Is Your Website GDPR Compliant?


You’ve probably heard enough about GDPR by now. You’re getting emails every day telling you about updates to privacy policies from companies big and small. The deadline for GDPR is closing in fast so it’s time to ensure you’re compliant.

If you haven’t started preparing for the General Data Protection Regulation (GDPR), there is good news: you still have time!

What on earth is GDPR?

GDPR, short for General Data Protection Regulation, is a new EU regulation on data protection and privacy for all individuals within the European Union.

Anyone who collects and processes personal data (defined as a data controller under GDPR) will be required to comply with the new regulation regardless of where they are based in the world. For this law to apply, they just have to offer their products and/or services to EU residents or be established in the EU.

The GDPR comes into effect on 25th May 2018. The main goal of introducing this law is to give individuals complete control over their data and strengthen the rights they have. While this may sound simple, the law itself is highly complex with many of the articles requiring companies to document and provide evidence of compliance.

What is covered by GDPR?

The new regulation sets out rules for the collection, use and storage of personal data. It does this by giving all individuals eight specific rights over their personal data, by setting principles for protecting that data (including a security-by-design approach and the reporting of data breaches), and by specifying requirements for accountability (your responsibility to demonstrate that you comply).

How does GDPR impact my website?

You may not even realise it, but every time someone visits your website, chances are it’s collecting a lot of data from that individual. The GDPR doesn’t just affect websites that are EU focused; it applies to any website that could serve customers in the EU or track behavioural data about them and their visit. Simply having a website that is accessible to people within the EU does not, on its own, make you subject to the new regulation. However, if your intention is to provide products and services to people in the EU or to track their online behaviour (advertising etc.), that does make you subject to it.

In many cases, you may not even know what data your website is collecting from your visitors every time they land on your site – this data often includes cookies and IP addresses. On the other hand, there will be data that you are more aware of such as contact forms, newsletter subscriptions and e-commerce transactions.

But what can I do?

From the website point of view, the first step to take in working towards GDPR compliance is understanding how your business or organisation obtains personal data through the website. Personal data is anything that can identify an individual so on your website this could include names, email addresses, contact numbers, IP addresses and many other types of data.

When someone lands on your website, you need to make it very clear to them, as transparently as possible, what data you obtain and how it will be processed. You need to identify the information you are gathering, gain granular consent for opt-ins, enable the visitor to view the information you have obtained, and be able to remove this information from your database if they ask you to.

To assist with getting your website compliant under the new regulation, we have put together ten key points which need to be considered for your website to ensure that you are fully aware of the data your website collects, how it is stored and how it is processed.

1. Privacy Policy

Once you have identified the data you are obtaining through your website, the next step will be to produce a privacy policy for your website. This document needs to be written very clearly and cover the following points:

  • How you are capturing data
  • Where the data is being stored
  • How long you intend to store the data (retention period)
  • How people can view the data you store
  • How they can get their data removed from your database

2. SSL Certificates

One of the main purposes of introducing GDPR is to enhance the privacy of data. When people are providing data online, they want to know that doing so is safe and that the transfer of the data is safe.

In brief, SSL is the technology behind the green padlock you see in your browser when visiting a website. If an organisation doesn’t have a certificate, Google is starting to flag the site as insecure and warns users before they even access it, so they won’t give away any personal details in an insecure environment. You can read more about SSL certificates here.

3. Website Forms

Any form on your website must no longer contain pre-ticked boxes. Under GDPR, all consent must be freely given; a pre-ticked box does not give the visitor that choice and instead implies consent.

Consent should be granular, so that visitors can consent to different types of processing instead of having one box for everything. For example, if you deliver marketing by post, email and phone, you should provide three individual tick boxes allowing the user to choose between the three, instead of a single tick box that says you consent to receiving marketing by all three methods.

If you require consent to transfer data to a third party, this would be another tick box. If multiple third parties are involved, multiple tick boxes will be required.

4. Easily Withdrawing Permission or Opting-Out

Ever taken a minute to realise just how easy it is to provide your data online? Scary, right? Under GDPR, one of the requirements is that individuals can withdraw their consent at any time. For example, if you send out email marketing, you must provide a clear link in the footer of every email allowing the subscriber to withdraw their consent to receiving emails. Once submitted, you must stop emailing them, as you no longer have this consent.

5. Cookies

As outlined in the Privacy and Electronic Communications Regulations of 2011, the law requires website owners to advertise the use of cookies on the site and requires the acceptance of such cookies. The use of cookies should be outlined in your privacy policy alongside what the information will be used for. It is worth stating that users can also opt out of cookie tracking in their browser privacy settings.

When using third-party software such as Google Analytics, you will need to make this clear in your privacy policy also.

6. IP Tracking

There are many tech providers that offer tracking codes which you embed on your website and which can provide you with identifiable information about your visitors. This is different to the anonymous data that can be found within Google Analytics. Where you track IP addresses, you need to make this clear within your privacy policy, as an IP address is classed as personal data under GDPR. For example, if you allow visitors to comment on blog posts, chances are that the commenter’s IP address is being stored in the database somewhere.

7. Social Media Advertising

If you plan on using collected email addresses to build lists for social media advertising, you will need to make users aware of this. Consent should be provided in the form of a granular tick box as well as offering the option to opt-out of such marketing.

8. Re-Marketing

This works by using cookies in the browser to track a user’s online activity. If this tracking is being used on your website, you will need to make users aware of this in your privacy policy.

9. Online Payments

If you run an e-commerce website, chances are you’re taking payments online via the website using a payment gateway such as PayPal, Stripe, SagePay, WorldPay etc.

Although you may be using a third-party payment gateway, your website may be collecting personal data before these details are passed on to the payment provider. If this is the case, an SSL certificate is required to ensure that this data is encrypted in transit.

If your website then stores this personal data after the information has been passed to the payment provider, you will need to outline this in your privacy policy and make changes to your website processes to remove any personal information after a reasonable period, also known as the retention period.

GDPR doesn’t state a specific number of days for which you can store this data; it is down to the organisation to judge what it can justify as reasonable and necessary.

10. Data Breaches

Under the GDPR, it is required that certain types of data breaches are reported to the Information Commissioner’s Office (ICO), which is the Data Protection Authority (DPA) for the UK.

Where a breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO within 72 hours. Examples of such risks include damage to reputation, financial loss or loss of confidentiality.

Useful Links

ICO Guide to the General Data Protection Regulation (GDPR)

*** Please note that the above content should not be considered legal advice. Always consult with a lawyer regarding your specific situation and/or take the time to conduct further research yourself.
