In this blog, we provide an overview of the proposed changes and guidance on what you need to do to ensure your website is GDPR compliant. Please ensure you also read the disclaimer at the bottom of this blog.
Vaccoda GDPR Compliance service
We offer a compliance service to assist businesses in becoming GDPR compliant with their websites. This service will support businesses to ensure that web-related systems, processes and content is fully GDPR compliant. If you are interested in finding out more about our GDPR compliance service, please click here.
What’s the reason for GDPR?
It’s taken more than 3 years of discussion but now the framework for the EU General Data Protection Regulations has been agreed and, in less than a year, Europe’s data protection rules will undergo their biggest overhaul in 20 years. This is mostly due to the huge increase in the amount of personal data that is captured and stored and this meant that the old protection rules were no longer relevant to today’s digital world.
Due to the need to ensure consistency around data protection, GDPR will be introduced to strengthen and align data protection laws for individuals across the European Union, as well as address the export of personal data outside the EU and will also replace/update the current 1998 Data Protection Act along with the 1995 Data Protection Directive.
Isn’t my data already protected?
Yes, it is. At present, each member state within the EU is governed by the existing 1995 Data Protection Directive and each has its own national laws. Here in the UK, we are currently covered by the 1998 Data Protection Act (DPA), which sets out how your personal data can/can’t be used by businesses, government and other organisations.
The objectives of GDPR are to address how personal data has been created and can be used and to give individuals back the control over their personal data held on file and impose stricter rules on companies handling personal data. When GDPR comes into force, this will unify previous and other data protection regulations throughout the EU.
But what happens when we leave the EU? Are we still governed by GDPR then?
The Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of GDPR and as such UK businesses and organisations will still need to ensure they are GDPR compliant by 25th May 2018.
How will I be affected as a business owner or charity?
GDPR is focused around the handling of personal data. Essentially, what this means is: if your business or charity is currently handling personal data, you are likely to be classified as a ‘Controller’ or ‘Processor’ of personal data, and it is highly likely that you would, therefore, be subject to the Data Protection Act (DPA). If this is the case, then it is also likely that you will be subject to GDPR, as described by the Information Commissioner’s Office.
What is a ‘Data Controller’ and a ‘Data Processor’, and how is ‘Data Processing’ defined?
As defined on the ICO website a ‘Data Controller’ is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
A ‘Data Processor’ is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data processing, in relation to information or data, means obtaining, recording or holding that data or carrying out any operation or set of operations on that data, including:
- Organisation, adaptation or alteration of the data.
- Retrieval, consultation or use of the data.
- Disclosure of the data by transmission, dissemination or otherwise making available.
- Alignment, combination, blocking, erasure or destruction of the data.
Individuals access to their data
With the introduction of GDPR comes new obligations on companies and organisations that collect personal data. Under GDPR rules, individuals will have much easier access to the personal data that companies and organisations hold about them. At present, a Subject Access Request (SAR) can be made subject to payment of a £10 charge to receive a record of the data held. Under GDPR this fee is being scrapped (for the most part) and a copy of personal information must generally be given free of charge.
The ICO has stated, however, that businesses and organisations can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. Additionally, a reasonable fee may also be charged to comply with requests for further copies of the same information: however, this does not mean that businesses can charge for all subsequent access requests, and the fee must be based on the administrative cost of providing the information.
Under GDPR, when someone asks a business or organisation for a record of their personal data being held, this information must be provided within 30 days. All individuals will have the right to receive confirmation that a business or organisation holds information about them, as well as any other additional information. In other areas, big technology and digital media organisations will be obligated to give users more control over their data, this being especially relevant to social media platforms.
On the other side of the coin, the ICO also states that “individuals have the right not to be subject to a decision” when it is based on automated processing. If it produces a legal effect or a similarly significant effect on the individual, the individual concerned must be given an explanation of the decision and a way to challenge it.
Right to erasure/right to be forgotten
The GDPR legislation will also give individuals the ability to request that a company or organisation deletes personal data without undue delay where there is no compelling reason for its continued processing. And if a business or organisation has disclosed your data to any third-party, they must also inform all third-parties about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
There are also exceptions to this and the right to erasure can be refused if the data held needs to be retained in order to comply with a legal obligation, for public health purposes or for reasons of public interest.
Non-compliance fines
Along with the introduction of GDPR comes significantly enhanced powers for regulators to fine businesses for non-compliance.
