You will no doubt have heard of the GDPR by now and be aware that it comes into effect on 25 May 2018. The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
Within this GDPR guidance page we have outlined some of the key areas in which it makes sense to act in order to move towards GDPR compliance. The ICO (Information Commissioner's Office) has produced more in-depth information on all aspects of the GDPR here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ - A copy of their handy 12 steps to GDPR compliance can be downloaded and viewed here.
In simple terms, the GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.
Under the new GDPR legislation, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
Article 5(2) requires that: "the controller shall be responsible for, and be able to demonstrate, compliance with the principles."
Some parts of the GDPR will have more of an impact on some organisations than on others, so it would be useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process.
jonwallacedesign are here to help implement solutions to assist you in becoming compliant, however as we are not GDPR consultants or providing legal advice, we do encourage ALL of our clients to get legal advice specific to your business. jonwallacedesign Ltd accepts no responsibility or liability for the accuracy of the information presented. Please seek your own legal advice.
This simple 10-point list is a well-recognised starting point for reviewing your website in relation to the changes you might want to consider to move towards GDPR compliance.
On all the forms within your website, whenever you collect customer data, any options for consent must not be pre-selected. Customers need to actively opt in to confirm consent for things like having read the terms and conditions, agreeing to be added to a mailing list, etc.
If you request acceptance of terms and conditions and consent to other statements within forms, these must no longer be bundled together. Acceptance of the terms and conditions should be set out separately from consent for other ways of using data, each stated clearly and, as in point 1 above, unchecked by default.
As above, if you have consent options in forms on your website, these should be amended so that users can give separate consent for different types of processing, e.g. "Please send me marketing messages via: 1. Email 2. Post 3. SMS".
Your website must provide a simple and easy way for customers to opt out.
For your website, this might mean allowing members, website users and mailing list subscribers to select which types of content (e.g. News, New Products, Sales) they want to receive marketing emails about, or the format in which marketing messages should be delivered (e.g. Email, Post, Text). They may also need the option to change how often marketing messages are sent to them, or to stop them altogether.
On your website forms you must identify any 3rd parties you may share the user's data with and ask for the user's consent to share it.
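The following is an added example, not code from the original page or from jonwallacedesign, showing how the form points above translate into server-side code: every consent option defaults to off, terms acceptance is recorded separately from marketing consent, each channel and the 3rd party share are individual opt-ins, there is a simple withdrawal function, and a small audit helper flags any consent checkbox that has been pre-checked in the markup. The purpose names, field names and the `form_id` field are assumptions made for this example.

```javascript
// Added example (not code from the original page or from jonwallacedesign):
// server-side handling of a website consent form that follows the points above.
// Purpose and field names are assumptions made for this example.
const CONSENT_PURPOSES = [
  "marketing_email",      // "send me marketing messages via email"
  "marketing_post",
  "marketing_sms",
  "share_with_partners",  // passing details to the named 3rd parties (separate opt-in)
];

// Build a consent record from submitted form fields (e.g. req.body in Express).
// Every purpose defaults to false; only an explicit "on" counts as consent,
// so an absent or pre-filled field can never be read as agreement.
function buildConsentRecord(formFields, now = new Date()) {
  const consent = {};
  for (const purpose of CONSENT_PURPOSES) {
    consent[purpose] = formFields[purpose] === "on";
  }
  return {
    termsAccepted: formFields.accept_terms === "on", // kept separate, never bundled
    consent,
    recordedAt: now.toISOString(),                   // evidence of when consent was given
    source: formFields.form_id || "unknown-form",    // which form captured it
  };
}

// Withdraw consent for one purpose, or "all": the simple opt-out from point 4.
// Returns a new record; the original is left untouched for the audit trail.
function withdrawConsent(record, purpose, now = new Date()) {
  const targets = purpose === "all" ? CONSENT_PURPOSES : [purpose];
  const consent = { ...record.consent };
  for (const p of targets) consent[p] = false;
  return { ...record, consent, updatedAt: now.toISOString() };
}

// Audit form markup: returns the names of consent checkboxes that carry a
// "checked" attribute, i.e. are pre-selected in breach of point 1.
function findPreCheckedConsent(html) {
  const problems = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/type\s*=\s*["']?checkbox/i.test(tag)) continue;
    const name = (tag.match(/name\s*=\s*["']?([\w-]+)/i) || [])[1];
    const isConsentBox = name === "accept_terms" || CONSENT_PURPOSES.includes(name);
    if (isConsentBox && /\schecked(\s|>|=|\/)/i.test(tag)) problems.push(name);
  }
  return problems;
}

// Constructed sample submission: the user accepted the terms and ticked email only.
const sampleSubmission = { form_id: "signup", accept_terms: "on", marketing_email: "on" };
const sampleRecord = buildConsentRecord(sampleSubmission);
console.log(JSON.stringify(sampleRecord, null, 2));
console.log(JSON.stringify(withdrawConsent(sampleRecord, "all").consent));
```

Storing the record with its timestamp and source is what lets you later demonstrate, as Article 5(2) asks, when and where each consent was obtained.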
You will very likely need to update your website Privacy Notices and your website Terms and Conditions as a result of the new GDPR legislation.
The Information Commissioner's Office (ICO) has provided a sample privacy notice, which many websites are using as a basis to work from, reproduced below. It is short, simple and very transparent:
Here at [organisation name] we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.
However, from time to time we would like to contact you with details of other [specify products]/ [offers]/[services]/[competitions] we provide. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:
Post ☐ Email ☐ Telephone ☐
Text message ☐ Automated call ☐
We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that they can contact you by post with details of [specify products]/ [offers]/[services]/[competitions] that they provide. If you consent to us passing on your details for that purpose please tick to confirm:
I agree ☐
The above example requests user interaction, which might be better sought either on your data capture forms or in a specific GDPR email campaign you may wish to send to your users/subscribers, checking their consent and notifying them of the changes you are making to become GDPR compliant.
The ICO also has a very well written and easy to understand Privacy Notice page on their own website, which might prove useful to follow or take a lead from: https://ico.org.uk/global/privacy-notice/
The ICO has also documented in-depth guidance on how best to present, in your privacy notices/policies page, the way you manage users' personal data: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
For e-commerce businesses, you are probably using a payment gateway for financial transactions; however, it is highly likely that your own website collects your customers' personal data before passing the details to the payment gateway.
If this is the case, your website is storing these personal details after the information has been passed to the payment gateway. To be GDPR compliant, it has been suggested that you should modify your systems to remove any personal information collected after a reasonable period, for example 60 to 90 days. (The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary.)
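As an added example of the retention step just described (not code from the original page or from jonwallacedesign), the script below strips personal fields from stored orders once they are older than the retention period, while keeping the non-personal transaction data (order id, total, date) that accounts still need. The order shape, the field names and the 90-day default are assumptions for this example; the sample orders are constructed, not real customers.

```javascript
// Added example (not code from the original page): a retention job that removes
// personal details from stored orders after a retention period has passed.
// Order shape, field names and the 90-day default are assumptions.
const PERSONAL_FIELDS = ["customerName", "email", "phone", "address", "ipAddress"];
const DEFAULT_RETENTION_DAYS = 90; // the page suggests 60-90 days; pick what you can justify
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// True when an order's creation date is older than the retention period.
function isPastRetention(order, now, retentionDays = DEFAULT_RETENTION_DAYS) {
  const ageMs = now.getTime() - new Date(order.createdAt).getTime();
  return ageMs > retentionDays * MS_PER_DAY;
}

// Returns a new array of orders; expired ones have personal fields nulled and
// a timestamp recording when that happened. Orders are never mutated in place,
// and an order that was already purged keeps its original purge timestamp.
function purgeExpiredPersonalData(orders, now, retentionDays = DEFAULT_RETENTION_DAYS) {
  return orders.map((order) => {
    if (order.personalDataRemovedAt || !isPastRetention(order, now, retentionDays)) {
      return order; // already purged, or still inside the retention window
    }
    const redacted = { ...order };
    for (const field of PERSONAL_FIELDS) {
      if (field in redacted) redacted[field] = null;
    }
    redacted.personalDataRemovedAt = now.toISOString();
    return redacted;
  });
}

// Count how many orders have had personal data removed: a figure you can put
// in the accountability records Article 5(2) expects you to keep.
function countPurged(orders) {
  return orders.filter((o) => o.personalDataRemovedAt).length;
}

// Constructed sample data (not real customers), run as of 25 May 2018.
const sampleOrders = [
  { id: "A1001", createdAt: "2018-01-10T09:30:00Z", total: 49.99,
    customerName: "Example One", email: "one@example.com", ipAddress: "203.0.113.10" },
  { id: "A1002", createdAt: "2018-05-01T14:00:00Z", total: 12.5,
    customerName: "Example Two", email: "two@example.com", ipAddress: "203.0.113.20" },
];
const purged = purgeExpiredPersonalData(sampleOrders, new Date("2018-05-25T00:00:00Z"));
console.log(JSON.stringify(purged, null, 2));
console.log("orders purged:", countPurged(purged));
```

Run this on a schedule (a nightly cron job or equivalent) rather than on demand, so the retention period you document in your privacy notice is actually enforced.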
If your website uses marketing automation software or user identification/lead tracking software, then you need to hold specific discussions with your suppliers (and lawyers), as these need to be reviewed to make sure they are GDPR compliant in relation to your usage of them. There appears to be a grey area with regard to the new laws and CRM platforms which identify users and automatically re-market your products and services to individuals. These applications track users in ways they would not expect and for which they have not granted consent; for example, tracking an individual's behaviour each time they return to your website or view a specific page on your site. The suppliers/providers of these applications assure everyone that they are GDPR compliant, but if the software is doing something illegal, then it is your business' responsibility as the Data Controller. The real task is to identify the GDPR compliance risks in using this kind of software and to mitigate those risks as a business owner. As a result, you need to review your contracts with these software providers carefully. Any 3rd party call tracking applications should also be carefully considered.
If your website plugs in to Mailchimp or Campaign Monitor for mailing list collection / automated services, then you will also want to consider the GDPR and how you are using these services with reference to your website users/subscribers. It is advisable to state at the point of data collection where the data will be stored and which services you will use.
Likewise, any social media sharing tools / widgets used on your website should be reviewed for their compliance with GDPR.
Google seems to have dealt with the GDPR issues head on and appears to be compliant with regard to their core suite of products (Analytics, AdWords, Retargeting, YouTube, etc.). More detail on this can be found here: https://privacy.google.com/businesses/compliance/
Your website will use Google Analytics to track user behaviour, and Google Analytics has always been an anonymous tracking system. Google Analytics has historically collected the IP addresses of website users; these are not connected to any 'personal data'. However, we can now anonymize the IP address so that it is partially obscured (known as IP masking). See more here: https://support.google.com/analytics/answer/2763052?hl=en&ref_topic=2919631 and here: https://support.google.com/analytics/answer/2905384?hl=en&ref_topic=2919631. Google Analytics does not collect any "personal data", so we think it is GDPR compliant (even more so with the IP anonymize setting implemented), and the same goes for AdWords tags. However, you may well want to investigate this further and alter how your website is set up to use Google Analytics based on any legal advice sought.
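To make the IP masking concrete, here is an added example (not code from the original page or from Google) that reimplements the masking rule Google documents for its anonymizeIp setting, namely the last octet of an IPv4 address set to zero and the last 80 bits of an IPv6 address set to zero, so that a website can apply the same rule to IP addresses in its own server logs, which Analytics does not cover. The access-log line layout and the sample addresses are constructed for this example.

```javascript
// Added example (not code from the original page or from Google): the IP
// masking rule used by Google Analytics' anonymizeIp setting, reimplemented
// so the same masking can be applied to a site's own server logs.

// Turn an IPv4 "a.b.c.d" into "a.b.c.0". Throws on anything that is not IPv4.
function maskIPv4(ip) {
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error("invalid IPv4 address: " + ip);
  octets[3] = "0";
  return octets.join(".");
}

// Expand IPv6 shorthand ("::" and leading zeros) into eight 16-bit groups.
function expandIPv6(ip) {
  const parts = ip.split("::");
  if (parts.length > 2) throw new Error("invalid IPv6 address: " + ip);
  const left = parts[0] ? parts[0].split(":") : [];
  const right = parts.length === 2 && parts[1] ? parts[1].split(":") : [];
  const missing = 8 - left.length - right.length;
  if (missing < 0 || (parts.length === 1 && missing !== 0)) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  const groups = [...left, ...Array(missing).fill("0"), ...right];
  return groups.map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error("invalid IPv6 address: " + ip);
    return parseInt(g, 16).toString(16); // normalise leading zeros and case
  });
}

// Keep the first 48 bits (three groups) and zero the remaining 80 bits.
function maskIPv6(ip) {
  return expandIPv6(ip).slice(0, 3).join(":") + "::";
}

// Dispatch on address family.
function maskIp(ip) {
  return ip.includes(":") ? maskIPv6(ip) : maskIPv4(ip);
}

// Apply the rule to an access-log line whose first field is the client IP
// (common log format layout, assumed for this example) and return the masked line.
function maskLogLine(line) {
  const [ip, ...rest] = line.split(" ");
  return [maskIp(ip), ...rest].join(" ");
}

// Constructed sample lines using documentation-range addresses, not real visitors.
const sampleLog = [
  '203.0.113.42 - - [25/May/2018:10:00:00 +0100] "GET / HTTP/1.1" 200 512',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:00:01 +0100] "GET /privacy HTTP/1.1" 200 2048',
];
for (const line of sampleLog) console.log(maskLogLine(line));

// For the tracking snippet itself the documented settings are:
//   gtag('config', 'UA-XXXXX-Y', { anonymize_ip: true });   // gtag.js
//   ga('set', 'anonymizeIp', true);                          // analytics.js
```

Masking in your own logs only helps if it happens before the full address is written to disk or shipped elsewhere, so apply it in the logging pipeline rather than as an after-the-fact clean-up.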
With regards to Google Tag Manager: it is a system that allows you to add different 3rd party tracking applications, so your focus should be on which 3rd party tracking applications you are using and whether they are GDPR compliant. Also, ensure you have a contract in place with the individuals who have access to your Tag Manager (e.g. your digital marketing agency) to ensure they understand their legal responsibilities as a data processor on your behalf as data controller.
The GDPR is not set out only for websites to comply with; your entire business needs to become GDPR compliant. You might want to consider…
We believe that being transparent about how and why you are collecting user data should help position you and your website in a better place in relation to the GDPR. Please consider:
Please note the content above is intended as guidance based on our understanding of the new GDPR legislation and how it might affect you as a client of jonwallacedesign who has a website. It is important to note that jonwallacedesign are not GDPR consultants or legal advisors, so any suggestions here are based on our current understanding of how the GDPR may affect you / your website / your website users. To be certain you are complying with the new regulations, we would advise gaining professional legal advice. jonwallacedesign Ltd accepts no responsibility or liability for the accuracy of the information presented. Please seek your own legal advice.