Your website and GDPR

Everyone knows what the GDPR is by now and that it is in full effect. GDPR is already having a huge impact on website design

Everyone knows what the GDPR is by now and that it is in full effect. GDPR is already having a huge impact on website design

Which will have a ripple effect on how your website integrates with all your other digital activities.  This includes email marketing, data forms that feed into your database systems for bookings, billings and e-commerce along with the social media links to Facebook, Instagram etc.

The golden threads that tie everything together under the GDPR, are firstly the ‘beefed up’ concept of consent and, secondly, the principles of accountability and transparency.

If you listen to any speech that Elizabeth Denham, the Information Commissioner has given recently, these themes are pivotal:

  • “The GDPR and Beyond: Privacy, Transparency and the Law” (23 March 2018 at the Alan Turing Institute).
  • “Trust, Transparency and Just-in-Time FOI: Sustainable Governance and Openness in the Digital Age” (22 March – Annual Jenkinson Lecture).

At DMA Data Protection 2018, which I attended myself on 23rd February, she said:

“Our policy emphasises, of course, the ICO’s commitment to lead implementation and oversight of the GDPR and other data protection reforms. It sets out our commitment to exploring innovative and technologically agile ways of protecting privacy, strengthening transparency and accountability and protecting the public in a digital world.”

So, the takeaway from all of this (in relation to websites) is that consent must be:

  • Freely given
  • Specific
  • Informed

This means that all organisations need to provide more transparency when they are processing personal data via websites.

It’s important to note that it’s your legal responsibility to ensure that your website and/or any data collection or marketing activities that it may handle, complies with GDPR.

That’s not to say that your web company won’t be involved too. However, if the ICO comes knocking because something has gone wrong, you won’t be able to ignore it and just pass them over to them.  They will be a data processor in most cases (and therefore still legally responsible for GDPR compliance within the scope of what they are doing for you), but as the website and organisation owner, you are the data controller.

Remember that under GDPR responsibility is never outsourced, only multiplied!

The first step to ensuring that your website is ‘GDPR ready’ is to conduct a full audit of the site to cover the key areas. This article is not exhaustive but it covers ten key areas that you must review and discuss with your web team.

We will start with the most straightforward changes then move on to the more complex ones.

1. Active Opt-in on any form that collects data.

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check ALL your forms to ensure this is the case.

Remember the rule is ‘no pre-checked boxes. Be careful about negatives too – saying “if you don’t want to receive our stuff” check the box is not GDPR compliant either!

The GDPR demands a clear, affirmative action for opt-in consent.

2. Unbundled Opt-In

Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up for a service unless it is necessary for that service.

3. Granular Opt-In

Users should be able to provide separate consent for different types of processing.

The Information Commissioner’s Office (ICO) has kindly provided a sample privacy notice that you can use on your website for a Granular Opt-in. It is concise, transparent, and easily accessible.

4. Easy to Opt-Out

It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.

In terms of your users’ web experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication or stopping them altogether.

5. Named Parties for Consent

Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to say specifically defined categories of third-party organisations. They need to actually be named. So, for example, ABC Financial Services, ABC Retail, ABC Insurance.

6. Privacy Notices – the basics

This is one of the most important considerations to ensure that your website is GDPR compliant.

If your website collects data then you need to explain, at the point of data collection, what users can expect will happen to their data. We all know that privacy policies equal pain!

A paper by McDonald and Cranor estimates that if the average person read every privacy policy for every website they visited in a year, that reading time would amount to some 244 hours!

In 2010, Facebook’s privacy policy was longer the US Constitution!

It’s this madness that the GDPR is attempting to tackle – privacy policies may still be long and unwieldy documents, but users must be made aware of the relevant facts in an easy-to-read notice at the point of consent when their data is collected.

The GDPR demands clarity through a privacy notice in Articles 12, 13 and 14. The key points to remember are that your privacy notices should be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

This means that a hyperlink to your insanely long privacy policy during registration is not going to do the trick!
As the ICO puts it when discussing the GDPR,

“Being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going Ask yourself the following questions when drafting a privacy notice:

  1. What information is being collected?
  2. Who is collecting it?
  3. How is it collected?
  4. Why is it being collected?
  5. How will it be used?
  6. Who will it be shared with?
  7. What will be the effect of this on the individuals concerned?
  8. Is the intended use likely to cause individuals to object or complain?

