GDPR and how it will affect your website

Important information on upcoming GDPR changes

We apologise in advance for the length of this post, but we feel the following information is important for our clients.

Please do take a few minutes to read through this post thoroughly and don’t hesitate to reach out to us direct if you wish to discuss further.

Background:

There are upcoming changes in European law in the next few months that will affect your website – including any tracking information collected by you or via any third-party service you use and this extends to every company in the world that has clients within Europe.

This is the biggest legal change in the Internet age, and affects everyone who has an online presence or stores digital records of their customers – so basically everyone then! ;-)

As your website uses tracking cookies, has online contact forms and linked to Social Media – and most likely you keep emails and client records on a computer or mobile –  it is an absolute legal requirement that you are aware of and familiar with the implications, and responsible for implementing all changes.

Key things you will need to address on your website to be GDPR compliant:

1. Every request for user data (including cookies) must now be mandatory opt-in by stating consent / legitimate interest.
2. Ensure there is a cookie opt-in pop-up form on the website linked to your updated privacy policy.
3. Ensure that all your online forms have a strict opt-in policy – which must be categorised for specific areas of interest.
4. Ensure that the user has granular opt-in option to state how they wish to be contacted (phone/email/post/text/etc.) as well as mailing list.
5. Ensure the user is given a completely separate check box to say they are agreeing with your terms and conditions on all forms.
6. Assume your online privacy policy document will need to be updated – and must list every named third-party tracking software separately.
7. Ensure the website terms and conditions/privacy policy explicitly reflect the collection, transmission and storage of any personal data.
8. Ensure that all requests for any personal data explicitly state how the data will be used, how the data is stored and for exactly how long.
9. The user must be given simple and clear ways of changing the frequency or opting-out entirely of any marketing communication.
10. Assume that all data in your organisation that is currently stored will need to be made secure and need fresh consent for any marketing.

We are aware there are likely going to need to be some amendments on your website. Please do not overlook the significance of this change – both in time and effort of implementation and the implications if you do not due to the extensive potential fines being presented.

So what is GDPR?

On May 25, 2018 the General Data Protection Regulation (GDPR) comes into force (Regulation (EU) 2016/679).

• The GDPR is a European Union (EU) privacy law that will supersede the Data Protection Act 1995 (Directive 95/46/EC) and it regulates how any organisation treats or uses the personal data of EU citizens.
• It was developed by the European parliament and the new regulation is designed to simplify and unify data protection laws across all countries in the EU, and to offer better protection for individual EU citizens.
• It is the most significant initiative on data protection in 20 years and has major implications for any organisation in the world and applies to any organisation which holds or processes information about residents of the EU, including organisations located outside of the EU or based elsewhere – for example, companies in the United States or China.
• In the UK, the rules will also still apply following Brexit, with the government planning to introduce a data protection bill which will closely mirror the GDPR regulations.
• Under the new legislation, any business that processes data unlawfully risks being hit with a substantial financial penalty – one far higher than anything previously faced. The maximum fine being £20,000,000, or 4% of worldwide annual turnover, depending which is higher.

Personal Data

Any organisation must keep record of and monitor personal data processing activities

The directive is aimed at anything classed as “Personal Data” – which is any piece of data that, used alone or with other data, could identify a person – broken down into the two following categories.

• Identifying information – This includes any information that can be used to identify a person (either directly or indirectly), including name, user name, identification number, email address, bank details and an IP address, etc.
• Sensitive personal information – This includes genetic data, or information around health, sex life, sexual orientation, religious & political views, mental, physiological, economic, cultural or social identities. Basically, anything that could put someone at risk of unlawful discrimination.
• To give people control over how their data is used and to protect “fundamental rights and freedoms of natural persons”, the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
• As data controller, any organisation must keep record of and monitor personal data processing activities. This includes personal data handled within the organisation, but also by third parties – so called data processors.

About Consent

All consents must be recorded as evidence that consent has been given

If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR.

• You need to have a legal basis, like consent, to process an EU citizen’s personal data. Under the GDPR, you may use another legal basis for processing personal data, but we expect the majority of clients will rely on consent. This consent must be explicit and verifiable and not implied through use (like visiting a website or sending an enquiry form).
• For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box, etc) and positively opt-in for their data to be held and used – with the option for them to change their mind and update their preferences at any time in a simple, easy way.
• Verifiable consent requires a written record of when and how someone agreed to let you process their personal data.
• All websites use cookies for analytics, advertising and functional services, such as surveys and chat tools that collect IP addresses and are time stamped.
• All email forms, regardless of opt-in method, collect the email address, IP address, and timestamp associated with everyone who submits an online form.
• For this reason, data collected prior to your adoption of a specific GDPR- informed data policy may have to be discarded.
• Individuals also now have the “right of data portability”, the “right of data access” along with the “right to be forgotten” and can withdraw their consent whenever they want. In such case the data controller must delete the individual’s personal data if it’s no longer necessary to the purpose for which it was collected.
• In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
• Furthermore, GDPR imposes an obligation on public authorities, organisations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organisation.

