Before you start amending your website, make sure you have a written-down data policy. And by that we mean one you’ll actually follow, not just a tick-box exercise.
GDPR is not all about consent, but consent is a large part of it. That is, individuals must have explicitly agreed for you to store, process and use their personally identifiable data in a particular way.
So a form that asks ‘would you like to join our newsletter’ with the ‘Yes’ option already ticked is not opt-in consent and hence wouldn’t be acceptable; leaving it unticked so the person has to tick it themselves would be. You also need to save the ‘Consent Statement’, i.e. the exact wording they agreed to.
It also needs to be clear what the consent is for. For example, you may need someone’s birthday for the purpose of determining they are over 18 years old. That purpose should be stated at the point of requesting the information, but it doesn’t necessarily give you the right to email them a month before their birthday with an offer unless you asked for that too.
Email Newsletter Signup Example
If you have a form encouraging people to sign up for your newsletter, make it clear (i.e. idiot-proof) that’s what the form is for and that by clicking ‘Submit’ they are agreeing to receive newsletters.
As a tip, using words like ‘Regular’ helps to give clarity without committing you to ‘weekly’ or ‘monthly’ either.
Of course you should be using an email newsletter system like MailChimp which allows someone to unsubscribe immediately.
So forms need to have specific consent options as above, but the real question is ‘what happens next?’ Do you store the data online, or get it emailed to you? What processing occurs?
That is, do you store it in a spreadsheet? Where? Who has access to it, and do they really need it? More specifically, for how long do you need this information? For the most part, unless you need to keep data for legal reasons, it shouldn’t be kept longer than necessary. E.g. have a clean-out every 6 months (and write this into your data policy).
For example, for an annual event you might have people sign up and request tickets, but after the event do you need to keep their data? If you have consent to email them about the event regularly then keep their email, but you don’t necessarily need their seat allocations or postal address (which may have changed anyway).
Going forward, each form should ideally have a consent statement that you store, so if someone asks ‘what data do you have about me’ you could say ‘well, you signed up for Event on the 16th of May and we have your email and the statement “please send me details about this event”’.
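The record-keeping described above (an affirmative opt-in only, the exact consent statement saved per form, a ‘what data do you have about me’ answer, and a periodic clean-out that keeps the email but drops seat allocations and postal addresses once consent stands) can be sketched as a small consent register. This is an added example, not code from the original post; the class names, purpose strings, sample people and dates are all constructed, and a real site would back the register with a database rather than in-memory lists.

```python
# Added example (not from the original post): a minimal consent register.
# All names, purposes, dates and sample people below are constructed.
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    email: str
    purpose: str           # what the consent covers, e.g. "newsletter"
    statement: str         # exact wording the person agreed to
    form_id: str           # which form collected it
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class EventSignup:
    email: str
    event_id: str
    event_date: datetime
    seat: Optional[str] = None
    postal_address: Optional[str] = None


class ConsentRegister:
    """In-memory register; a production site would use a database."""

    def __init__(self, retention: timedelta):
        self.consents: List[ConsentRecord] = []
        self.signups: List[EventSignup] = []
        self.retention = retention   # how long withdrawn consents are kept

    def record_consent(self, email: str, purpose: str, statement: str,
                       form_id: str, opted_in: bool, now: datetime) -> Optional[ConsentRecord]:
        # Only an affirmative tick counts; an unticked box records nothing.
        if not opted_in:
            return None
        rec = ConsentRecord(email, purpose, statement, form_id, now)
        self.consents.append(rec)
        return rec

    def withdraw(self, email: str, purpose: str, now: datetime) -> None:
        for rec in self.consents:
            if rec.email == email and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now

    def has_consent(self, email: str, purpose: str) -> bool:
        return any(r.email == email and r.purpose == purpose and r.withdrawn_at is None
                   for r in self.consents)

    def subject_access(self, email: str) -> dict:
        # Answers "what data do you have about me", consent statements included.
        return {"consents": [asdict(r) for r in self.consents if r.email == email],
                "signups": [asdict(s) for s in self.signups if s.email == email]}

    def purge(self, now: datetime) -> int:
        """Periodic clean-out. Returns the number of records removed or trimmed."""
        changed = 0
        kept = []
        for r in self.consents:
            if r.withdrawn_at is not None and r.withdrawn_at + self.retention <= now:
                changed += 1          # withdrawn long ago: nothing justifies holding it
            else:
                kept.append(r)
        self.consents = kept
        kept_signups = []
        for s in self.signups:
            if s.event_date > now:
                kept_signups.append(s)   # event not yet held: seat/address still needed
            elif self.has_consent(s.email, "event:" + s.event_id):
                if s.seat is not None or s.postal_address is not None:
                    s.seat = s.postal_address = None   # keep the email, drop the rest
                    changed += 1
                kept_signups.append(s)
            else:
                changed += 1             # no standing consent: drop the signup entirely
        self.signups = kept_signups
        return changed


def demo() -> dict:
    """Constructed walk-through of one signup season; returns values for inspection."""
    utc = timezone.utc
    now = datetime(2024, 5, 1, tzinfo=utc)
    reg = ConsentRegister(retention=timedelta(days=180))
    wording = "Send me the regular newsletter."
    alice = reg.record_consent("alice@example.com", "newsletter", wording, "newsletter_form", True, now)
    bob = reg.record_consent("bob@example.com", "newsletter", wording, "newsletter_form", False, now)
    reg.record_consent("alice@example.com", "event:summer_fair",
                       "Please send me details about this event.", "event_form", True, now)
    fair = datetime(2024, 5, 16, tzinfo=utc)
    reg.signups.append(EventSignup("alice@example.com", "summer_fair", fair, "A12", "1 High St"))
    reg.signups.append(EventSignup("carol@example.com", "summer_fair", fair, "B7", "2 Low Rd"))
    reg.withdraw("alice@example.com", "newsletter", now)
    changed = reg.purge(now + timedelta(days=200))   # the 6-monthly clean-out
    return {"bob_recorded": bob is not None,
            "alice_newsletter_withdrawn": alice.withdrawn_at is not None,
            "changed": changed,
            "remaining_consents": len(reg.consents),
            "remaining_signups": [s.email for s in reg.signups],
            "alice_seat": reg.signups[0].seat,
            "alice_access": reg.subject_access("alice@example.com")}
```

Running `demo()` shows Bob's unticked box records nothing, Alice's withdrawn newsletter consent is dropped once the retention period has passed, Carol's signup disappears after the event because no consent covers it, and Alice keeps only her email and the event consent statement, which is exactly what a subject access reply needs.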