A typical web form that collects personal data such as identity and location information.
GDPR
Save the Date. May 25th 2018..
GDPR is coming into force from this date and it's important to be aware of a few important facts to help you organise the necessary policies and procedures to adhere to the incoming legislation.
Before you start, you may with to visit the official Government ICO section on GDPR
So...you might be asking, what is GDPR all about? Well GDPR is coming into play to better protect the information that is held of individuals by the companies that procure them. It is centered around the principles of transparency and consent. All companies will need to comply and GDPR stretches far beyond the existence of a website and right into your business practices as a whole.
Principally, you should be assessing your entire business and asking yourselves the following:
1. What personal information are we collecting about our customers and employees (and potential employees).
2. What are we using this personal information for and is it justified.
3. Where and how are we storing this data.
4. How long are we retaining this information for.
Note that GDPR only concerns itself with data that is able to identify an individual and not a company. This includes personal emails (and not generic emails such as accounts@)
GDPR will inevitably mean changes in how you operate parts of your business and to improve transparency and integrity of the data you keep. Beyond these changes it also means that you have to have a clear and transparent policy on all of the above and potentially appoint a Data Protection Officer if required.
How Does This Affect My Website ?
Your website is likely one of many channels in which you collect, store and possibly transmit data held about an individual. Most of what you collect and store will be covered by your legitimate business interests insomuch as processing an order, fulfilling a contract or legitimate email marketing practices. It is still important to be clear on what you're collect and storing, as ultimately you are classed as a Data Controller.
How Do I Make Myself Compliant
Step 1 - Identify your web forms
You will likely know all of the areas that you collect data from. You will need to produce a list of all forms on your website, these will include contact forms, product enquiry forms, quote forms, shopping basket forms, mailing list sign up forms and more. Basically anywhere where a user has to (or potentially) enter personal information that you will be in receipt of.
Step 2 - Identify consent
If it is clear what the purpose of the form is for and that you don't collect, store and use the data for anything beyond the purpose of that, then you will not require explicit consent. If however you collect data and then process it for marketing or monitoring purposes (or any other purpose beyond it's own means) then you need to allow the customer to explicitly consent to this.
For example, if you have a checkout on an e-commerce website and you collect a persons details to fulfil an order and nothing more than your legitimate business interests and obligations mean you do not have to take consent from this. However, if you intend to use the details beyond it's initial purpose then you must gain explicit (opt-in) consent. No longer is acceptable either to be opted-in by default or use double negatives to trick a user into consent. An example of an opt-in section in your basket pages.
Step 3 - Get Consent
If you've identified areas on your website where this is required then you must contact us to program these consent boxes in for you. The development required will depend on the number and complexity of the consent boxes (and if they require validation or not).
Step 4 - Write a Policy
Crucially, it is essential that you write a policy for your website AND your business. We have had our own policy written by solicitors and we strongly advise that you follow the same path or find legitimate or approved GDPR policy templates and fill them in accordingly.
Step 5 - Include us in your policy
You are classed a Data Controller and Wida Group Limited (us) are classed as a Data Processor on your behalf - in the same way that Sage may help process your PayRoll or Natwest may help process your banking. With this in mind, you should include the following snippet in your own policy about third party processing.
How is your personal data collected?
We use different methods to collect data from and about you including through:
Direct interactions
- You may give us your Identity and Contact Data by filling in forms on our website or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- apply for or purchase our products or services online;
- subscribe to newsletters;
- request marketing to be sent to you;
- give us some feedback or any other communications by way of submission by our website forms
Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
Disclosures of your personal data
We may have to share your personal data with the parties set out below
Wida Group Limited [acting as a Data Processor and based in the United Kingdom] who provide website hosting services.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Step 6 - Include a Cookie Policy
You should have a separate cookie policy on your website already but for those that don't (yet), you can use this policy (this includes the use of Google Analytics but NOT other 3rd Party Tracking that you may have requested to use such as Hub Spot etc).
Don't Forget...
We hope you found this useful. Remember that this information is supplied from a non-legal basis and is supplied in good faith of our understanding of the GDPR regulations. You should always consult legal advice and don't forget that GDPR is NOT about your website, it is about your business.
If you require any further information, please refer to the ICO website