Ah, GDPR. My least favourite four-letter word.
As you'd expect, this has been a big part of our internal chats between our team, our lawyers and the online community in general.
First things first…
This is not legal advice. You will almost definitely need to consult a lawyer to determine what you need to do to be GDPR compliant, and to determine if the GDPR even applies to you.
What is the GDPR?
The GDPR is the EU's General Data Protection Regulation, which applies from 25 May 2018 to anyone processing the personal data of people in the EU, wherever the processor is based. It applies to everyone a little differently – there's no "one size fits all" solution to what you need to do to be compliant.
Here, I'm going to focus on your use of Content Snare, the steps we're taking and the steps you'll need to take.
Content Snare and GDPR
There are two parts to this. When you sign up for Content Snare, we collect some of your personal details. For this data, we are the data controller.
The second part is when you use Content Snare to collect personal data from your clients. For that data, you are the data controller and Content Snare is the data processor.
Your Personal Data
At the time of writing, the personal data we collect from you is a name and email address. This information also gets sent to third-party services (sub-processors) that are themselves taking steps to become GDPR compliant. These are all listed in the new Data Processing Agreement (DPA).
Right now, these third parties are used for app hosting, support, understanding how people use the app (this usage data is anonymised), billing/invoicing and referral tracking.
Before the GDPR goes live, we’ll also be adding a consent checkbox for marketing emails on signup to the app.
Your Client’s Data
As a content and information collection tool, you may wish to use Content Snare to collect just about anything from your clients.
Now, it gets a bit more complicated when you are requesting personal data from your clients.
First, you need to understand what personal data and sensitive data are as defined by the GDPR. You should check the GDPR itself for this (personal data is defined in Article 4; the special categories are in Article 9).
In a nutshell, personal data is any information relating to an identified or identifiable person. So emails, names, IP addresses and much more.
Sensitive data (the GDPR calls these "special categories of personal data") includes data about health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and also criminal history.
We’ve updated the Terms of Service to forbid the collection of all sensitive data.
To collect personal data from your clients, you will need to agree to the Data Processing Agreement.
Consent for collecting personal data
If you are collecting personal data from clients, you'll need a lawful basis to process their data, and for most of what's described here that means asking for consent. Note that even just storing the data is a form of processing.
If you are collecting website info, you might ask for a phone number, email address and other contact info. Whether or not this will end up on a public website, it is still personal data and should be treated as such.
You need to keep records and proof that your client gave you consent: who consented, to what, and when.
If you are using Content Snare to ask for consent, you could set up a section at the beginning of a request that looks something like this.
In short – it's their name, a checkbox with your required GDPR wording and a date. Once the client has "completed" the info, you can "approve" it, which locks the section so the date cannot be changed. If your client wants to withdraw consent, they can do so by contacting you directly. You should provide instructions on how to do this as part of the same section.
Eventually, Content Snare will have an audit trail showing when fields were changed and by whom. At that point, the date field will no longer be necessary, as the timing will show in the logs.
Finally, if you are collecting personal data and sharing requests using a link (not requiring a login), it is a good idea to protect the link with a PIN. You can set this when sharing your request. Send the PIN to your client through a different channel than the link itself (for example, link by email and PIN by phone or text), otherwise anyone who gets hold of the email has both.
Consent for email follow ups
This is something you will need to consult a lawyer on for your particular circumstances.
If you are building websites, it is arguable that email reminders to your clients are a "legitimate interest" of yours and are in the best interests of your clients (so that you can complete their website).
I would recommend completing a "legitimate interests assessment" and storing it away in case you ever need documentation to show during an audit.
If the follow-ups do not form a legitimate interest and you need to get consent, you can add a checkbox to collect it. Only after that checkbox is selected should you enable follow-ups for that request.