The General Data Protection Regulation (GDPR) comes into effect in 25 May 2018. It replaces the Data Protection Directive (implemented in the UK as the Data Protection Act 1998). This document addresses GDPR with the narrow focus of websites. For a broader discussion on the impact of GDPR on law firms, you might like to start with this article from the Law Society.
In essence the legislation is designed to protect citizens rights to privacy. To do this GDPR regulates:
- what is considered to be “personal data”;
- what can and can’t be done with personal data;
- how personal data must be protected;
- the rights of citizens to access their data (“subject access right”);
- the rights of citizens to have data removed (“right to be forgotten”);
- the rights of citizens to have inaccurate data corrected;
- the rights of citizens to obtain their data in a structured format (“data portability”).
GDPR applies to all organisations that handle or process data about EU citizens regardless of location. It applies just as much to Uber based in California as it does to BT based in London.
The legislation applies in different ways to different types of information:
- any information that is linked back to an individual;
- any information that could be linked back to an individual by some other organisation (even if you’ve not done the work to link it yourself);
- not just data about a person’s private life – “personal information” can also be information about their public or professional life;
- living individuals (GDPR does not apply to personal data about dead people).
- data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership;
- data concerning health or sex life and sexual orientation;
- genetic data or biometric data;
- data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).
- Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start (rather than them being bolted on as an after-thought or ignored altogether).
- Privacy by default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service.
- Pseudonymous data is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.
- Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
GDPR places some specific responsibilities on “Data Processors”, however, the vast majority of the responsibility is placed at the door of the “Data Controller”. The fact that a Data Controller might decide to outsource certain functions to a Data Processor does not mean that the Data Controller is not still liable; they are liable even when the breach is the direct result of the Data Processor. The same entity can be a “Data Controller” in respect of some processing activities and a “Data Processor” in respect of other processing activities:
- Data Controller is the body which alone or jointly with others makes decisions about processing activities (regardless of whether it actually carries out any processing operations).
- Data Processor is the body which processes personal data on behalf of a Data Controller
The reasoning on this issue is that all individuals should know what data is being collected about them and why, and should have to give their consent.
- Information has to be freely given and consent must be unambiguous and explicit.
- Requests for consent should be separate from other terms.
- Individuals must have a real right to say no.
- Data Controllers must be able to demonstrate consent.
- Parental consent is required if the individual is under 16 (13 in some EU countries).
- The maximum fine per breach is €20m or 4 per cent of global turnover, whichever is higher.
- GDPR is regulated in the UK by the Information Commissioners Office (ICO).
- You have to report breaches to the ICO (usually within 72 hours) but only if the breach “is likely to result in a risk to the rights and freedoms of individuals”.
- You have to report breaches to individual subjects (usually within 72 hours) but only if the breach represents a “high risk” to their rights and freedoms.
- Appointing someone as a “Data Protection Officer” is not a legal requirement but is expected for organisations with more than 250 people; doing so, even for smaller organisations, will help reduce the risk of prosecution.
The most obvious impact of GDPR on website design is that form submissions are almost always “personal data”, usually stored indefinitely by the website.
To be GDPR compliant without losing the benefit of being able to trend form-submission data:
- form data should be separated into “form-summary” (high-level information about the form) and “form-detail” (the contents of the form);
- form-detail-data should only be held for 60 days;
- form-summary-data should be made anonymous after 60 days (ie email address should be removed).
Note that the period of 60 days is not explicit in the GDPR legislation; it is your own judgement as to what can be defended as necessary and reasonable.
Forms that include an option inviting users to subscribe to a newsletter must default to “no” rather than “yes”; you will need to audit your site to be confident about this issue.
Note that there is no specific requirement to implement “double opt-in” (online registration followed by confirmation via an email link) but there is a requirement to be able to prove that the user agreed and to maintain an audit trail of their actions. A double opt-in process is well understood by users so is probably the best way to achieve this.
Many websites include payment gateways that allow clients to pay invoices and send money on account. The website may be collecting personal data such as name, address and invoice details before passing this information to the payment gateway. If that is the case the website will probably also be storing that information. You will need to modify the process to remove any personal data after 60 days (eg removal of email address and any other identifying information).
Some sites invite users to register in order to use advanced features such as extranets, collecting “personal data” including email address, username and password.
To be compliant the user must agree to Terms and Conditions that explicitly state what will happen with any personal information given during the registration process. A double opt-in process is recommended.
Many websites give the user a session-cookie in order to distinguish the user from other users. However, the user remains anonymous at all times. A session-cookie is not “personal data” provided it does not contain any information that can be used to identify the individual.
Some websites use third-party products such as CANDDi and Ruler Analytics. These products are used for the specific purpose of tracking users and alerting BD professionals when critical events happen (like a key-individual returning to the site … or a specific person viewing your Terms & Conditions page).
At first glance you might expect the operation of these products to be against the spirit and the law of GDPR since they track users in ways that most users would not expect. However, the providers of these tools seem confident that they can still be GDPR-compliant.
There is risk associated with using third-party software. If that software does something that is illegal then under GDPR it is the responsibility of the Data Controller (you) not the Data Processor (them). For this reason it is important to study your contract with those organisations very carefully.
The contract between the Data Controller (i.e. the firm/owner of the website) and the Data Processer (i.e. the website agency/builder) needs to be explicit on this issue – the contract should identify any third-party software explicitly so that the Data Controller understands their responsibilities in that respect.
Almost all websites are configured to use Google Analytics for the analysis of usage data. The system has always been anonymous; there is no “personal data” being collected and so no impact from GDPR.
Tag Manager is a product that enables a lot of powerful features – such as the ability to link in third-party software on particular pages. If Google Tag Manager is installed it becomes important to know who has access to it because those people have the ability to make drastic changes to your website.
The contract between the Data Controller (ie the firm/owner of the website) and the Data Processer (ie the website agency/builder) needs to be explicit; the contract should identify the people with access to Tag Manager explicitly so that the Data Controller understands their responsibilities in that respect.
In some situations GDPR gives users the right to access the personal data that is held about them, and the right for this information to be corrected or deleted.
Any request for data access or removal can probably be processed manually by the website agency/developer; there is no legal requirement for the user to be able to do this themselves.
- the legal basis for processing the data (lawfulness of processing is set out in Article 6);
- the period for which personal data will be stored;
- meaningful information about the logic involved, as well as the significance and consequences of such processing.
Note that to be compliant you will need to add information describing what you do with information once it has been passed to you from the website. For example, what happens to enquiry information once you receive it and how long is that information retained by your office systems (ie it’s not only information about the website).Tweet