Simply put, if an organisation or business doesn’t process data in accordance with the General Data Protection Regulation in any way, it can be fined – and the fines are huge, to say the least.
Elizabeth Denham, the UK’s Information Commissioner wrote about fines in one of her blogs in August 2017.
She states:
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point, and that concerns me.
It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law, but it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
So, while GDPR will carry significant fines, the ICO is clear on their stance and that they will adopt a more supportive approach overall to help and assist businesses with their GDPR compliance. The full blog by Elizabeth Denham, “GDPR – sorting the fact from the fiction”, can be read here.
A snapshot of the proposed changes
At the time of writing and publishing this blog, the below changes are those that have been proposed under the new GDPR legislation. Please note, that the following information could be subject to change as the Government finalises the legislation and passes the Data Protection Bill through the House of Commons and the House of Lords before it becomes law.
International reach
Any company based outside of the EU but which targets customers that are within the EU will also be required to operate within the General Data Protection Regulation.
Consent
The consent to process a person’s data must be a freely given, specific, informed and unambiguous indication by that person. Likewise, it must be made easy for people to exercise their right to withdraw consent for the ongoing processing of their data.
Demonstrating compliance and privacy of data
GDPR places considerable emphasis on the need for Data Controllers to be able to demonstrate data compliance. This will include the requirement to maintain certain documentation, undertake privacy impact assessments and reporting to identify privacy risks and is designed to reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.
Notifying authorities of a data breach
Data Controllers are responsible for notifying the data protection authorities of a data breach without any undue delay, preferably within 24 hours and no later than 72 hours after first becoming aware of it.
Non-compliance
Under the new GDPR legislation, data protection authorities can impose substantial fines in the event of non-compliance with GDPR. Depending on the infringement, a fine to a maximum of €20 million, or up to 4% of the total worldwide annual turnover can be imposed. These fines can be imposed on both the Data Controller and the Data Processor.
The role of a Data Processor
Data Processors (who process personal data on behalf of a Data Controller) will be obliged to comply with data protection requirements which previously only applied to Data Controllers (who decide why and how personal data is processed), and in certain circumstances, Data Processors will now have to designate a Data Protection Officer if needed.
Streamlining the process
The new GDPR legislation will apply to all EU states and will remove the need to implement national level legislation. The ‘One Stop Shop’ mechanism provides one set of rules, as businesses will not need to comply with various authorities, therefore streamlining the process and this will equate to a considerable saving financially.
Removal of notification obligation
One notable change under GDPR is the removal of the notification obligation in most circumstances. This decision was made to save time and money. Previously, Data Controllers had to notify Data Protection Authorities of any data processing activity. However, GDPR will require Data Controllers to implement new procedures for extensive data processing by utilising new technology.
The right to be forgotten
This directive has been put into place for individuals to manage the use of their personal data by businesses. If an individual withdraws their consent to storing or using their personal data by a business, Data Controllers are under obligation to erase the individual’s data without undue delay. Additionally, the organisation is obligated to take appropriate steps to inform and request that any third parties that may hold copies of, or links to the data must delete it.
For further information on GDPR
The above information is written to act as a guide only, and these changes may be subject to change. Further details on GDPR can be found on the Information Commissioners Office website and the EU GDPR website, so please check them out.
You can also read a really helpful 12-step guide to help you prepare for GDPR by clicking here.
GDPR compliance for websites
Many businesses within the creative sector, such as website design companies and similar business types/creatives, mustn’t overlook the need to ensure they are GDPR-compliant when requesting information from customers online.
This doesn’t just apply to website designers; any business that has a website online needs to be aware of their obligation to make their website GDPR compliant and implement changes/updates where needed.
Something else to consider is the matter of being compliant to current standards, and what changes GDPR will bring. If your website is fully compliant with the current DPA, there will still be some additional compliance that will need to be implemented onto your website in order to comply with GDPR.
Essentially, many of the GDPR requirements are similar to those that exist within the DPA. However, some requirements are new and others have been improved.
What this means to website design companies (and any business or organisation that has a website) is if you collect customer data by way of a newsletter signup, customer enquiry/feedback/contact form and store this somewhere in a database or similar, you will be defined as a ‘Data Controller’.
This means the way you request this information, the consent was given by your customers and the process you have in place in order for your customers to gain access to the personal data you hold about them will come under scrutiny. The security of your website is of equal importance too.
