Will Your Website Be GDPR Compliant?
- General Data Protection Regulation,
- GDPR,
- EU Data Compliance
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is set to come into effect on May 25, 2018. While many business owners may consider it an additional legal burden, it can be seen as an opportunity to increase the trust your customers have in you and to refresh your email marketing lists.
This article outlines some of the main ideas and requirements of GDPR, including measures you should take toward making your website compliant.
Please note: This article does not constitute legal advice.
Why GDPR?
The General Data Protection Regulation (GDPR) will replace the Data Protection Directive (DPD) of 1995. To give you an idea of how outdated the DPD is, at the time it came into being we were accessing the internet via dial-up, the first recognisable social media site was two years into the future and blogging would not appear for another four years. In the intervening 23 years we have seen the creation of Friendster, Bebo, Facebook, Twitter and many other popular sites that handle personal data.
We have also seen the growth of data being stored and used with the aim of improving user experiences online and in marketing. But there has also been a growth in data breaches and privacy violations. Customers and subscribers have become wary as they have seen businesses and organisations mistreat and mishandle personal data.
In response to this, the GDPR was created to replace the current EU directive to bring national data protection laws into a single framework and increase the protection of personal data.
What is GDPR?
The GDPR is legislation that takes the lessons learned from the last 23 years and adds new definitions and requirements to reflect the changes in technology. It aims to make businesses and organisations regard data as a valuable asset and demands that every business, organisation, and individual that gathers personal data become more diligent about the data they collect, how they collect it, and what they do with it.
It is intended to provide more transparency for consumers so they understand how their personal data will be used and to give people new rights to access the information that is kept about them.
In the UK, as with the current Data Protection Act, the Information Commissioner's Office (ICO) will act as the lead supervisory authority for the GDPR.
GDPR Myths
Although we are only a few weeks away from the implementation of GDPR there are still some grey areas, misunderstandings, and myths about the regulation.
Here are some of the more common myths:
- It doesn't apply to me.
The GDPR applies to the processing of personal data by all organisations located in the 28 EU member states and to all organisations located outside the EU that process personal data of individuals in the EU, where such processing relates to the offering of goods and services to individuals in the EU or the monitoring of their behaviour taking place in the EU, e.g. via tracking technology. If you are located in the EU while reading this, it almost certainly applies to you.
- It doesn't matter because Brexit means we won't be part of Europe.
Brexit will not affect this. The UK will still have to follow this legislation.
- It's just another box ticking exercise.
The Information Commissioner has said this is not about legislative box ticking or putting measures in place and forgetting about them. The GDPR is about accountability within businesses and organisations on an ongoing basis.
- My business is too small to be included.
Individuals, organisations, and businesses that are either controlling or processing personal data will be impacted by GDPR. It applies to all businesses, organisations, and sectors, regardless of their size, number of employees, or financial turnover. One person using personal data in the ways described is as beholden to these rules as a large corporation.
- Small businesses are going to go under because, unlike large companies, they don't have the resources for this.
The ICO has stated they expect everyone subject to the GDPR to put into place comprehensive but proportionate governance measures. Proportionate means small businesses will not be expected to implement the measures that multinational companies will have to.
- Everything has to be in place by 25th May 2018.
The Information Commissioner has said that 25th May is the date from which the GDPR applies, but that compliance is an ongoing process rather than a one-off deadline after which the work stops.
However the ICO has already started its consumer education campaign, so it is expecting to receive more data related complaints from consumers after 25th May as they become more aware of their new data protection rights. Soon your customers may start asking what you are doing with their data. If you cannot give them assurances that you are working towards compliance you may risk losing customers or damaging the trust they have in you. If they believe you are misusing their data they can complain to the ICO, which could launch an investigation that may put a strain on the time and resources of a small business.
- The fines are going to put me out of business.
The increased sanctions are designed to demonstrate how seriously the European Commission and the ICO are taking the issue of data protection. Fines are rising from the current maximum of £500,000 to up to €20 million or up to 4% of global annual turnover for the preceding financial year (whichever is higher). However, the chance of a small business facing this type of fine is exceptionally small. Statements from the ICO seem to imply that if you can show that you have taken steps and are working towards compliance this will greatly reduce the chance of being fined.
- We have to abandon everyone on our subscriber list.
