The GDPR is coming

You will no doubt have heard of the GDPR by now and be aware that it comes into effect on the 25th of May. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

It's time to take action to become GDPR compliant

The new General Data Protection Regulation (GDPR) legislation comes into effect from 25 May 2018. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

Within this GDPR guidance page we have outlined some of the key areas in which it has been highlighted that it would make sense to act in order to move towards GDPR compliance. The ICO (Information Commissioner's Office) has produced more in-depth information on all aspects of the GDPR here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ - A copy of their handy 12 steps to GDPR compliance can be downloaded and viewed here.

In simple terms, the GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.

Under the new GDPR legislation, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Some parts of the GDPR will have more of an impact on some organisations than on others, so it would be useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process.

jonwallacedesign are here to help implement solutions to assist you in becoming compliant; however, as we are not GDPR consultants and are not providing legal advice, we encourage ALL of our clients to get legal advice specific to their business. jonwallacedesign Ltd accepts no responsibility or liability for the accuracy of the information presented. Please seek your own legal advice.

Key areas to consider to help make your website GDPR compliant

This simple 10 point list is a well-recognised good starting point to review your website with relation to what changes you might want to consider to move towards GDPR compliance.

1. Data collection: Active Opt-In

On all the forms within your website, whenever you collect customer data – any options for consent must not be pre-selected. Customers need to actively opt-in to confirm consent for things like having read the terms and conditions, agreeing to be added to a mailing list etc.

2. Data collection: Unbundled Opt-In

If you request acceptance of things like terms and conditions alongside consent statements within forms, these must no longer be bundled together. The consent you are asking for should be set out separately: one option for accepting the terms and conditions, and separate options for each other way you intend to use the data, clearly worded and, as in point 1 above, unchecked by default.

3. Data collection: Granular Opt-In

As above, if you have consent options in forms on your website, these should be amended so that users can give separate consent for each type of processing, e.g. "Please send me marketing messages via: 1. Email, 2. Post, 3. SMS."

4. Easy to Withdraw Permission or Opt-Out systems

Your website must provide a simple and easy way for customers to opt out.

For your website this might mean allowing members, website users or mailing-list subscribers to select which types of content (e.g. news, new products, sales) they want to receive marketing emails about, or the format in which these messages are delivered (e.g. email, post, text). They may also need the option to change how often marketing messages are sent to them, or to stop them altogether.

5. Data collection: Named Parties

On your website forms you must identify any 3rd parties you may share the users' data with, and ask for the users' consent to share this data with them.
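As an added example (not jonwallacedesign's code), the JavaScript below renders a consent block that follows points 1, 2, 3 and 5 above and turns a form submission into a per-purpose consent record. The purpose names, field names, notice version and the named third party are all assumptions made up for illustration.

```javascript
// Added example (not jonwallacedesign's code): consent options that are
// separate (point 2), granular (point 3), never pre-ticked (point 1) and
// that name every third party the data goes to (point 5).
// All names below are constructed for illustration.
const CONSENT_SPEC = {
  noticeVersion: "2018-05", // version of the privacy notice shown (assumed)
  terms: { field: "accept_terms", label: "I have read and accept the terms and conditions" },
  marketing: [
    { field: "marketing_email", label: "Email" },
    { field: "marketing_post", label: "Post" },
    { field: "marketing_sms", label: "SMS" },
  ],
  thirdParties: [
    { field: "share_example_partner", name: "Example Partner Ltd (constructed name)", purpose: "postal offers" },
  ],
};

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Renders one checkbox. It deliberately never emits the `checked` attribute,
// so a pre-ticked box cannot slip in through the spec (point 1).
function checkbox(field, label) {
  return `<label><input type="checkbox" name="${escapeHtml(field)}" value="yes"> ${escapeHtml(label)}</label>`;
}

function renderConsentForm(spec = CONSENT_SPEC) {
  const parts = [];
  // Terms acceptance stands on its own (point 2: unbundled).
  parts.push(`<fieldset><legend>Terms</legend>${checkbox(spec.terms.field, spec.terms.label)}</fieldset>`);
  // One checkbox per channel (point 3: granular).
  parts.push(`<fieldset><legend>Please send me marketing messages via:</legend>` +
    spec.marketing.map(m => checkbox(m.field, m.label)).join("") + `</fieldset>`);
  // Each recipient is named and gets its own consent (point 5).
  parts.push(`<fieldset><legend>Sharing with third parties</legend>` +
    spec.thirdParties.map(t => checkbox(t.field, `I agree to ${t.name} contacting me about ${t.purpose}`)).join("") +
    `</fieldset>`);
  return `<input type="hidden" name="notice_version" value="${escapeHtml(spec.noticeVersion)}">\n` + parts.join("\n");
}

// Turns the submitted fields into a consent record. A missing field is
// recorded as false; nothing is inferred. Returns null when the terms were
// not accepted, so the submission can be rejected before anything is stored.
function parseConsent(submitted, spec = CONSENT_SPEC, now = new Date()) {
  const ticked = f => submitted[f] === "yes";
  if (!ticked(spec.terms.field)) return null;
  return {
    noticeVersion: submitted.notice_version || null,
    recordedAt: now.toISOString(), // when consent was given: part of your evidence under Article 5(2)
    marketing: Object.fromEntries(spec.marketing.map(m => [m.field, ticked(m.field)])),
    sharing: Object.fromEntries(spec.thirdParties.map(t => [t.name, ticked(t.field)])),
  };
}
```

Storing the record with the notice version and timestamp, rather than a single "consented: yes" flag, is what lets you later show which purposes a user agreed to and under which wording.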

6. Privacy Notice / Policies and Terms and Conditions

You will very likely need to update your website Privacy Notices and your website Terms and Conditions as a result of the new GDPR legislation.

The Information Commissioner's Office (ICO) has provided a sample privacy notice, which many websites are using as the basis to work from, reproduced below. It is short, simple and very transparent:

Here at [organisation name] we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.

However, from time to time we would like to contact you with details of other [specify products]/ [offers]/[services]/[competitions] we provide. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:

Post / Email / Telephone / Text message / Automated call

We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that they can contact you by post with details of [specify products]/ [offers]/[services]/[competitions] that they provide. If you consent to us passing on your details for that purpose please tick to confirm:

I agree 

The above example asks for user interaction, which might actually be better sought in a specific GDPR email campaign to your users/subscribers, checking their consent and notifying them of the changes you are making to become GDPR compliant, or on your data capture forms.

On your Privacy Policy page in particular, you will need to make it very clear and obvious what user information you are collecting and why, what you will do with the information once you have received it, and how long you will retain it, both on your website and in your office systems, for example. Additionally, you will likely need to detail in your privacy and cookie policies any applications (like Google Analytics) that you use to track user interaction (see points 8-10 below), as well as 3rd-party services such as social sharing tools, documenting the cookies they might use to provide these services.

The ICO actually has a very well written and easy to understand Privacy Notice page on its website, which might prove useful to follow or take a lead from > https://ico.org.uk/global/privacy-notice/

The ICO has also documented in depth some guidance on how best to present, in your privacy notices / policies page, how you manage users' personal data > https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

7. Online Payments

For e-commerce businesses, you are probably using a payment gateway for financial transactions; however, it is highly likely that your own website is collecting your customers' personal data before passing the details on to the payment gateway.

If this is the case, your website is storing these personal details after the information has been passed to the payment gateway. To be GDPR compliant, it has been suggested that you modify your systems to remove any personal information collected after a reasonable period, for example 60 to 90 days. (The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary.)
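As an added example (not jonwallacedesign's code), the following JavaScript applies such a retention period to stored order records: it strips the personal fields once a record is older than the period, keeps the transaction itself, and records when the redaction happened. The order shape, the field names and the 90-day figure are assumptions for illustration; the page itself suggests 60 to 90 days as reasonable.

```javascript
// Added example (not jonwallacedesign's code): removing the personal data
// kept after an order was handed to the payment gateway (point 7).
// Field names, the record shape and the 90-day period are assumptions.

const PERSONAL_FIELDS = ["customerName", "email", "phone", "billingAddress"];
const RETENTION_DAYS = 90;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// True when the record is older than the retention period and still holds
// personal data. The decision is based on when the data was collected,
// not on when the job happens to run.
function isDue(record, now, retentionDays = RETENTION_DAYS) {
  if (record.redactedAt) return false;
  const ageMs = now.getTime() - new Date(record.collectedAt).getTime();
  return ageMs >= retentionDays * MS_PER_DAY;
}

// Strips the personal fields but keeps the transaction (order id, amount,
// date), which you normally still need for your accounts. Recording
// redactedAt gives you evidence that the retention policy was applied
// (Article 5(2) accountability).
function redact(record, now) {
  const out = { ...record, redactedAt: now.toISOString() };
  for (const field of PERSONAL_FIELDS) {
    if (field in out) out[field] = null;
  }
  return out;
}

// Applies the policy to a batch of records and reports how many were
// redacted in this run, so the job can be monitored.
function applyRetention(records, now = new Date(), retentionDays = RETENTION_DAYS) {
  let redacted = 0;
  const result = records.map(r => {
    if (!isDue(r, now, retentionDays)) return r;
    redacted += 1;
    return redact(r, now);
  });
  return { records: result, redacted };
}

// Constructed sample orders, evaluated against a fixed "now" so the result is repeatable.
const SAMPLE_ORDERS = [
  { orderId: "A-1001", amount: 49.99, collectedAt: "2018-01-10T09:30:00Z",
    customerName: "Sample Customer", email: "customer@example.com",
    phone: "01234 567890", billingAddress: "1 Example Street" },
  { orderId: "A-1002", amount: 12.5, collectedAt: "2018-05-20T14:00:00Z",
    customerName: "Another Customer", email: "another@example.com",
    phone: null, billingAddress: "2 Example Street" },
];
const SAMPLE_NOW = new Date("2018-05-25T00:00:00Z");
```

Run the job on a schedule rather than only at order time, and keep the count it returns in your logs: a run that suddenly redacts nothing, or everything, is the first sign that the policy is not being applied as written.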

8. Third Party Tracking Software

If your website uses marketing automation software or user identification/lead tracking software, then you really need to hold some specific discussions with your suppliers (and lawyers), as these need to be reviewed to make sure they are GDPR compliant in relation to your usage of them. There appears to be a rather grey area with regard to the new laws and CRM platforms which identify users and automatically re-market your products and services to individuals. These applications track users in ways they would not expect and for which they have not granted consent: for example, tracking an individual's behaviour each time they return to your website or view a specific page on your site. The suppliers/providers of these applications assure everyone that they are GDPR compliant, but if the software is doing something illegal, then it is your business's responsibility as the Data Controller. The real question is to identify the GDPR compliance risks in using this kind of software and to mitigate those risks as a business owner. As a result, you need to review your contracts with these software providers carefully. Any 3rd-party call tracking applications should also be carefully considered.

If your website plugs in to Mailchimp or Campaign Monitor for mailing list collection or automated services, then you will also want to consider the GDPR and how you are using these services with reference to your website users/subscribers. It is advisable to state at the point of data collection where the data will be stored and which services you will use.

Likewise, any social media sharing tools / widgets used on your website should be reviewed for their compliance with GDPR.

9. Google Analytics, Adwords and Google Tag Manager

Google seems to have dealt with the GDPR issues head on and seems to be compliant with regard to their core suite of products (Analytics, Adwords, Retargeting, YouTube, etc) – more detail on this can be found here - https://privacy.google.com/businesses/compliance/

Your website will use Google Analytics to track user behaviour, and Google Analytics has always been an anonymous tracking system. Google Analytics has historically collected the IP addresses of website users; these are not connected to any 'personal data'. However, we can now anonymize the IP address so that it is partially obscured (known as IP masking); see more here > https://support.google.com/analytics/answer/2763052?hl=en&ref_topic=2919631 and here > https://support.google.com/analytics/answer/2905384?hl=en&ref_topic=2919631. Google Analytics does not collect any “personal data”, so we think it is GDPR compliant (even more so with the IP anonymize setting implemented), and the same goes for Adwords tags. However, you may well want to investigate this further and alter how your website is set up to use Google Analytics based on any legal advice sought.
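As an added example (not Google's code and not jonwallacedesign's), the JavaScript below reproduces what the IP masking described on the linked support page does to an address before it is stored: the last octet of an IPv4 address, or the last 80 bits of an IPv6 address, is set to zero. It is useful for checking what a "partially obscured" address actually looks like, for instance when deciding what your own server logs should keep. The log line at the end is constructed.

```javascript
// Added example (not Google's code): the IP masking rule that Google
// Analytics' anonymizeIp setting applies, so you can see what is kept.
// IPv4: last octet zeroed. IPv6: last 80 bits zeroed (first 48 bits kept).

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Expands an IPv6 address (including the "::" shorthand) into eight
// four-digit hex groups, or returns null if it is not a valid address.
function expandIpv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) return null;                 // at most one "::"
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  let groups;
  if (halves.length === 2) {
    const missing = 8 - head.length - tail.length;
    if (missing < 1) return null;
    groups = [...head, ...Array(missing).fill("0"), ...tail];
  } else {
    groups = head;
  }
  if (groups.length !== 8 || !groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map(g => g.toLowerCase().padStart(4, "0"));
}

// Returns the masked address, or null when the input is not an IP address.
function maskIp(ip) {
  const v4 = IPV4.exec(ip);
  if (v4) {
    const octets = v4.slice(1, 5).map(Number);
    if (octets.some(o => o > 255)) return null;
    octets[3] = 0;                                    // zero the last octet
    return octets.join(".");
  }
  const groups = expandIpv6(ip);
  if (!groups) return null;
  // Keep the first 48 bits (three groups); the remaining 80 bits become zero.
  return [...groups.slice(0, 3), ...Array(5).fill("0000")].join(":");
}

// Masks the client address at the start of a (constructed) access-log line,
// leaving the line untouched when the first token is not an IP address.
function maskLogLine(line) {
  const [ip, ...rest] = line.split(" ");
  const masked = maskIp(ip);
  return masked === null ? line : [masked, ...rest].join(" ");
}

const SAMPLE_LOG_LINE = '203.0.113.77 - - [25/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200';
```

The setting itself is enabled in the tracking snippet (`ga('set', 'anonymizeIp', true)` for analytics.js, or `anonymize_ip: true` in the gtag.js config call, both per the Google documentation linked above); the function here only shows the effect of that setting, and the masking happens on Google's side once it is enabled.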

With regards to Google Tag Manager: it is a system that allows you to add different 3rd-party tracking applications, so your focus should be on which 3rd-party tracking applications you are using and whether they are GDPR compliant. Also, ensure you have a contract in place with the individuals who have access to your Tag Manager (e.g. your digital marketing agency) to ensure they understand their legal responsibilities as a data processor on your behalf as data controller.

It’s not just your website… The GDPR is relevant for your entire business

The GDPR does not apply only to websites. Your entire business needs to become GDPR compliant. You might want to consider…

  • Do you have lots of personal data stored in various places around the business?
  • Do you have a good understanding, and documented record of the data you hold?
  • Do you need to either gain or refresh consent for the data you hold?
  • Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
  • Is your data being held securely, keeping in mind both technology and the human factors in data security?
  • Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?

In summary

We believe that moving towards a transparent level of information about how and why you are collecting user data should help position you and your website in a better place in relation to the GDPR. Please consider:

  • What personal data you are collecting
  • Why you are collecting it
  • Who is collecting it (e.g. it could be a 3rd party on your website)
  • How it is being collected
  • How the collected data is being stored
  • How the collected data is being used
  • Who the collected data will be shared with

Please note the content above is intended as guidance based on our understanding of the new GDPR legislation and how it might affect you as a client of jonwallacedesign who has a website. It is important to note that jonwallacedesign are not GDPR consultants or legal advisors, so any suggestions here are based on our current understanding of how the GDPR may affect you / your website / your website users. To be certain you are complying with the new regulations, we would advise gaining professional legal advice. jonwallacedesign Ltd accepts no responsibility or liability for the accuracy of the information presented. Please seek your own legal advice.

 

All content copyright © 2008-2019 jonwallacedesign Ltd.

jonwallacedesign Ltd, trading as jonwallacedesign (Company No. 07323714), incorporated in England and Wales. VAT no: GB 996 5694 36