Who is responsible?
You may think that the responsibility of making sure your website is GDPR compliant is down to the web design or hosting company – this is in fact wrong.
As the website is an asset of your company and falls under the ownership of the business, the business owner will be defined as the ‘Data Controller’ and will be held directly accountable for ensuring that the website, and any tools it uses to collect, store and process data, track movements or otherwise, inclusive of any third-party tools, is fully GDPR compliant.
In what ways might my website not be GDPR compliant?
There are some factors to take into account when auditing your website for GDPR compliance as follows:
Stating the case
GDPR requires you to state the lawful basis for collecting personal data, the data retention period and that individuals have a right to complain to the ICO if they feel you are holding their personal data in a non-compliant way. This information is best detailed on your Privacy Policy, and should clearly and concisely state why you collect customer data, how it is stored internally, and how this data is used.
Tip: Creating a Data Flow Audit of Personally Identifiable Information (PII) is the best way to map the movement of individuals personal data from the website to internal systems, such as the website database and customer management/invoicing programmes.
Provision to supply and delete data
The next step is to ensure you have procedures in place that detail how you supply personal data easily upon request but also how you go about permanently erasing personal data should an individual request the right to erasure. As already explained further up, this is done without charge to the individual and should be undertaken without undue delay.
Tip: If you use multiple internal systems to store parts of or all your customer data, it would be wise to consolidate these systems into a more streamlined process so data is kept in fewer places. Likewise, if you allow for customer sign-up/login on your website (like an e-commerce store, or a membership area) you should give the option for customers to either permanently delete their account, or make it easy for them to contact you to request permeant account removal.
Portability of data
The right to data portability allows users to obtain and reuse their personal data for their own purposes across different services. This would allow the individual to move, copy or transfer personal data easily from one IT environment to another.
Tip: You should think about the ease with which your customers can download account information from your website. The ICO states: “You must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data. The information must be provided free of charge”. Read more on the portability of data here.
Automated processing
The GDPR will safeguard individuals against the risk that a potentially damaging decision is taken autonomously and without human intervention.
Tip: If your website includes any automated processing operations, you may need to update your procedures to comply with GDPR requirements. Read more about automated decision making and profiling here.
Breach of data
Under new GDPR rules, any company that suspects there has been any sort of breach of data is obliged to report this to the ICO and in some cases, to the individual(s) concerned too. If the breach is likely to result in a risk to the rights and freedom of individuals then the relevant supervisory authority must be informed and should not be left unaddressed as it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Tip: Make sure you fully secure your website by SSL and ensure you review your website security procedures on a regular basis, ensuring everything is kept up-to-date to avoid any potential hacking and subsequent data breach.
Privacy by Design
‘Privacy by Design’ focuses on the inclusion of privacy and data protection in the early stages of any project, and throughout the lifecycle of the project thereafter. Often this area has been overlooked or ignored, leading to retrospective solutions to try and fix or, at worst, bodge the issue, rather than creating a core solution in the first place.
Privacy Impact Assessments (PIA) are an integral part of Privacy by Design. A PIA is there to help you design and implement more effective processes for handling personal data, and also acts as a tool to help identify the privacy risks of your projects. More details on Privacy by Design and Privacy Impact Assessments can be read here.
Tip: Consider Privacy by Design, supported by Privacy Impact Assessments at every stage of development (from a web development perspective) – it is more cost effective to integrate Privacy by Design at the start, rather than implementing afterwards. For businesses that have websites already built, consider your current online privacy policies, and consider the bigger picture across your business or organisation, and how you can integrate core privacy considerations into existing project management and risk management methodologies and policies.
Third party data processors
In addition to clearly informing your customers why you are collecting their data (for the purpose of newsletter signup, customer enquiry/feedback/contact form submission and so on) you should also inform your website users of any third party data processors that you use to capture and process personal data on your behalf, such as MailChimp or similar (for newsletters/subscriptions), Google Analytics (for the purpose of website tracking) or any other third-party data processor – and also state why you are using them and for what purpose.
Do you have a WordPress website? Are you WordPress GDPR ready?
Many websites nowadays are built using WordPress, and to ensure you are WordPress GDPR compliant, think about the components that make up the website – this includes the ‘website side’ of things that your customers see, and the ‘technical side’ which would include things like plugins, custom functionality and anything else used for the collection, processing and storage of data.
