with clients, customers and/or the general public to arm themselves with the power to understand their data networks and therefore enable their customers to freely give informed and specific consent”.
Baycloud is challenging the public to use its free tool to check the websites they access most often and take note of the levels of non-compliance. The check will also give an insight into the use of tracking analytics that can identify individual users, as well as the countries in which sites process their personal information.
Liam Coyle, head of iSeek.ie and consultant to Baycloud said, “I think people would be shocked to learn how many organisations do not meet the standards required of them. Anecdotal evidence has suggested to us that the complexity of GDPR requirements and a misunderstanding of obligations around cookies and ePrivacy etc., is hampering businesses from maintaining the necessary standards – rather than an outright disregard of regulation. But the reality is that, in most cases, legislation surrounding cookies is much less complex than it seems, which is why Baycloud’s services are designed so that organisations can automate their compliance solutions across multiple domains, enabling companies to maintain their focus and attention on their core business activities – without having to worry about GDPR.”
The Baycloud cookie consent management platform was the first to market in 2010 and since then has helped organisations ranging in scale from SMEs to blue chip global consumer goods companies to ensure they are GDPR compliant.
Baycloud have published a ten-step checklist that they advise all businesses with an online presence to consider:
- Use the new online resource to first help you determine the data protection/ePrivacy status of your website.
- Prepare evidence of and know your own data processing, including your website cookies, and the requests transmitted to or from third parties.
- Remember that consent from the end users must be obtained before placing or using non-exempted cookies on the end users’ terminal equipment.
- Ensure that this consent meets the requirements of the GDPR.
- Note that pre-checked boxes do not satisfy consent requirements under directive 95, e-Privacy, and GDPR.
- Be sure to inform users of the duration of the cookie, what it is being used for and whether third parties will have access to the data.
- It is also worth noting that the applicability of Article 5(3) of the e-Privacy directive is wider than just cookies. In fact, it applies to any ‘storing of information or the gaining of access to information already stored, in the terminal equipment of an end user’ unless this is ‘strictly necessary’ in order for the provider of an ‘information society service’ explicitly requested by the end user to provide that service.
- Engage with the experts to simplify your website compliance programme.
- Do not forget about Transparency Notices for compliance with Articles 12, 13 and 14 of the GDPR, with a view to enforcing data protection compliance across your website.
- Have a carefully drafted Privacy Notice which will build trust for your business partners and customers alike.
Five of the most common mistakes on business websites when it comes to cookies:
- Deploying a generic cookie notice with only an “accept all” button for cookies, and no ability to continue to use the site when the user has not agreed.
- Connecting third-party services to their websites, such as Facebook or Instagram feeds, whilst not taking into account their impact on data protection and cookies.
- Prioritising systems like Google Analytics ahead of their visitors’ data protection rights and their website’s compliance with data protection legislation.
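The checklist items on consent (obtain it before setting non-exempted cookies, no pre-ticked boxes, disclose duration, purpose and third-party access) and the mistakes listed above (an “accept all”-only notice, third-party feeds and analytics loaded unconditionally) describe concrete website behaviour. The following is an added illustration of a consent gate that satisfies those points; it is example code written for this article, not Baycloud’s platform or any product’s API. The cookie registry, categories, cookie names and script URLs are constructed sample values, and the gate is kept DOM-free so it runs unchanged under Node.

```javascript
// Consent-gated cookie registry (added example, not the article's or Baycloud's code).
// Every cookie the site sets is declared up front with its category, purpose,
// lifetime and third-party access, so the notice can disclose those facts and
// the loader can refuse to set anything optional until the user has decided.

// Constructed sample declarations for illustration only.
const COOKIE_REGISTRY = [
  { name: 'session_id', category: 'essential', purpose: 'Keeps you logged in during your visit',
    maxAgeDays: 0, thirdPartyAccess: false },
  { name: 'consent_prefs', category: 'essential', purpose: 'Remembers your cookie choices',
    maxAgeDays: 180, thirdPartyAccess: false },
  { name: '_ga', category: 'analytics', purpose: 'Distinguishes visitors for site analytics',
    maxAgeDays: 730, thirdPartyAccess: true, provider: 'Google Analytics' },
  { name: '_fbp', category: 'marketing', purpose: 'Ad attribution for the social feed widget',
    maxAgeDays: 90, thirdPartyAccess: true, provider: 'Facebook' },
];

const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

// Initial state: no decision yet and every optional category is OFF.
// This is the "no pre-checked boxes" rule expressed as a default.
function initialConsent() {
  const state = { decided: false, categories: {} };
  for (const c of OPTIONAL_CATEGORIES) state.categories[c] = false;
  return state;
}

// Apply a user decision. Only a strict boolean true opts a category in, so a
// missing key, a truthy string or an unknown category can never silently grant consent.
function recordDecision(state, choices) {
  const next = { decided: true, categories: {} };
  for (const c of OPTIONAL_CATEGORIES) next.categories[c] = choices[c] === true;
  return next;
}

// "Reject" is a first-class choice: the user decides and the site stays usable.
function rejectAll(state) {
  return recordDecision(state, {});
}

function acceptAll(state) {
  const all = {};
  for (const c of OPTIONAL_CATEGORIES) all[c] = true;
  return recordDecision(state, all);
}

// The gate: which cookies may be set right now. Before any decision, and after
// "reject", only essential (exempted) cookies pass.
function permittedCookies(state) {
  return COOKIE_REGISTRY.filter(
    (ck) => ck.category === 'essential' || state.categories[ck.category] === true,
  );
}

// Disclosure lines for the notice: duration, purpose and third-party access per cookie.
function disclosureText() {
  return COOKIE_REGISTRY.map((ck) => {
    const duration = ck.maxAgeDays === 0
      ? 'deleted when you close the browser'
      : `kept for ${ck.maxAgeDays} days`;
    const access = ck.thirdPartyAccess
      ? `shared with ${ck.provider}`
      : 'not shared with third parties';
    return `${ck.name} (${ck.category}): ${ck.purpose}; ${duration}; ${access}.`;
  });
}

// Third-party script loader that consults the gate instead of loading unconditionally.
// The URLs are constructed placeholders; a real page would append <script> tags for them.
function scriptsToLoad(state) {
  const allowed = new Set(permittedCookies(state).map((ck) => ck.category));
  const candidates = [
    { src: 'https://analytics.example/collect.js', category: 'analytics' },
    { src: 'https://social.example/feed.js', category: 'marketing' },
  ];
  return candidates.filter((s) => allowed.has(s.category)).map((s) => s.src);
}

// Stand-alone walkthrough of the three states a visitor can be in.
let state = initialConsent();
console.log('before decision:', permittedCookies(state).map((c) => c.name), scriptsToLoad(state));
console.log('analytics only: ', permittedCookies(recordDecision(state, { analytics: true })).map((c) => c.name));
console.log('rejected:       ', permittedCookies(rejectAll(state)).map((c) => c.name));
console.log(disclosureText().join('\n'));
```

The design point is that the default state and the “reject” state are indistinguishable to the loader: both permit only the essential cookies, so neither a visitor who has not yet answered nor one who declined ever has an analytics or marketing script run. The strict `=== true` check in `recordDecision` is what stops a pre-ticked form, a truthy string from a query parameter, or an omitted field from counting as consent.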