What does the GDPR mean for my website?

• If your website is serving individuals from the EU and you – or embedded third party services like Google and Facebook – are processing any kind of personal data, you need to obtain prior consent from the visitor.
• To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.
• This information must be available to the visitor at all times, e.g. as part of your privacy policy. You must also make available an easy way for the visitor to change or withdraw consent.
• It is required by the GDPR as you must document cookies and online tracking at anytime and you must be able to show that documentation to both your users and the EU.
• All consents must be logged as proof and all tracking of personal data, also by embedded third party services, must be documented, hereunder to which countries data is transmitted.

What does the GDPR mean for my marketing?

• Your website is being tracked by Google Analytics and you may also be using other Social Media services which are all termed as third-party services.
• The data they hold and process must also be GDPR compliant.
• If you are collecting email addresses for a marketing list and using a third-party service such as MailChimp, this too must be GDPR compliant.
• For any existing lists, these will need to be cleaned prior to when the GDPR comes into force and we recommend all mail shots between now and the enforcement date are fully cleaned by asking recipients to actively opt-in to continue to receive emails from you after the enforcement date.
• All emails should have an unsubscribe button, and working with a company like MailChimp will ensure that the data is being collected, time stamped and tracked – and will aid in you ability to clean all mail lists accordingly.
• Any search and display advertising needs to be logged and highlighted with the ability for users to refuse any tracking in accordance with the GDPR.
• For specific information relating to any third-party marketing service compliance, you should double-check with the provider direct.

What can Kaleidoko offer?

• To satisfy the requirements, we are recommending a new dynamic Cookie Declaration and Privacy Policy that can be installed and tailored to your website and then form part of your monthly maintenance contract. An example can be seen at https://kaleidoko.com/privacy/ and you will see it is broken into three parts; (1) privacy policy; (2) a live dynamic list of current cookies we are collecting; and (3) a list of the companies we engage with that the user can check.
• For online forms, we are recommending new additional opt-in items to be added to your web forms. An example can be seen at https://kaleidoko.com/contact/ that will be broken into three areas; (1) Accepting that we can transmit data and how specifically we may contact them; (2) that they have read our privacy policy; and (3) that they can opt-in to our mailing list.
• We are happy to offer our Privacy Policy as a guideline template, and can work with you to make minor adjustments that maybe suitable – but we are NOT legal advisors – and so we suggest you take appropriate action with regards to any legal advice and must sign off those agreed changes before we implement.
• Regards online tracking of any display advertising, the chargeable CookieBot cookie implementation software we are recommending will highlight all places these are being tracked and will display in your dynamic Cookie Declaration. You will need to further list those providers also.
• Regards mailing lists, we make strong suggestions that any email company you work with is GDPR compliant – such as the chargeable MailChimp solution – and make efforts in the interim period to clean up your data by ensuring every mass email sent out has the correct unsubscribe button, and further asks people to opt-in to continue to receive information after the deadline. For those who do not, they must be removed.
• Regards your own internal data warehousing, we suggest you highlight which software you are using in your privacy policy and make steps to ensure that your data is secure either on your own premises, or by ensuring companies you work with are equally secure.

What are the key differences between GDPR and the Data Protection Act 1995?

• Companies will be held far more responsible for the data they hold and process
• Fines for breaching GDPR and the misuse of personal data have been drastically increased. The maximum fine under GDPR is now either £20 million or 4% of worldwide turnover, depending which is higher
• If an individual can potentially be identified by a pseudonym, username or other unique handle, then their data will now be protected under the updated regulations
• Sensitive personal data now includes genetic and biometric data
• Consent was previously defined as “the data subject has given consent to the processing of data”. Under the new regulations, this now means “the data subject has given consent to the processing of data for one or more specific purposes”
• GDPR also brings in additional protection for children’s personal data, particularly for commercial internet services such as social networks. They will now require a parent/ guardian’s consent to process data of a child under 16 years old (although this may be lowered to 13 in the UK). This consent must be recorded, verifiable and written in a language that children will understand.

Further information:

• Check out the EU-infopage on the reform of the data protection laws.
• See also their infographic Data Protection – Better rules for small business
• The full GDPR regulation can be found at: https://ico.org.uk