If you already have consent that is compliant with GDPR requirements you do not have to get fresh consent from people on your list. However, because the new requirements are more specific than before it's likely that most businesses will need fresh consent from people on their list. If your list is made up of current customers then you do not need to ask them to re-consent, because you can rely on legitimate interest rather than consent for marketing related to what they have bought from you. The same applies to any email address that is not a personal address, e.g. info@, sales@, support@ are not personal so do not require re-consent.
- This will not benefit my business at all.
Although it will demand extra work this is an opportunity to look at existing databases, clean them out and make them leaner and consequently make your marketing more targeted. After you have become GDPR compliant you may have a smaller list, but your messages are likely to have improved open rates and greater engagement. This is also an opportunity to improve your brand and customer relationships by showing how you respect the privacy of your prospects and customers.
This Time It's Personal
The GDPR applies to personal data. For the purposes of this legislation personal data is defined as "any information relating to an identified or identifiable natural person." This can be one piece of information or multiple data points combined.
The definition means e.g.:
- Names
- Telephone numbers
- Email addresses
In fact anything that can be related to an identifiable person is regarded as personal data. As previously mentioned, general email addresses like info@, sales@, and enquiries@ do not necessarily identify a person so are not considered personal data. Be careful with the distinction though: a work address in the form firstname.surname@company.com does identify a person, and so does a role address once you have linked it to a named individual in your records.
In addition to personal data there is also sensitive personal data which includes information about a person's:
- Racial or ethnic origin
- Health data
- Religious or philosophical beliefs
- Political opinions
- Trade union membership
- Sex life or sexual orientation
- Past or spent criminal convictions
In addition to this list the GDPR covers a new category of personal data known as 'online identifiers'. This includes data like:
- IP addresses
- Mobile device IDs
- User account IDs
and any other form of system-generated data which identifies a person.
Controllers and Processors
The GDPR also identifies two types of entities that handle personal data: data controllers and data processors.
A data controller is a person or entity, such as a business, which decides what data is collected, how it is used, and whom it is shared with. It is the data controller that must exercise control over the processing and carry data protection responsibility for it.
The data processor is any entity other than the data controller that processes the data on the controller's behalf, e.g. your email marketing provider or web host.
Processing is defined as any operation or set of operations performed on personal data or sets of personal data either manually or by automation. This includes collecting, recording and storing the data e.g. entering data from people's business cards into a spreadsheet is processing.
It's The Age of Consent
You must have legal grounds for collecting and processing data. There are six available lawful bases for processing data (Consent, Contract, Legal Obligation, Vital Interests, Public Task and Legitimate Interest). Which basis is most appropriate to use will depend on your purpose and relationship with the individual.
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. Check your consent practices and your existing consents. Refresh your consents if they don't meet the GDPR standard.
- Contract can be used if you need to process someone's personal data to fulfil your contractual obligations to them; or because they have asked you to do something before entering into a contract e.g. provide a quote.
- Legal Obligation should be used if you need to process personal data to comply with a common law or statutory obligation e.g. for your accounts or tax return.
- Vital Interests would be relied on e.g. if you needed to process the personal data to protect someone's life.
- Public Task should be used if you need to process personal data 'in the exercise of official authority'. This covers public functions and powers that are set out in law; or to perform a specific task in the public interest that is set out in law.
- Legitimate Interest is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing e.g. for sending your current customers marketing material, news or information relevant to products or services you have sold them in the past.
Three Rights
People will also have a right to transparency, information, and erasure of their data.
Transparency means you give the individual a clear explanation of how you will store their personal data and what you will do with it. You should only collect data that is necessary to your business. Don't ask about hobbies or marital status if you have no use for that information.
Having a right to information means that if an individual asks for the information held about them, the organisation or business will have to produce this information within one month and can no longer charge for providing this. Where requests are complex or numerous the period can be extended by a further two months, but you must tell the individual within the first month that you are doing so and why.
The right to erasure means an individual can ask you to delete their personal data, and the GDPR's storage limitation principle means you should not keep personal data once it is no longer needed for the purpose it was collected for. Data controllers and processors have to delete such data and any related links, e.g. if you have collected names and email addresses for the purpose of sending out newsletters and then subsequently decide not to issue the newsletter anymore, you no longer need this information and it should be deleted.
