From May 2018 the new General Data Protection Regulation (GDPR) will determine how your business does business. And that includes making sure your website is GDPR ready too.
Your business will need to manage, administer and protect personal data, no matter what sector it is in.
To help you prepare (and to help us prepare too) we have developed a GDPR checklist based on the latest information that’s available. We have also made a GDPR Infographic for you to download; use it to your heart’s content. Share it, print it, email it. Heck, use it to base your own checklist off! Just make sure you implement it. Because the monetary fines for not being GDPR regulated is not a fine that you want to pay.
How Does This Affect Your Website?
You’ve probably heard all about cookies, but did you know they could represent a major breach from a legal point of view, when considering GDPR?
Cookies are small files that are automatically left on computers as the web is being browsed. Normally these are harmless bits of text that are locally stored and can be easily viewed and deleted.
However, these cookies can give an in-depth insight into the activity of the user and their preferences. This means their identity can be identified without their consent.
As data technologies grow more and more sophisticated, the user’s privacy is increasingly compromised. Although cookies don’t usually originate from the websites the user has visited, third parties can track the users for marketing purposes.
And although not all cookies can be used to identify the users, normally those that are most useful to the owners of the website will be subject to GDPR. Cookies used for analytics, advertising and functional services, such as survey and chat tools, are all examples of cookies that can identify users.
Below is information on how to make your website and your business GDPR compliant:
Legitimate interests refers to the limitations that a company has when it comes to processing personal data. This may imply a benefit inherent in processing for that company itself or perhaps for wider society. It’s important to ensure that the legitimate interests ‘must be real and not too vague’. The Data Protection Network state that “an ‘interest’ can be considered as ‘legitimate’, as long as the controller can pursue this interest in a way that complies with data protection and other laws”.
Check that the legitimate interests is the most appropriate lawful basis for processing.
Ensure you have explained how or why you need an individual’s personal data when you collect it.
Ensure that individuals are well informed of what you plan to do with their data when you collect it.
Always give individuals the option to refuse marketing and that it’s explicitly stated and easy to exercise that right.
Only collect the minimum data necessary and delete records after use – You can keep data needed for a suppression file and you need a valid reason to process an individual’s personal data using your legal legitimate interests.
So How Does This Affect Websites?
Direct marketing is recognised as a legitimate interest in GDPR recital 47. For example, an individual may have bought a product from a business so that business can market similar products to the customer.
Some interests are likely to be legitimate because they are ‘strictly necessary’ for corporate governance or related legal compliance issues, particularly where there is no legal obligation to comply with, but the processing is essential to ensure the controller meets external or internal governance obligations. Whether you rely on consent or legitimate interests for your marketing, you need to do similar things to make sure you are GDPR compliant:
- Be clear with individuals about why you need their data at the point of collection.
- Always use clear and concise language appropriate for your target audience.
- Give individuals control over their data. They should be able to decide whether to share their personal data with you or not.
- Under the GDPR principle accountability you should be able to demonstrate that you are compliant. This means recording the legal grounds for processing an individual’s personal data.
For an in depth account of what exactly legitimate interests in regards to GDPR is and how to work out if your company is compliant, check out the Data Protection Network’s Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation.
Asking For Consent
Consent is a lawful basis for processing and can legitimise use of special category data, restricted processing, automated decision-making and overseas transfers of data.
With the new regulations, this is not sufficient and does not comply with the consent rules.
Relying on inappropriate or invalid consent could destroy trust and harm your reputation. Plus, it may leave you open to large fines.
If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing” – The Information Commissioners Office.
Asking For Consent Checkboxes
- Check that consent is the most appropriate lawful basis for processing.
- Check that consent was asked for prominently and separately from your terms and conditions.
- Ensure individuals are asked to positively opt-in.
- Make sure that pre-ticked boxes are not used, nor are any other type of consent by default.
- Only use clear, plain and easy to understand language.
- Explain why data is wanted and what you’re going to do with it.
- Provide specific options to consent and to the different types of data processing that are carried out.
- Highlight named organisations and third parties that data may be shared with. This may be a requirement in the ICO’s consent guidance so think about how you would manage it.
- Explain how individuals can withdraw their consent.
- Explain how an individual can refuse to consent without detriment.
- Ensure that it’s made clear that consent is not a precondition of your service.
- Ensure that if online services are offered to children, that you only ask for consent if you have age verification and parental consent measures in place.
- Keep a record of when and how you got consent from the individual
- Likewise, keep a record of exactly what they were told at the time. For example, if you have more than 250 employees, detailed records of the processing undertaken need to be kept. Smaller businesses are exempt unless the processing carried out carries a high privacy risk or involves sensitive data.
The Records Must Cover
- Name and contact details of the controller and their data protection officer
- Purposes of processing
- Classes of data
- Details of recipients’ data
- Overseas transfers
- Data retention periods (where possible)
- Security measures in place.
- Make sure that consent is regularly reviewed ensure that the relationship, the processing and the purposes have not changed since consent was given.
- Ensure that you have the means to refresh consent at appropriate intervals, including any parental consent.
- Using privacy dashboards or other preference-management tools is good practice.
