This guide is a short, practical approach to GDPR and what it means for data privacy and your business online.
Everyone’s heard of GDPR, the new EU data privacy law that comes into force on 25th May 2018. There’s a lot of unnecessary scaremongering going on at present about what this means, how much work it is to be compliant and the fines companies may be liable for. This guide is a short, practical approach to help guide our clients on how to meet current best practice in data privacy.
We have also written some more detailed articles on a few specific aspects of data privacy:
NOTE: This is our current interpretation of EU data privacy law and how it affects your website and digital strategy. We’ll update this article to reflect any clarifications after 25 May. Normal legal disclaimer: we’re not lawyers, so if you need legal advice please talk to a lawyer.
The key principle behind all this is to collect personal user data responsibly and in a transparent manner. This is a good thing. As has been highlighted by recent news, it’s something a lot of big companies don’t take seriously. It’s time for that to change. Better data privacy also increases user trust which means you’re more likely to do more business with your users on the web.
The GDPR is an evolution of existing EU data privacy law. It is an attempt to bring that law up to date and fit for purpose in the 21st century. Regardless of the final outcome of Brexit, the UK Government has committed to GDPR, so this law applies in the UK.
The law applies to any business anywhere in the world that offers services to EU and UK users. As far as the internet goes, that means any website or digital service that has EU or UK customers.
GDPR distinguishes between the controller (the organisation that decides why and how personal data is processed, normally the site owner) and the processor (an organisation that processes that data on the controller’s behalf, such as the agency that hosts or manages the site). Both parties are responsible for the correct handling of user data. If users have any issues with data privacy these would normally be directed at the site owner (the controller), though both parties may have to work together to respond to such requests.
By taking data privacy seriously and building this into your business processes now and in the future.
GDPR covers both internal business processes and how you deal with user data on your website. The focus of this article is on your website and how you deal with user data. You also need to consider how you process user data in your business.
Pretty much anything you can link to an individual. The law defines this as identifiers such as a “name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (Article 4, Definitions).
So in practical terms this means things like name, email address and postal address. It also covers identifier information such as a user ID, IP address, cookie or session identifier, geo-location, and any other method you can think of to track an individual.
The new law gives users certain rights over their data and controls how organisations can collect that data. These rights are:
There are six lawful bases for collecting user data under GDPR. However, in the context of websites the following three usually apply.
You need to ask for consent clearly and explain what you are going to use the user’s data for. Consent must be a positive, specific action by the user: simply having a checkbox stating “we want to send you marketing materials”, or a checkbox saying “we’ll share your data with trusted suppliers”, is no longer OK!
You should not make consent a precondition of a service. For example, here is what you shouldn’t do:
This lawful basis appears to give more flexibility in how it is used. The GDPR itself gives IT security (e.g. preventing cyber attacks), handling client data and direct marketing as examples of legitimate interest.
Almost all websites record the user’s IP address as part of the web server access log. Logs are usually kept for one month, and retaining them for that period to help with IT security (for example, investigating an attack) can be considered a legitimate interest. Check that your retention period actually matches what you state: a log that is never rotated is being kept far longer than one month.
The legitimate interest test is a little complex, but in simple terms it should only be used where the data processing is legitimate, necessary, and does not conflict with the user’s rights or freedoms. You are required to make a risk-based assessment each time you rely on this lawful basis. Find out more about legitimate interests.
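As an added example (not part of the original article), the following logrotate policy enforces the one-month retention for web server access logs described above. The log path, the nginx PID file location and the file ownership are assumptions; adjust them for your own server. Only the `rotate` and `maxage` settings matter for the retention period: together they make sure no rotated log survives longer than roughly 30 days, even if rotation stalls for a while.

```conf
# Added example, not from the original article.
# Assumed paths: /var/log/nginx/access.log and /run/nginx.pid.
/var/log/nginx/access.log {
    # Rotate once a day and keep 30 rotated files: roughly one month of IP data.
    daily
    rotate 30
    # Belt and braces: remove any rotated log older than 30 days regardless of count.
    maxage 30
    # Compress rotated logs, but leave the most recent one uncompressed for inspection.
    compress
    delaycompress
    # Do not fail if the log is missing, and skip empty logs.
    missingok
    notifempty
    # Recreate the live log readable only by the web server and the admin group.
    create 0640 www-data adm
    sharedscripts
    postrotate
        # Ask nginx to reopen its log files after rotation.
        [ -f /run/nginx.pid ] && kill -USR1 "$(cat /run/nginx.pid)"
    endscript
}
```

Drop this into /etc/logrotate.d/ and confirm the result with `logrotate -d /etc/logrotate.conf`, which shows what would be rotated and deleted without touching any files. If you state a different retention period in your privacy notice, change `rotate` and `maxage` to match it.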
Read about how GDPR affects email marketing.
Read our guide on cookies and GDPR.
Under GDPR a serious data breach that results in a risk to people’s rights and freedoms must be reported to the Information Commissioner’s Office (ICO), the UK authority for data protection, within 72 hours of becoming aware of it. ICO gives the example of a stolen customer database, which could enable identity theft and so needs to be reported, whereas the loss of a staff telephone list is not a serious risk and would not.
If a processor is made aware of a data breach then they must notify the controller promptly. The controller must then report any serious data breach to ICO within 72 hours.
In the context of a website managed or hosted by Studio 24, if Studio 24 (the processor) is made aware of a data breach we will make the client (the controller) aware as soon as possible.
You can find out more about what constitutes a serious data breach and how to report it on ICO’s guide to Personal data breaches.
Also see: Report a data breach at ICO
The law is regulated in the UK by the Information Commissioner’s Office (ICO). If a user makes a complaint, or ICO investigates and finds you have fallen foul of data privacy law, then you can expect to be contacted by ICO, who should work with you to fix any issues.
Automatic high fines are very unlikely to happen in practice, however much some people are shouting about this. ICO have said they prefer guiding, advising and educating organisations to meet data protection law.
However, if you don’t start to take data privacy seriously you should expect to get a knock on the door.
If you haven’t already we recommend you:
If you need help auditing how personal data is collected and used on your website, and how to improve this to help meet GDPR, please do get in touch.