As we enter 2018, you’re probably already aware that UK law around data protection is changing with the introduction of the General Data Protection Regulation (GDPR), and of the upcoming deadline for compliance of 25th May.
There are hefty fines written in law for organisations in breach of GDPR. Those of you longer in the tooth may recall the introduction of the cookie law and the subsequent race to add cookie popups to websites. Due to an apparent general lack of enforcement and the ICO stating that implicit consent is acceptable, we’ve typically advocated for less intrusive privacy and cookie notifications.
The GDPR changes matters - it’s a much more detailed and specific set of legislation.
In our opinion, although the fines are potentially substantial, we’re unlikely to see enforcement in the early days after the deadline except for significant non-compliance or breaches. That said, the GDPR should be taken seriously as there’s mounting awareness amongst consumers, and we think it’s consumer-driven complaints or issues which are likely to cause problems for retailers.
Virtually all of our client websites collect or use customer data in some fashion, so we’ve put together a brief guide to the things you need to think about.
The GDPR rules are intended to give individuals much greater control over how their personal data is collected and used. The regulations are broad in scope and are likely to necessitate some changes to your internal practices and certainly a minimum of new documentation to hold on record at your company.
Our focus at Absolute is on building websites - the good news is that GDPR implementation on your site should be fairly straightforward when it comes to the practicalities.
The ICO supplies a wealth of helpful information, and a good starting point is their 12 steps document.
The steps outlined in the PDF are by no means exhaustive, but they are a good basis for beginning your compliance process.
For your website, we’re particularly concerned with:
3. Communicating privacy information
4. Individuals’ rights
If your site captures personal data, you need to check that you are respecting the individual’s rights. For example, how often and by what means do you delete personal data once your need to hold it has passed, or when the individual requests deletion?
5. Subject access requests
Similarly, you may be asked to hand over copies of any personal data you hold for an individual - do you have a process and format for doing so?
6. Lawful basis for processing data
Whilst implicit or automatic opt-ins have always been frowned upon, the GDPR requires explicit, specific consent. For example, asking customers to sign up to your newsletter requires that you inform them of the purpose for which you’ll contact them, and you can’t simply use a pre-ticked checkbox.
You might also need to refresh consent if the way it was originally obtained doesn’t meet GDPR standards. We’ve already seen plenty of organisations contacting customers to ask them to opt in again.
You still need to take action on all 12 points in the ICO’s PDF, but we feel the above are the most relevant to your website. The remainder are elements you need to consider and document internally.
In our opinion one of the trickiest parts of the GDPR is the terms used, and how they relate to your operations.
Here are three examples:
Data controller or data processor?
If you collect and then use personal data, or pass data to a third party to be used, or indeed make any decisions about how, when or why personal data is to be collected, you are a data controller in terms of the GDPR.
If you process data on behalf of a data controller, but you don’t collect that data or decide how it is used, you are a data processor.
If you collect customer information through your website, it’s most likely that you’re a data controller. If you use third parties such as Google Analytics, they are data processors for your data.
What counts as personal data?
In short, any information relating to an individual person which is not fully anonymised. If you collect any form of identifier such as a name, email address, internet handle (e.g. a Twitter username), or even location data such as an IP address or a postal address, you are collecting personal data. Any additional data you collect which is in some fashion linked to that identifying data is then also classed as personal data.
For example, if your website asks for your visitor’s shirt size, and also collects their IP address in a fashion which can be linked to their shirt size, you are collecting personal data. If you ask for the shirt size but don’t associate that with anything other than their current web session, we believe it wouldn’t be covered by the GDPR.
There’s a sub-category of personal data, known as sensitive personal data - this is very unlikely to apply to your website, as it covers, for example, genetic data.
As there’s such a lot to take in, we’d recommend getting in touch with Absolute for a website GDPR audit.
We’ll help you check that you’re covering all the bases and, where necessary, adjust your site to fall in line with the regulations. We can also help you consider your internal processes and documentation.
It might seem daunting but in most cases we think the work needed for compliance will be straightforward and reasonable in scope.
Remember there are only a few months to get ready, so let’s get cracking!