On the 25th May 2018 the EU General Data Protection Regulation (GDPR) comes into force. The question is: is your website GDPR ready? If not, you could be fined up to 4% of your annual global turnover or €20 Million, whichever is greater!
What is GDPR?
The General Data Protection Regulation is long overdue legislation that will ensure that personal data privacy protection catches up with the advances in technology that have become such an intrinsic and pervasive part of our daily lives. Its purpose is to:
protect all EU citizens from privacy and data breaches in an increasingly data-driven world
The GDPR is about protecting personal data. Personal data is regarded as
information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
The GDPR has added a number of key points onto existing privacy protection legislation (Data Protection Directive 95/46/EC). The most significant changes are:
- Increased territorial scope – i.e. it does not matter where your business is but where your customers are. If they are in the EU then they are covered by this legislation
- Businesses can be fined, whether they are a processor or a controller of the information
- Conditions for consent have been strengthened – it has to be explicit in many cases and the request for consent must be transparent
GDPR will affect both “Controllers” and “Processors” of data. Your company is most likely a “Controller”, which means that your business:
determines the purposes and means of the processing of personal data
This means that, whether you are collecting the data yourselves or not, if you are the instigator of the data collection and you are determining who you share the data with and how they are going to use it, you are the “Controller”.
A Processor is the entity that:
processes personal data on behalf of the controller
So, for example, when we collect your data as you register a domain, which we have to do in order to provide this service, we are the “Controller”. Companies like ICANN and Nominet, who manage some of the TLD domain registration systems, are “Processors”. If you run an e-commerce website then you are the controller collecting order information, and you then pass this information on to perhaps a shipping company or a marketing company who process the data.
Of the above changes, the one that is going to most affect website owners and the development of your website is the last, Consent.
What is consent and how does it affect your website development?
The GDPR, as stated above, has strengthened legislation around the idea of Consent being given to Controllers and Processors to deal with personal data. However, the GDPR distinguishes between two types of data: personal non-sensitive data and sensitive data.
For sensitive data explicit consent is required: an affirmative action that specifically indicates the user's consent. An example of this would be ticking a box next to a clearly worded sentence indicating what the consent is for.
For non-sensitive data unambiguous consent is all that is required. Unambiguous consent would be an action that, by being carried out, implies consent, for example “please enter your email address to receive our newsletter”.
The other aspect of consent is that parental consent will be required for individuals under the age of 16. Also, different member states of the EU are able to legislate for their own age limit, although this cannot be lower than 13.
The other points of note about how consent needs to be handled are that:
- The terms of consent need to be unbundled from general terms and conditions so that visitors can clearly see what they are consenting to.
- As far as possible consent needs to be granular, that is, consent should be sought separately for different aspects of your data handling
- Consent needs to be easy to withdraw.
In order to determine how this is going to affect your website services you will need to determine how you are collecting data from users. By far the most common method is via Cookies.
Cookies are small text files placed on a user’s computer hard drive by a website. They are often used for storing information about whether you are logged in or what is in your shopping cart. They are also used for tracking visitor behaviour by website owners to help identify problems and enhance services.
This type of information is generally anonymous, that is, it is not personally identifiable. Such data can be treated differently from personal data because of its anonymity, unless information like an IP address is also collected and passed on to a processor so that individuals can be tracked and identified. Cookies can store any type of data, so ensure you check what data you are embedding in your cookies.
Your cookies policy should list all the processors of the cookie data as well as the cookies used by them, with links to each processor's own policy and, if possible, a means to opt in and out of individual cookies, although this is not currently required.
So in many instances your website, and indeed your business, will be collecting personal data such as:
- Email address
- Social security number
- Location data
- IP address
It may even be collecting sensitive personal data, such as:
- Health status
- Sexual orientation
- Religious beliefs
- Political beliefs
Personally identifiable data needs to be handled differently. This is where a change in your website's data collection and consent procedures is likely to be required.
What do you need to do to make your website GDPR compliant?
Well, the first thing to do is to carry out an audit of all the information that you collect. You should also include cookies in this. Once this is done you will need to identify all the Processors, that is, everyone you are sharing this data with. You may need to bring in your web developers to answer some of these questions, as well as marketing and service and product provisioners. It is likely to be more than you think.
Once you have your list you need to categorise it into anonymous data, personal data and sensitive personal data. Personal and sensitive personal data are going to require the development of a consent gathering process. You will need to determine:
- At which point in the information gathering process consent will need to be obtained, and whether it can be unambiguous or needs to be explicit
- How you are going to keep a record of that consent
- How people will be able to remove consent
- How users can request a copy of the personal information that you hold
- How users will be able to delete their personal information that you hold
In most instances it is likely that your website is already up to date. The main difference may be that all those check boxes that you have on checkout, for example, need to be clearly worded, and consent cannot be pre-assigned, i.e. visitors need to select to opt in, NOT select to opt out. Also, information with regard to what the visitors are consenting to needs to be separate from your general terms and conditions. Lastly, you should look at how you can split up different aspects of your consent process, for example splitting it between personal and sensitive personal information and providing opt-ins for both of these categories separately.
This is ultimately going to require web developers in order to provide the appropriate granular consent functionality and the ability to store that consent, and the nature of the consent, against a single collection event.
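As an added illustration (not code from the original article or from the author's company), here is a hypothetical consent ledger in Python that applies the points above: one record per purpose rather than a bundled “I agree”, an unticked box recorded as refusal instead of pre-assigned consent, the version of the wording stored with each decision, withdrawal appended rather than edited away, and export and erasure for subject requests. The purpose names, notice versions and checkbox form layout are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Granular purposes (assumed names): each gets its own opt-in box on the form.
PURPOSES = ("newsletter", "analytics", "share_with_shipping_partner")


@dataclass(frozen=True)
class ConsentRecord:
    purpose: str
    granted: bool
    notice_version: str   # which wording the visitor actually saw when acting
    recorded_at: str      # ISO-8601 UTC timestamp of the action


class ConsentLedger:
    """Append-only consent history per data subject (hypothetical in-memory store)."""

    def __init__(self):
        self._log = {}    # subject_id -> list[ConsentRecord], oldest first

    def _append(self, subject_id, purpose, granted, notice_version):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        rec = ConsentRecord(purpose, granted, notice_version,
                            datetime.now(timezone.utc).isoformat())
        self._log.setdefault(subject_id, []).append(rec)
        return rec

    def record_from_form(self, subject_id, form, notice_version):
        """Opt-in only: a browser sends 'on' for a ticked checkbox and nothing
        for an unticked one, so a missing field is recorded as refused."""
        return [self._append(subject_id, p, form.get(p) == "on", notice_version)
                for p in PURPOSES]

    def has_consent(self, subject_id, purpose):
        """Latest entry wins, so a later withdrawal overrides an earlier grant."""
        hist = [r for r in self._log.get(subject_id, []) if r.purpose == purpose]
        return bool(hist) and hist[-1].granted

    def withdraw(self, subject_id, purpose, notice_version):
        """Withdrawing is one call, as easy as granting; history is kept."""
        return self._append(subject_id, purpose, False, notice_version)

    def export(self, subject_id):
        """Subject access request: every consent decision held for this person."""
        return [asdict(r) for r in self._log.get(subject_id, [])]

    def erase(self, subject_id):
        """Erasure request: drop the subject's history, return how many records went."""
        return len(self._log.pop(subject_id, []))
```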
Where this is going to fall down is where there is a heavy reliance upon 3rd party website solutions. For example you may be reliant on a 3rd party newsletter plugin currently. The question is: is that plugin going to be GDPR compliant and also is it sufficiently compliant for your website’s needs?
If you have doubts about your website’s ability to meet the new requirements for GDPR compliance please get in touch. We can discuss possible solutions once we have audited your website.
Lastly: Do you need to worry about GDPR because of Brexit?
The answer to this is YES. Brexit makes no difference to GDPR, as your need for compliance is determined by the location of your clients. Also, the UK Government has confirmed its commitment to bring GDPR legislation into UK law.