- Make it easy for individuals to withdraw their consent at any time, and show them how to do so. And when consent is withdrawn, act quickly.
- Don’t penalise individuals who want to withdraw their consent.
Check out Credit to the Information Commissioner’s Office (ICO) GDPR consent guidance: www.ico.org.ukfor more information.
- Be clear with individuals why you are collecting their data.
- 2Use clear and concise language appropriate for your audience.
- You must give information at the point you collect data. It cannot be hidden in small print.
- Give individuals control over their personal data – they should be able to decide whether to share their personal data with you or not.
Collection Of Personal Data
When collecting personal data you will need to make sure individuals are aware of the following:
- The identity and contact details of your business.
- Contact details of the data protection officer, if you have one.
- The consent or legitimate interests necessary for data processing and why.
- If your business uses legitimate interests legal grounds to contact individuals, then this must be explained.
- Additionally, which third-party data may be passed onto.
- Other countries outside the EU the data may be processed.
- How long the data will be stored. But if that is not possible, then the criteria used to determine that period.
- Tell individuals about their right to have their personal data deleted or rectified, and to object to data processing in the future.
- The right to complain to the national data protection authority, which is the Information Commissioner’s Office (ICO) in the UK.
- If a statutory or contractual law requires an individual’s personal data information about automated decision making, including profiling.
- You should explain, “Meaningful information about the logic involved” in the profiling.
When collecting personal data through cookies, you should be mindful of the following:
- User consent is requested by means of a comprehensible banner, where the users can easily opt-in and out of the various types of cookies.
- The users can at any time access the consent setup and edit or withdraw their consent.
- Every twelve months, the consent is automatically renewed upon the user’s first visit to the website.
- The communication in the consent banner is user-friendly and no-nonsense, offering true transparency but at the same time avoiding information overload.
- The consent is requested prior to the setting of the cookies, except for the strictly necessary, and therefore, also legal ones.
- All consents are automatically collected through a secure connection and stored as strongly encrypted keys.
Third-party cookies are set up by another website, not the one that the user is on and is often used to collect certain information to carry out research into the user’s behaviour, demographics and targeted marketing.
When buying third party data, make sure you do your due diligence, as GDPR makes you accountable and responsible for making sure the personal data you use for marketing is compliant. To be sure, give third party data suppliers rigorous checks.
- Know how the list was compiled.
- Not work with or use any organisation that withholds this information.
- Know whether the consent was recently obtained/updated.
- Make sure that the third party can prove consent (see point 1).
- Ask whether data has been screened against the Telephone Preference Service and/or Mailing Preference Service. If not, you will need to screen the data.
- Make sure your organisation was specifically named when the data was collected. This may be a requirement in the ICO’s consent guidance so think about how you would manage it.
- See a sample of the data. Record this process so you have proof that you’ve carried out extensive due diligence of your third party data suppliers.
Other Types Of Cookies To Consider
Session cookies are temporary and expire once the user has left your website. They’re mainly used on eCommerce sites to hold items in baskets whilst the user is shopping online.
Permanent cookies stay on your user’s disk for a long time after the session has ended. By law, it should be deleted every 12 months at the very least, but a cookie has the potential to stay on there forever. These cookies hold data such as login details, contact information and account numbers.
First-party cookies are the cookies issued from the website the user has accessed. They remind the website about the user’s data and preferences.
Depending on their duration and on their origin, GDPR can affect them in different ways.
Profiling means evaluating personal data so you can make predictions about an individual or a group. This means that marketing communications can then be targeted and personalised for individuals or groups.
- Ensure that you tell people how and why you profile personal data but give people the chance to opt-out.
- Explain how you profile an individual’s personal data in your privacy notice/policy.
If You Process Personal Data Via Automated Decision Making
- Consent may need to be explicit – an informed opt-in, like a tick box, with clear copy explaining any consequences for individuals.
- Consider whether the profiling has legal or other ‘significant effects’ on individuals.
- You must ensure that the individual gives explicit consent.
- You need to undertake a privacy impact assessment to determine whether legitimate interest or consent is the most appropriate legal basis for your profiling activities.
To continue marketing to individuals on your website and on your database, you must make sure that data is GDPR compliant.
- Ensure that you have implemented the requirements mentioned in the consent, legitimate interests and information provision sections of this checklist.
- As long as the data used is GDPR compliant then the ICO will have confirmed that the data can be used after May 2018.
To Get Your Legacy Data GDPR Compliant
- Ensure that your company demonstrates to individuals the reasoning behind collecting their data.
- Likewise, ensure this is made clear using concise language appropriate for the target audience.
- In addition, be certain to give individuals the chance to object to the processing of their data.
- Companies should be able to demonstrate compliance with GDPR. With this in mind, there should be a record of legal grounds for processing an individual’s personal data.
- Demonstrate that individuals have been informed of what is being done with their data clearly and specifically, and why. Consequently, if this cannot be demonstrated, then it cannot be proved that the legacy list is compliant.
- Also, make sure to use direct mail to reconnect with individuals on the database.
- Finally, ensure that consent is renewed at least every two years once reconnection with the individual has been established.