Note, for the full detail on what information should be provided to the data subjects at the point of data collection, readers should check out article 13 of the GDPR

7. Privacy Good Practice – The Layered Approach

A layered approach can be useful as it allows you to provide the key privacy information immediately and have more detailed information available elsewhere for those that want it. This is used where there is not enough space to provide more detail or if you need to explain a particularly complicated information system to people.

It usually consists of a short notice containing the key information, such as the identity of the organisation and the way you will use the personal information. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information. This can, in turn, contain links to further material that explains specific issues, such as the circumstances in which information may be disclosed to the police.

This approach comes with the added benefit of good website design – it looks neat, tidy and accessible.

NHS Choices does this really well.

8. Cookies and Tracking Software

You’ll need to include information about any software used on your website which can track and identify an individual in your privacy notice.

Most websites have Google Analytics as standard (it’s used by over 60% of all websites globally). This allows you to analyse the visitors to your site and where they come from, and determine how effective the website is being, along with spotting opportunities to improve it.

In its vanilla form, Google Analytics is GDPR friendly, but there are some finer points that might need to be checked out if you want to be 100% sure your website doesn’t need any changes made. If you have any form of paid advertising (e.g. Facebook Ads, Google AdWords) you’ll need to be tracking results on your website (e.g. using Facebook Pixels, Google Tag Manager). The way this is being used makes a difference, but you’ll almost certainly need to specifically declare it in your privacy notice, and you will need to provide a way for users to opt out

The requirement to notify users that a website uses cookies is changing with the new EU ePrivacy Regulation. It was meant to be introduced at the same time as GDPR but is now due to come into force later this year. If your website does more than simply provide information, you will need to analyse what you are currently doing which might be affected by this regulation. A tool which helps with this is Cookiebot, which is free for a single smaller website.

You need a pop-up on your site to state that cookies are used and your visitors need to agree to the use of the data as set out in the privacy and cookie policy.  The policy must state what cookies are used (both yours and third-party ones) and the visitor has to agree to the terms in order to fully use the site.

The use of the website must not be limited to those who accept the use of the cookies. The user must be given the option to use the site without the use of cookies and decline the use of cookies for their session. It must be explained to them the cookie notice that if they decline the cookies the site may lose some functionality.

9. Secure by Design and Default

Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.

“Privacy by design” has always been an implicit requirement of data protection that the ICO has consistently championed.

For websites, this can include:

Checking the location of the service, their GDPR policy and whether they are GDPR compliant or fall under Privacy Shield in the case of services based in the USA.

If you have an e-commerce website and use one of the popular payment gateways, such as PayPal, Sagepay, etc, you need to make sure that (as well as ensuring the processes are followed in line with the above points) the payment gateway privacy policies are checked and referenced in your own privacy policy. If they are UK (or European) based, they will need to be GDPR compliant, if US-based, Privacy Shield compliant.

Ensuring the site has an SSL certificate

This means a Secure Sockets Layer certificate – it’s the encryption code process that sits on the hosting space of your website and it will make the browser bar display a secure notice and sometimes go green and show a padlock symbol. The purpose is to securely encrypt all the details that are entered into any forms or fields on a website. They can be purchased and installed from £99 per year. A variety of SSL certificates are available, all encrypting the data to the same level (256 bit – 2048) but some have further protection and insurances. Popular ones are GeoTrust and VeriSign.

Encrypting and/or pseudonymising personal data collected on the site?

This one is trickier to resolve.

Most websites that have user accounts and store information about its users (like your Amazon account storing your name, address, date of birth etc.) store the data in an SQL database. This is a web-based database that the website invokes for queries and delivers your details when you sign in. In most instances, unless it is online banking, these details will not be stored in an encrypted format and so if the SQL file was accessed the content could be clearly read.

It’s very hard to both store and retrieve data in an encrypted way and this is why most sites don’t. However, as part of GDPR, ‘pseudonymisation’ means that websites will need to start moving towards the users being identified by a username only and that the rest of the data is encrypted so that there is no possible connection between the user and the stored details. You will need to speak to your website developer and host about planning this change as it will take time, planning and require a budget. One immediate solution is to encrypt the drive that the website is stored on.

Any other personal data?

Finally, your website may store personal information in other places. Users may leave a comment, or log in to a user account to pay for an item which means that an email address, name or IP address is most likely to be stored. This will also need to be in your privacy notice and you’ll need to think about how you’re keeping that information secure, especially anything stored within your website’s database.