Bedford BID temporarily removed a survey from their Love Bedford website last week, after the Bedford Independent raised concerns about how they were collecting data and that they may be in breach of General Data Protection Regulation (GDPR).
The survey, asking people about their reasons for visiting Bedford Town Centre and their views on things like the Riverside North development and what they dislike about the town, had a prize draw attached as an incentive for taking part.
While this in itself is not against GDPR legislation, anyone completing the survey was forced to enter an email address.
The Information Commissioner’s Office (ICO) warns this may be against GDPR legislation.
ICO guidelines state:
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.
This means that people should be allowed to complete the survey without adding their personal data if they do not want to enter the prize draw.
If they do want to enter the prize draw then the personal details must only be used to notify a winner and for no other reason.
While they denied being in breach of GDPR, the survey was taken down and reinstated a few hours later with a new process for completing the survey and entering the prize draw.
In a statement Christina Rowe, Director of Operations for Bedford BID, said: “I am advised that we are not collecting data unlawfully however, following the feedback, refinements have been made.
“We disabled the process for a very short period of time recording both the date and time.”
However, this is not the first time that the Bedford Independent has highlighted potential breaches of GDPR legislation to Bedford BID.
In August last year we highlighted a problem with the collection of data around their New York competition, where people had to sign up to their mailing list for entry into the competition.
After discussing this with the ICO, and a lawyer specialising in GDPR and commercial and technology work, we advised Bedford BID that GDPR prevents people being forced to sign up to email marketing as a condition for competition entry.
At the time Bedford BID stated they believed they were GDPR compliant but changed the competition entry requirements.
As GDPR had only been in place for a short time we decided not to report on this as a gesture of fairness and good faith.
General Data Protection Regulation (GDPR) is mutually agreed legislation across the EU and came into force on May 25, 2018, and was designed to modernise laws that protect the personal information of individuals.
Due to its extraterritorial effect, the UK will still need to comply with GDPR after Brexit.