Everyone’s heard of GDPR, the new EU data privacy law that comes into force on 25th May 2018. There’s a lot of unnecessary scaremongering going on at present about what this means, how much work it is to be compliant and the fines companies may be liable for. This guide is a short, practical approach to help guide our clients on how to meet current best practice in data privacy.
We have also written some more detailed articles on a few specific aspects of data privacy:
NOTE: This is our current interpretation of EU data privacy law and how it affects your website and digital strategy. We’ll update this article to reflect any clarifications after 25 May. Normal legal disclaimer: we’re not lawyers, so if you need legal advice please talk to a lawyer.
Responsible Data Privacy
The key principle behind all this is to collect personal user data responsibly and in a transparent manner. This is a good thing. As has been highlighted by recent news, it’s something a lot of big companies don’t take seriously. It’s time for that to change. Better data privacy also increases user trust which means you’re more likely to do more business with your users on the web.
The GDPR principles include:
- Inform users – Tell users why you are collecting data and who this is shared with
- Limit what you collect – Limit data collection to what is necessary
- Accuracy – Take reasonable steps to keep user data accurate
- Limit data retention – Limit how long you keep data for
- Security – Process user data in a secure way and protect user data from unlawful processing
General Data Protection Regulation (GDPR)
The GDPR is an evolution of existing EU data privacy law. It is an attempt to bring this up to date and fit for purpose in the 21st century. Regardless of the final outcome of Brexit, the UK Government has committed to GDPR, so this law applies in the UK.
Who does GDPR apply to?
The law applies to any business that offers services to EU or UK users, wherever in the world that business is based. As far as the internet goes, that means any website or digital service that has EU or UK customers.
GDPR defines the responsible parties as:
- Controllers – the organisation who “determines the purposes and means of the processing of personal data.” In the context of a website, this is the website owner.
- Processors – the organisation who “processes personal data on behalf of the controller.” In the context of a website, this is any company that processes data on the site owner’s behalf: a digital agency (e.g. Studio 24), a hosting company (e.g. Amazon Web Services) or any service you use that processes your user data (e.g. MailChimp).
Both parties are responsible for the correct handling of user data. If users have any issues with data privacy these would normally be directed at the site owner (the controller) though both parties may have to work together to respond to such requests.
How can I be compliant?
By taking data privacy seriously and building this into your business processes now and in the future.
GDPR covers both internal business processes and how you deal with user data on your website. The focus of this article is on your website and how you deal with user data. You also need to consider how you process user data in your business.
What is personal data?
Pretty much anything you can link to an individual. The law defines this as identifiers such as a “name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (Article 4, Definitions).
So in practical terms this covers things like name, email address and postal address. It also covers identifiers such as a user ID, IP address, cookie or session identifier, geo-location, and any other method you can think of to track an individual.
The new law gives users certain rights over their data and controls how organisations can collect that data. These rights are:
- Right to be informed – inform users about data collection at the point you collect it
- Right of access – allow users to request their own data
- Right to rectification – allow users to correct inaccurate data
- Right to erasure – allow users to have personal data removed, known as the ‘right to be forgotten’
- Right to restrict processing – allows users to request that the use of their personal data is restricted or halted
- Right to data portability – allows users to download or export their data to a new provider
- Right to object – allows users to object to data processing
- Rights related to automated decision making – rights around automated decision making and profiling
So, I want to collect user data. How can I do that?
There are six lawful bases for collecting user data under GDPR. However, in the context of websites the following three usually apply.
- Consent – You need to offer users an informed choice and ask for opt-in consent. For example, opting into a marketing newsletter.
- Contract – You need to process user data to fulfil a contractual obligation to that user. For example, processing an order on an E-Commerce site. Your website terms and conditions would normally cover this use case, so it is the more straightforward basis.
- Legitimate interests – You have a legitimate reason for processing user data (which can be commercial) that passes the legitimate interests test.
Asking for consent
You need to ask for consent clearly and explain what you are going to use user data for. Simply having a checkbox stating we want to send you marketing materials, or a checkbox saying “we’ll share your data with trusted suppliers” is no longer OK!
Make sure you:
- Don’t pre-tick consent boxes, users must give a positive opt-in
- Explain what user data is being stored
- Have granular controls so users can give consent for different things
- Explain what you’re going to do with that data
- If you intend to share data with third parties, you need to name them
- Use clear language
Conditional consent is not OK
You should not make consent a precondition of a service. Examples of what you shouldn’t do:
- You have a form on your website to allow users to download resources and you force the user to consent to marketing materials to download the PDF resource
- You offer wifi in your office and you have a form to allow users to sign up which forces users to consent to marketing materials before they can access wifi
Instead, you should do this:
- If you have a form that offers one service (e.g. download a PDF resource) offer a checkbox to allow users to opt-in to marketing materials if they so wish
Legitimate interests
This legal basis appears to give more flexibility in how it is used. The GDPR recitals give IT security (e.g. preventing cyber attacks), handling client data and direct marketing as examples of legitimate interests.
Almost all websites record the user’s IP address in the web server access log. Keeping those logs for a limited period (one month is typical) so that attacks can be detected and investigated is generally accepted as a legitimate interest for IT security. The retention limit still applies, though: decide how long you keep logs, say so in your privacy notice, and enforce it with a rotation policy rather than letting logs accumulate indefinitely.
The legitimate interests test is a little complex, but in simple terms it should only be used where the data processing is legitimate and necessary, and does not override the user’s rights or freedoms. You are required to make, and record, a risk-based assessment each time you rely on this lawful basis. Find out more about legitimate interests.
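As an added illustration of enforcing that retention limit (this is example configuration written for this article, not Studio 24’s or any client’s own setup), the logrotate policy below keeps a month of nginx access and error logs and then deletes the oldest. The log paths, the `nginx`/`adm` user and group, and the PID file location are assumptions; adjust them for your server.

```conf
# Added example: one-month retention for nginx logs, enforced by logrotate.
# Paths, user/group and the PID file are assumptions for this illustration.
/var/log/nginx/access.log /var/log/nginx/error.log {
    # rotate once a day and keep 30 rotated files, i.e. roughly one month;
    # the 31st day's log is deleted automatically
    daily
    rotate 30
    # don't error if a log file is missing, and skip empty files
    missingok
    notifempty
    # gzip rotated logs, leaving the newest rotated file uncompressed for a day
    compress
    delaycompress
    # recreate the live log with restrictive permissions (owner nginx, group adm)
    create 0640 nginx adm
    # run the postrotate script once for both files, not once per file
    sharedscripts
    postrotate
        # tell nginx to reopen its log files so it stops writing to the rotated one
        if [ -f /var/run/nginx.pid ]; then
            kill -USR1 "$(cat /var/run/nginx.pid)"
        fi
    endscript
}
```

Drop this into `/etc/logrotate.d/nginx` (or merge it with the file your distribution already ships there) and check the result with `logrotate -d /etc/logrotate.d/nginx`, which does a dry run. The same `rotate` count is the figure you should quote in your privacy notice: the policy and the notice must agree.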
Read about how GDPR affects email marketing.
Read our guide on cookies and GDPR.
Data breaches
Under GDPR a serious data breach that results in a risk to people’s rights and freedoms must be reported to the Information Commissioner’s Office (ICO), the UK authority for data protection, within 72 hours of becoming aware of it. ICO gives the example of a stolen customer database, which could enable identity theft and so must be reported, whereas the loss of a staff telephone list is unlikely to pose a serious risk and would not need to be.
If a processor becomes aware of a data breach, they must notify the controller without undue delay. The controller must then report any serious data breach to ICO within 72 hours.
In the context of a website managed or hosted by Studio 24, if Studio 24 (the processor) is made aware of a data breach we will make the client (the controller) aware as soon as possible.
You can find out more about what constitutes a serious data breach and how to report it on ICO’s guide to Personal data breaches.
Also see: Report a data breach at ICO
What happens if you don’t comply with GDPR?
The law is regulated in the UK by the Information Commissioner’s Office (ICO). If a user makes a complaint, or an ICO investigation finds you have fallen foul of data privacy law, then you can expect to be contacted by ICO, who should work with you to fix any issues.
Automatic high fines are very unlikely to happen in practice, however much some people are shouting about this. ICO have said they prefer guiding, advising and educating organisations to meet data protection law.
However, if you don’t start to take data privacy seriously you should expect to get a knock on the door.
If you haven’t already, we recommend you:
- Audit the personal data you collect (both on your website, and in your business)
- Ensure you have clear user consent for marketing emails
- Ensure you have a process in place for dealing with any privacy enquiries from users
If you need help auditing how personal data is collected and used on your website, and how to improve this to help meet GDPR, please do get in touch.