You can keep data to comply with legal obligations. That means the GDPR is not a problem if you are obliged to keep tax data or employee data for a certain period. The GDPR does not specify any length of time that you need to retain data or any time by which you need to delete data. You will have to decide what is appropriate in each situation.
Data Breaches
The new regulations require companies to notify the ICO of a data breach within 72 hours of becoming aware of such a breach.
A breach is not just loss of data. It includes the unintended destruction of data, altering data without permission, loss of access to data (e.g. through a ransomware attack) and other scenarios.
However, you don't have to report every type of breach, e.g. if the breach is unlikely to result in a risk to an individual's rights and freedoms then it doesn't need to be reported to the ICO. Breaches that present a high risk to an individual's rights and freedoms (e.g. risk of identity theft or fraud) must be reported to the ICO within the 72 hours and to the individuals affected without undue delay. All breaches and your evaluation of them have to be documented even if not reported, so you need to be clear about the different types of breach and how to respond to them, and that is much easier if you have decided in advance who assesses a breach, who makes the reporting decision and where the record is kept.
In the event of a breach, the ICO are more likely to work with you than against you if you can demonstrate you have achieved or are working towards compliance. You can expect a more robust approach if you do not report the breach.
In the event of a data breach in addition to a possible fine from the ICO, customers can claim compensation and there is also the potential for class actions. Even if no fine is imposed the ICO can issue warnings, reprimands and temporary suspension of data processing. Possibly even worse will be any damage to the business's brand and reputation.
Making Your Site Compliant
Here are 9 components you may have on your website that should be reviewed:
- Opt-In Forms
One way to get consent to use data is via forms. If you have a form that is purely, e.g., to subscribe to a newsletter then there is no need to have an opt-in box, as the very act of filling in the form to subscribe to receive newsletters acts as the opt-in. Just remember that for all your forms you should a) if possible, confirm through double opt-in that the email address being entered in the form belongs to the person signing up and b) provide a link to your Privacy Notice to let your site visitor know how you will be processing their data. Forms that invite users to contact you and sign up for marketing will need an opt-in box (this applies to any form where consent for more than one thing is being asked for). Pre-ticked boxes do not constitute consent. There must be an active opt-in rather than an opt-out, e.g. do not ask someone to tick a box that says 'I do not want to receive updates from you.' There should be a positive statement like 'I do want to receive updates from you.' Also record what the person agreed to, when, and which version of the notice they saw; that record is your evidence that consent was given.
- Granular Opt-In
Website visitors should be able to provide separate consent for different types of processing, e.g. if you offer a subscription to a newsletter and bundle it with passing on data to third parties you will have to ask for specific permission for each type of processing. This can be in the form of one tick box for receiving the newsletter and a separate tick box for giving consent to sharing data with third parties.
- Easy to Opt-Out
Your web visitors must be clearly informed they have the right to withdraw their consent and withdrawing consent must be as easy as giving it. This means including an unsubscribe link in your initial contact email and every email you send thereafter. The link could lead to a page where the subscriber can unsubscribe, ideally from each purpose separately rather than all or nothing.
- Privacy Notice
Your Privacy Notice will need to clearly state how and why you are collecting data. You will also need to clearly explain what you will do with the personal information you receive, and how long you will retain this information both on your website and in any offline systems. If you are asking visitors to opt-in to a service it will no longer be acceptable to have only a link to your Privacy Notice in the footer of your website. The Notice or a link to it must also be positioned at an appropriate place on the opt-in webpage. It's also important to include a link to your Cookie Policy.
