Is Your Website GDPR Compliant?

General Data Protection Regulations

The GDPR becomes law in every part of the EU (including the UK, whatever happens with Brexit) on 25 May 2018.

It is intended to protect the personal data of every EU citizen and will apply to those outside the EU who do business with anyone in the EU.

Not only will it affect your business or organisation, it will also affect your website.

Whatever type of website you have (blog, ecommerce, business, news, membership, info etc.), you know that it is mandatory to have a Privacy Policy, and in the main this deals with cookies.

But if you have a Contact Form on your site or if you allow comments to your articles then you are collecting personal data. You are therefore subject to the GDPR.

And you are still caught by the GDPR if you have an ecommerce site, even if the payment is made via a third-party site such as PayPal, because when a payment is processed you are given the name, address and email of the purchaser for delivery and accounting purposes.

These regulations are all about the protection of personal data, which must be processed according to the six data protection principles:

  • Processed lawfully, fairly and transparently.
  • Collected only for specific legitimate purposes.
  • Adequate, relevant and limited to what is necessary.
  • Must be accurate and kept up to date.
  • Stored only as long as is necessary.
  • Ensure appropriate security, integrity and confidentiality.

Personal Data means any data that can be used to identify a living human person. It includes:

  • Name
  • Address
  • Email address
  • Photo
  • IP address
  • Location data
  • Online behaviour (cookies)
  • Profiling and analytics data

And there are special rules, prohibitions and exemptions for these subjects:

  • Race
  • Religion
  • Political opinions
  • Trade union membership
  • Sexual orientation
  • Health information
  • Biometric data
  • Genetic data

So an email address of, say, Joe.Smith@gmail.com can identify that individual as it names him. The regulations will apply.

Likewise, as there is no distinction between consumer data and business data, an email address of Joe.Smith@xyz.com will identify that individual in that organisation. The regulations will apply.

But a generic email address such as info@xyz.com is not covered by the regulations as no person can be identified. Likewise admin, sales, enquiries etc.

While the regulations apply to data stored electronically, they also apply to data on paper intended as part of a filing system, but that is another huge topic and is not the subject of this article.

Here we only focus on what must be changed on your website, namely the privacy policy, contact forms and opt-ins.

What Goes Into A Privacy Policy

First of all, you can't call it a policy any more. It is to be your Privacy Notice.

And the starting point of a privacy notice should be to tell people:

  • who you are;
  • what you are going to do with their information; and
  • who it will be shared with.

These are the basics upon which all privacy notices should be built. Writing them and displaying them is another matter.

They must be provided in a concise, transparent and easily accessible form (in your main navigation), using clear and plain language.

Where To Start

To help you decide what you need to include you should map out how your information flows through your organisation and how you process it, recognising that you might be doing several types of processing. You should work out:

  • what information you hold that constitutes personal data; e.g. name, address, phone number, email address
  • what you do with the personal data you process; e.g. complete an order, answer a question, deliver something, direct marketing
  • what you actually need to carry out these processes; i.e. don't ask for an address or phone number if you are not going to ring or write
  • whether you are collecting the information you need;
  • whether you are creating derived or inferred data about people, for example by profiling them; e.g. are you asking their gender, location, opinions?
  • whether you are likely to do other things with it in the future; e.g. if you are going to send them offers, newsletters etc.
  • how long you are going to keep the personal data

Then try drafting it out and see if it is easy to read and covers everything. It may take a few attempts, and asking someone else to read it will help. If they understand it then most others will as well.

Consent By Default Is No Consent

You need to consider how you will gain and record individuals’ consent, if required.

There is a fundamental difference between telling a person how you’re going to use their personal information and them agreeing to such use.

Although in many cases it is enough to be transparent (e.g. telling them about cookies) and rely on a lawful basis other than consent (e.g. you need their home address to deliver the goods they have bought from you), in others a positive indication of an individual's agreement will be needed (e.g. opt-ins and direct marketing).

When relying on consent, your method of obtaining it should:

  • be displayed clearly and prominently;
  • ask individuals to positively opt-in, in line with good practice; and
  • give them sufficient information to make a choice. If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid.

In addition if you are processing information for a range of purposes you should:

  • explain the different ways you will use their information; and
  • provide a clear and simple way for them to indicate they agree to different types of processing. In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another.

Think of using something like this:
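As an added illustration (not code from the original post), here is one way to model that kind of form on the server side: every purpose is a separate box, every box starts unticked, a single "agree to everything" box is refused, and the record keeps the wording the person actually saw. The purposes, the notice version label and the sample submission are all constructed for the example.

```javascript
// Purposes the form asks about, each with the wording shown next to its box.
// These are assumptions for the example, not the site's real purposes.
const PURPOSES = {
  reply: "Use your name and email to reply to your message",
  newsletter: "Send you our monthly newsletter by email",
  offers: "Send you offers about our products by email",
};
const NOTICE_VERSION = "2018-05"; // assumed label of the privacy notice in force

// The state the page should render: every box unticked, because a
// pre-ticked box is "consent by default", which is no consent at all.
function defaultFormState() {
  return Object.fromEntries(Object.keys(PURPOSES).map((p) => [p, false]));
}

// Turn a submitted form into a consent record. Only purposes the person
// positively ticked are granted, and each is stored with the wording shown
// at the time, so you can later show exactly what they agreed to.
function recordConsent(submitted, now = new Date()) {
  // Refuse keys that are not one of the separate purposes, e.g. an
  // all-or-nothing "agree" box, which cannot give granular consent.
  for (const key of Object.keys(submitted)) {
    if (!(key in PURPOSES)) throw new Error(`no such purpose: ${key}`);
  }
  const granted = [];
  for (const [purpose, text] of Object.entries(PURPOSES)) {
    if (submitted[purpose] === true) granted.push({ purpose, text });
  }
  return { noticeVersion: NOTICE_VERSION, recordedAt: now.toISOString(), granted };
}

// Is a given type of processing allowed under a record? No tick means no.
function mayProcess(record, purpose) {
  return record.granted.some((g) => g.purpose === purpose);
}

// Right to be forgotten: withdraw every purpose and note when it happened,
// so the processing stops while the fact of withdrawal can still be shown.
function withdrawConsent(record, now = new Date()) {
  return { ...record, granted: [], withdrawnAt: now.toISOString() };
}

// Constructed sample: the visitor ticked "reply" and "offers" only.
const SAMPLE_SUBMISSION = { reply: true, newsletter: false, offers: true };
```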

And just as you need to obtain and record their consent, you must also provide a means for them to request that their data be removed. It's called "the Right To Be Forgotten". See ours here.

Secure The Personal Data You Collect

Remember that we are only talking about your website here. So is it secure, i.e. does it have the green padlock in the address bar?

When a visitor completes a form on your site they input personal data, and while that data is being transmitted it can be intercepted unless the connection is encrypted.

Moving from an http site to an https site is explained here or by clicking the image.

Soon all browsers will show a "This site is not secure" warning on every http site when a visitor lands on it.

Thus by remaining on http you will be discouraging people from giving you personal data, which rather defeats the whole object of getting them there.

What Next

From this you will see that there is “no one size fits all” solution as every business or website will have different intentions and practices.

And we have changed our privacy notice to encompass what is explained here. To help you we have put up a page showing the old and new policy so that you can see the differences easily.

There were not very many, as a review (as suggested above) made us focus on and identify what data we actually collected and what we did with it. Most of it is statistical data from plugins (Google Analytics, Wordfence etc.) showing number of visitors and behaviour.

This site does not sell goods, has no opt-ins and does not harvest emails to build a list. It does, however, have a number of Contact Forms. If you go round the site you will see how they have changed by having a notice added, or just look at the one below.

If you copy and paste ours then you do so at your own risk as no warranty is given that it is going to work. Until there is case law about what is acceptable and what is not then it is all a bit of crystal ball gazing.

But having something at least shows that you tried.

If you need help, guidance or to have it done for you then GO HERE

Pretty sure Google will have all sorts of plans to deal with the GDPR as they are covered by it big time. They collect enormous amounts of data about all of us.

So it is likely that their bots will be keeping a lookout for sites with a privacy notice that complies with GDPR and will reward/punish/ignore as only Google knows.

And if you have any questions then use the form below and I will try to answer them for you.

You will see that the form is next to a video (Google loves videos in posts) from a very helpful lady. She touches on some points I have not dealt with expressly so it is worth watching. It lasts about 10 mins.

To sum up you need to rethink and update your privacy policy (now a privacy notice!), update your forms and get the green padlock.

Thanks for reading.

Ask A Question re GDPR

Your personal information is only requested so that we may reply to your message. Please review our Privacy Notice to see what data is collected.
