The GDPR becomes law in every part of the EU (including the UK, whatever happens with Brexit) on 25 May 2018.
It is intended to protect the personal data of every EU citizen and will apply to those outside the EU who do business with anyone in the EU.
Not only will it affect your business or organisation, it will affect your website.
But if you have a Contact Form on your site or if you allow comments to your articles then you are collecting personal data. You are therefore subject to the GDPR.
And you are still caught by the GDPR if you have an ecommerce site, even if the payment is made via a third-party site such as PayPal, because when a payment is processed you are given the purchaser's name, address and email for delivery and accounting purposes.
These regulations are all about the protection of personal data and must be processed according to the six data protection principles:
Personal Data means any data that can be used to identify a living human person. It includes
And there are special rules, prohibitions and exemptions for these subjects:
So an email address of, say, Joe.Smith@gmail.com can identify that individual as it names him. The regulations will apply.
Likewise, as there is no distinction between consumer data and business data, an email address of Joe.Smith@xyz.com will identify that individual in that organisation. The regulations will apply.
But a generic email address such as firstname.lastname@example.org is not covered by the regulations as no person could be identified. Likewise admin, sales, enquiries etc.
While the regulations apply to data stored electronically, they also apply to data on paper intended to form part of a filing system, but that is another huge topic and is not the subject of this article.
First of all, you can't call it a policy any more. It is to be your Privacy Notice.
And the starting point of a privacy notice should be to tell people:
These are the basics upon which all privacy notices should be built. Writing them and displaying them is another matter.
They must be provided in a concise, transparent and easily accessible form (in your main navigation), using clear and plain language.
To help you decide what you need to include you should map out how your information flows through your organisation and how you process it, recognising that you might be doing several types of processing. You should work out:
Then try drafting it out and see if it is easy to read and it covers everything. It may take a few attempts and asking someone else to read it will help. If they understand it then most others will as well.
You need to consider how you will gain and record individuals’ consent, if required.
There is a fundamental difference between telling a person how you’re going to use their personal information and them agreeing to such use.
Although in many cases it is enough to be transparent (e.g. telling them about cookies) and rely on a lawful basis other than consent (e.g. you need their home address to deliver the goods they have bought from you), in others a positive indication of an individual's agreement will be needed (e.g. opt-ins and direct marketing).
When relying on consent, your method of obtaining it should:
In addition, if you are processing information for a range of purposes you should:
Think of using something like this:
And just as you need to obtain and record their consent, you must also provide a means for them to request that their data be removed. It's called "the Right To Be Forgotten". See ours here.
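As an added example (not code from this site), a minimal consent ledger that does what the last few paragraphs ask for: it records a consent only when the person gave a positive indication, keeps the record per purpose along with the version of the privacy notice they were shown, lets them withdraw it, and honours an erasure request. The field names and the in-memory store are assumptions for illustration; a real site would persist this in its database.

```python
"""Minimal per-purpose consent ledger with withdrawal and erasure (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    email: str                 # the identifier that makes this personal data
    purpose: str               # one purpose per record, e.g. "contact_form" or "newsletter"
    notice_version: str        # which privacy notice the person was shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Assumed in-memory store keyed by normalised email address."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_consent(self, email: str, purpose: str, notice_version: str,
                       ticked: bool, now: Optional[datetime] = None) -> ConsentRecord:
        # Only an affirmative action counts as consent; an untouched box records nothing.
        if not ticked:
            raise ValueError("consent requires a positive indication of agreement")
        rec = ConsentRecord(email.strip().lower(), purpose, notice_version,
                            now or datetime.now(timezone.utc))
        self._records.setdefault(rec.email, []).append(rec)
        return rec

    def has_consent(self, email: str, purpose: str) -> bool:
        # Consent is purpose-specific: agreeing to a contact form is not agreeing to marketing.
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(email.strip().lower(), []))

    def withdraw(self, email: str, purpose: str, now: Optional[datetime] = None) -> int:
        # Mark active records for this purpose as withdrawn; keep them as an audit trail.
        stamp = now or datetime.now(timezone.utc)
        changed = 0
        for r in self._records.get(email.strip().lower(), []):
            if r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = stamp
                changed += 1
        return changed

    def erase(self, email: str) -> int:
        # Right to be forgotten: drop every record held for this person.
        return len(self._records.pop(email.strip().lower(), []))
```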
Remember that we are only talking about your website here. So is it secure, i.e. does it have the green padlock in the address bar?
When a visitor completes a form on your site they input personal data, and while that data is being transmitted it can be intercepted.
Moving from an http site to an https site is explained here or by clicking the image.
Soon all browsers will pop up a “This site is not secure” warning on every http site when a visitor tries to land on the site.
Thus, by remaining http you will be discouraging people from giving you personal data, which rather defeats the whole object of getting them there.
From this you will see that there is "no one size fits all" solution, as every business or website will have different intentions and practices.
And we have changed our privacy notice to encompass what is explained here. To help you we have put up a page showing the old and new policy so that you can see the differences easily.
There were not very many, as a review (as suggested above) made us focus on and identify what data we actually collected and what we did with it. Most of it is statistical data from plugins (Google Analytics, Wordfence etc.) showing number of visitors and behaviour.
This site does not sell goods, has no opt-ins and does not harvest emails to build a list. It does, however, have a number of Contact Forms. If you go round the site you will see how they have changed by having a notice added... or just look at the one below.
If you copy and paste ours then you do so at your own risk, as no warranty is given that it is going to work. Until there is case law about what is acceptable and what is not, it is all a bit of crystal ball gazing.
But having something at least shows that you tried.
Pretty sure Google will have all sorts of plans to deal with the GDPR, as they are covered by it big time. They collect enormous amounts of data about all of us.
So it is likely that their bots will be keeping a lookout for sites with a privacy notice that complies with GDPR and will reward/punish/ignore as only Google knows.
And if you have any questions then use the form below and I will try to answer them for you.
You will see that the form is next to a video (Google loves videos in posts) from a very helpful lady. She touches on some points I have not dealt with expressly, so it is worth watching. It lasts about 10 minutes.
Thanks for reading.