- Cookie Policy
Your Cookie Policy will need to detail any applications you are using to track user interaction. Many websites use Google Analytics to track user behaviour. Google Analytics collects IP addresses, which could be used to identify the user, unless you turn on IP anonymisation. Depending on the version of the GA tag you are using, that is
    gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });
or
    ga('set', 'anonymizeIp', true);
With this set, Google truncates the address (the last octet of an IPv4 address, the last 80 bits of an IPv6 address) before it is stored, so check the setting is present on every page that loads the tag. If you have other third party software on your website take a close look at what it does and what it tracks. Some applications track users in ways they may not expect and for which they have not granted consent. As an example, if you have social sharing buttons on your website that allow visitors to share your content on their accounts, the application is probably collecting data on your visitors. If you use a Facebook pixel to track your visitors and retarget them with Facebook ads the software will be planting cookies on your visitors' devices. If you have embedded YouTube or Vimeo videos on your website, they will be placing cookies on your users' devices. Note: even with YouTube's 'Privacy-enhanced mode' turned on YouTube will store cookies if the video is played! If you want to be sure of your position check that the suppliers of each application on your website state that they are GDPR compliant. Please note: the GDPR does not directly change the existing, separate e-privacy rules on cookies, even though cookies can collect personal data. Those rules are under review, so expect changes in the next year, when we expect "implied consent" will no longer be acceptable and you will need to allow your site visitor to choose which cookies they will allow, with the exception of cookies that are "strictly necessary", i.e. your site will not work without them, e.g. in your site's shopping cart a cookie is required to remember a user and retain their basket content. When the new laws on cookies come in you will also need to document and store consent to the use of cookies.
- Online Payments
If your website is collecting and storing personal data before passing the details on to a payment gateway you will need to ensure any personal information is encrypted when it is sent and deleted after a reasonable period. As the GDPR does not specify the number of days you will need to decide what can be justified as reasonable and necessary. Wherever possible let card details go straight from the visitor's browser to the gateway's hosted form rather than through your own server, so that you never hold them at all. You'll also need to check your payment gateway, e.g. PayPal, WorldPay, is GDPR compliant too.
- Other Services You Use
In addition to the above, you'll need to check associated services are compliant or have a reasonable plan to become compliant. This may include services like your web host who is hosting your website; email services like MailChimp, Aweber etc. which you may be using for marketing; and cloud-based data storage services like Amazon S3, Dropbox etc. which may play a role in backing up your site. Each of these is a processor acting on your behalf, and the GDPR requires a written contract (a data processing agreement) with each one setting out what they may do with the data; most of the larger providers publish one you can accept.
- Consent to Named Third Parties
Your web forms must clearly identify each party for which the consent is being granted. If consent is being asked for any third-party organisations, these must be named. In your Privacy Notice you will also need to mention any third parties that handle data for you.
- Secure Socket Layer (SSL) (https)
If you have website forms which are sending personal information across the web then you'll also need to make your site/forms secure via https, i.e. an SSL/TLS certificate (SSL is the older name; what you deploy today is its successor, TLS). Make sure the form itself is served over https and posts to an https address, not just the page that links to it. Google has been encouraging sites to make the move to https for some time, and the GDPR's requirement to protect personal data with appropriate technical measures makes sending form submissions in clear text very hard to justify.
Please note that the impact of GDPR may permeate your entire business, and the above focuses only on elements of your website.
More information
This article is not a comprehensive account of everything resulting from GDPR. You need to do your own further research and if necessary take legal advice, ideally from a qualified lawyer with a data protection speciality.
- For a general overview of GDPR take a look at the ICO webpages on data protection reform: Guide to Data Protection Regulation.
- If you are unsure of what you should be doing to reach GDPR compliance take a look at: Preparing for GDPR - 12 Steps.
- You can also find two useful checklists at: Getting Ready for GDPR.
- To comply with GDPR we're using Suzanne Dibble's GDPR checklist and GDPR compliance pack (affiliate links).
Addendum
The following (reported) data breaches have occurred since GDPR came into effect.
#1 MyHeritage suffered a data breach that resulted in the compromise of email addresses and hashed passwords of all 92,283,889 of its users. On Monday 4 June 2018, the company's Chief Information Security Officer Omer Deutsch revealed the MyHeritage site had suffered a data breach. The actual breach is thought to have happened on Oct 26, 2017.
#2 Reddit discovered a data breach compromising usernames, passwords and email addresses of groups of users on 19 June. The hackers broke in using compromised employee accounts that were protected using SMS two-factor authentication. Two data sets have been accessed by hackers, including one from 2007 containing account details and all public and private posts between 2005 and May 2007. The second data store included logs and databases linked to Reddit's daily digest emails, which was accessed between 3 and 17 June this year. The data includes usernames and email addresses linked to those accounts.
#3 Ticketmaster UK has said customers names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details were stolen in a computer hack. It identified the breach on Saturday, 23 June.
#4 Timehop discovered an attack at 2:04am US Eastern Time (7:04am BST) on July 4. 21 million users' names, email addresses and some phone numbers were breached, as well as encryption keys.