GDPR – Preparation for 25 May 2018


    Now that the Vehicle Register is live, we’re turning our attention towards readiness for GDPR, the General Data Protection Regulation coming into force on 25 May 2018. Crossmember already complies with a lot of the regulation, but privacy and security is a constant review/update cycle to continuously improve. Now that the bulk of the development is complete (with privacy/security built into the design), it is time to perform the first of those reviews and tighten up further.

    Already live as of tonight is an update to the password management for authorised users (club members are separately authenticated by email).
    Authorised users are supplied with a password when they are created; now they must create a new password on first login – to avoid any potential for a security breach in delivering the first email/password.
    STRONG passwords are enforced by Crossmember and are also required to be changed every 9 months.

    Work currently underway is to adhere to the GDPR requirement for consent. This is much more than simply having a check-box for consent. There will be a configurable option to allow the club administrator to update the club privacy statement without needing website knowledge. The privacy statement can be easily arranged in a layered/accordion style layout to make it easier for smaller screens. Popup/Tooltip style boxes display when clicking on input fields to explain to the new member WHY the club needs the information.

    On top of this, it is also a requirement to keep a record of what statements the member actually consented to – so that if necessary, the member can re-consent in the future!

    Once this is completed, it will go live… And then we’ll be working on the requirements regarding ‘data transfer’ and the transfer of data outside of the EU – we’ll keep you updated as work progresses.



    GDPR Data Privacy and Consent
    Today the GDPR Consent functionality has gone live. We have implemented two types of information that are described by the Information Commissioner’s Office (ICO) as ‘Just in time’ and ‘Layered’. The Just in time method involves informing people of why their data is required at the point of data entry. This is particularly efficient as it gives the new member information about the field they are about to complete, and therefore consent. The Layered approach is where we can elaborate a bit more on detail. First the Layered approach:

    Layered Approach
    Here is a screenshot of the Demo Club version:
    [Screenshot: GDPR Consent Form]
    As you can hopefully see, it is laid out in an ‘accordion’ style (layered) – click the heading and it opens up to reveal the text. This makes the form more compact which is especially useful on mobile devices.

    If Consent is not given (the box is not ticked) then they cannot join the club, because we’re only asking for the data that is required in order to run the Club effectively and efficiently.

    The Club configuration screen on the Setup Page allows the Club to have their own consent form and allows them to have as many or as few ‘accordion’ headers as you like. The important thing is to ensure that you tell people what you’re going to do with their data, who can see it, how long you keep it for, and where to get more information.

    The Consent form is given to all new joiners to the Club, and because you can’t assume that consent lasts forever, it is given to each renewing member too – just remember to also make your paper copies of your membership forms contain the same statements.

    If the Consent Statement is changed, a new version is created. The version number of the Consent statement that a member gives their consent to is stored in the member’s record so that we always know what each member agreed to.

    Just In Time
    A Just in time notice is what ICO call a message appearing to a user as they enter their details. It appears ‘Just in time’ to inform the user and enable them to make an informed decision and to give their consent freely.

    Here’s an example, again from the Demo Club where a user has just clicked on the Email Address field ready to type their email address:
    [Screenshot: Email address just in time notice]
    Clicking in the input field makes the message pop up, clicking anywhere outside of the field makes it go away.

    All the best,
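
The consent versioning described in the post above, sketched as an added example that is not part of the original post and is not Crossmember's code. The class, method names and member IDs are hypothetical; it assumes a new version is created only when the statement text actually changes.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentRegister:
    """Hypothetical model: versioned consent statements plus per-member records."""
    versions: list = field(default_factory=list)  # position + 1 = version number
    records: dict = field(default_factory=dict)   # member_id -> [(version, when)]

    def publish(self, text):
        """Store the statement; create a new version only if the text changed."""
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if self.versions and self.versions[-1][0] == digest:
            return len(self.versions)
        self.versions.append((digest, text))  # old versions are never overwritten
        return len(self.versions)

    def record_consent(self, member_id, version, when=None):
        """Record consent against the exact version shown to the member."""
        if version != len(self.versions):
            raise ValueError("consent must be given to the current version")
        when = when or datetime.now(timezone.utc)
        self.records.setdefault(member_id, []).append((version, when))

    def agreed_text(self, member_id):
        """Return the statement text the member most recently consented to."""
        version, _ = self.records[member_id][-1]
        return self.versions[version - 1][1]

    def needs_reconsent(self):
        """Members whose latest consent predates the current statement."""
        current = len(self.versions)
        return sorted(m for m, r in self.records.items() if r[-1][0] != current)


if __name__ == "__main__":
    reg = ConsentRegister()
    v1 = reg.publish("We hold your name and address to run the Club.")  # constructed text
    reg.record_consent(101, v1)
    reg.publish("We hold your name, address and email to run the Club.")
    print(reg.needs_reconsent())  # member 101 agreed to version 1 only
```
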


    In your statement “If Consent is not given (the box is not ticked) then they cannot join the club”, the ICO website states “Avoid making consent to processing a precondition of a service.” Surely a new member should be able to join with only name and address, these being of ‘legitimate interest’ to provide a service, but able to opt out of providing any other data?

    Our current Club GDPR Consent form also requires consent for the use and publication of photos of individuals. The FBHVC’s guidelines state “If the photograph isolates a subject where they can be easily identified, a consent form is required”. Would it be possible to include this consent as opt in/out on the list of options?

    Very impressed with what I have seen so far.



    Hi David,
    Very interesting, thank you.
    I’ll have a good think about your comments for future improvements.