The first step would be to undertake a full security audit of the website to identify any potential risks. This audit should, in general, show how data is being collected, processed and stored on your server(s) and a plan of steps that you must take in order to comply with the GDPR legislation. A good plugin to help you perform a security audit on your website is the Security Audit Log plugin, however, there may be others that you prefer to use.
Some of the ways a standard WordPress website might collect user data includes:
- User registrations
- Comments on blogs/posts
- Enquiry/contact form submissions
- Website analytics and traffic monitoring logs
- Any other logging tools/applications
- Security tools
- Plugins
We have discussed data breach above and the steps that need to be taken in the event of a breach happening, however in a WordPress scenario if you noticed a breach, you would need to take the necessary steps to notify anyone – not just different user levels (admins, editors, managers, and so on) but also customers in the case of WooCommerce and even those who comment on blog posts. You would also need to alert anyone who has personal data stored within a database, so, if you have contact forms that store customer enquiries to a database [as opposed to sending the enquiry via email] for example, you would also need to inform anyone who has submitted an enquiry to you.
A great tool to monitor web traffic and any malicious activity is the Wordfence plugin. We use this on all our customer websites, and if we are managing monthly technical updates for clients, we always install and configure Wordfence as well as other tools to protect the website.
Data collection, processing and storage
As discussed further up, there are three main aspects to this; the Right to Access, Right to Be Forgotten and Data Portability.
With WordPress websites, you will need to establish a detailed policy in relation to the personal data you are using and how this data is being processed and stored.
You will also need to have a setup in place that allows users to easily request a copy of their personal data. It’s important to also explain the steps involved in your Privacy policy or similar so users are clear on what they need to when asking for their data.
The key takeaway from this is to consider if it is necessary to store personal data within a database. For example, website contact forms could be set up to forward all enquiries directly to your secure email address instead of storing them on a web server. Doing it this way reduces the chances of any breach of data by way of personal data stored somewhere within a database.
Using plugins
WordPress websites generally use plugins – any plugins used will also need to comply with GDPR. Whilst you might think that the responsibility for compliance lies with the developer of the plugin, this is incorrect. As you are the website owner, it is your responsibility to ensure that all plugins your website uses that store personal data of any kind have the ability to export/provide/erase any user data collected.
In essence; each plugin you use (that store’s data of any kind) needs to establish a flow of data and be able to inform users about the processing of that data. The ability to allow the end-user of the plugin (such as a webmaster) to be able to demonstrate the compliance of the plugin will lie with plugin developers and the way(s) in which they modify their plugins to make them GDPR compliant.
Other considerations
Whilst it may not be immediately obvious, there is a range of other tools that can be used on a WordPress website that will also need to be GDPR compliant, such as marketing tools for monthly email newsletters and promotions for example. The sign-up process is generally done from an integrated form on the website which harvests a list of user email addresses. Depending on how you run a promotional email/newsletter, it’s possible that the email addresses may not have been obtained with explicit user consent.
One existing way was to have a ticked box that was selected by default which, under the new GDPR legislation would count as a violation and now requires webmasters to get users to explicitly consent to the use of their personal data [email address] in emailed newsletters or promotions. Additionally, buying email data would also constitute a GDPR violation, as none of the people within that list had given you explicit consent to receive emails from you.
In a nutshell
The long and short of WordPress GDPR compliance is as follows:
- Undertake a full audit of all the ways you collect website visitor data
- Look at how this data is processed and stored – is it secure?
- Implement new processes to ensure that users can easily access and control their data
- Avoid unnecessarily collecting user data
- If you are using any third-party tools, plugins and applications you need to ensure they are GDPR compliant – you are responsible for this.
Final thoughts and summary
Whilst the forthcoming GDPR legislation is extensive, approach the task of compliance in bite-size pieces. Taking the time to fully understand your obligations as a business and then acting upon a well-considered, planned roll-out of GDPR within your company or organisation will make the task a whole lot easier.
Disclaimer: This article on GDPR contains a summary, written in our own words, of the proposed changes that are due to come into effect in May 2018. The content within this article may be subject to change after the publication date of this article, and we strongly recommend that you refer to the Information Commissioner’s Office (https://ico.org.uk/) and the EU GDPR website (https://www.eugdpr.org/) for the most up-to-date information, and seek professional advice on GDPR compliance integration within your business.