The law is changing on 25th May 2018, when new European-wide legislation called the “General Data Protection Regulation” (or GDPR) comes into force. This will have implications for every website and it’s important website owners comply with these new rules.

We’re writing this article to give website owners some practical advice on interpreting the new legislation. We have been fortunate to hear first-hand from several experts on the subject in the past few months, so we’ve included some of their recommendations below.

However, it’s important to point out that we’re not lawyers ourselves, and so we can’t give out legal advice (obviously!), so this article is purely designed as an informal, simplified overview. We of course want to support you as best we can, but if you need definitive legal advice, please talk to a lawyer!

Also, remember GDPR and data protection legislation covers all aspects of your business, so your website is only one part of the jigsaw!

Don’t panic! 

Firstly, we’re aware that many legal firms and other web design companies have been using GDPR for profiteering purposes and scaremongering website owners, and that’s something we feel is wrong (like the example pictured here!).

Many website owners will recall the panic around the “cookie law” when it was introduced a few years ago, with people scrambling to deface their websites with huge popup cookie notices, because that was seen as the easiest or only way to respond!

Bear in mind that some of GDPR’s requirements, such as allowing users to see the personal data you hold on them, is already part of the UK’s law (the Data Protection Act 1998).

Some people have been given ludicrous advice. Take the example given by the BBC website that MPs’ staff were frantically deleting all their previous work!

The government body, the Information Commissioner’s Office (ICO), has said their intention is to educate businesses and website owners, rather than handing out immediate fines. They say that issuing fines is their last resort. Look at the facts and during 2016/2017 the ICO concluded over 17,000 cases, but only sixteen resulted in a fine.

And according to surveys, many businesses feel under prepared for GDPR, so don’t feel like you’re alone!

But don’t get me wrong… GDPR is mandatory and it’s the law, so don’t think you can ignore it!

GDPR promotes good practice. If you’re privileged enough to use or store other people’s personal data, then do the right thing and treat it with care.

So what does GDPR mean in practice? Let’s take a look…

Website contact forms 

If your website has a contact form (and most do!), then you’re processing personal data (e.g. somebody’s name, email address, phone number, etc).

What you do with this information matters. Let’s say you have a new customer make an enquiry via your website. It’s legitimate you receive their details for the purposes of responding to the message.

But you shouldn’t use their details for any other purposes, such as adding them to your mailing list, unless the user has explicitly asked to be added to your newsletter.

We listened to legal expert Danny Dagan last year, who delivered a presentation called “Privacy by design”. Danny asked whether you actually need all the data that’s collected? For instance, do you really need somebody’s date of birth, or their postal address? Always collect just the minimal amount of data that’s necessary.

Also, one of the principals of data protection is that you shouldn’t hold personal data for longer than it’s required.

Advice for Primary Image customers:

For most Primary Image customers, you’ll find contact form submissions stored on your website under the “Forms” area in the back-end (see this support article). This feature ensures that if, for some reason, your email provider has a problem (e.g. Gmail/Office 365 sends your contact form messages to the spam folder), you’ll always find a backup of your contact form entries saved on your website. That’s a legitimate excuse for storing personal data, however you don’t necessarily need to store this data for months or years.

Some GDPR commentators are suggesting contact forms shouldn’t save anything at all, but we feel this is a genuinely useful and practical feature. What you may decide to do, however, is delete those saved entries yourself every so often. That means personal information isn’t stored on your website for longer than it’s required.

If we built your website, in most cases you can delete contact form entries yourself, either individually, or in bulk (see our support article).

If you’re a Primary Image customer and can’t see or access this area, please get in touch with us and we’ll advise you further. Some websites, especially if you’ve transferred an existing website (built by another web designer) to Primary Image, may have a different contact form module installed.

Or if you want to disable contact form data from being stored on your website completely, please let us know.

Remember, contact forms normally send messages to your email account, so that means personal data is stored in your email inbox too. Therefore, you may need to consider what other data protection steps you need to take.

Events booking systems

Some of our customers use an events booking system, where users can register their attendance. Clearly, in order to process a user’s booking, some personal data is required from them, such as their name, email address, etc. That is a legitimate business need.

The same principals apply as for contact forms (see above), so for example you must not use attendance info for future marketing purposes, unless the user has consented to this.

You may decide to delete past attendance information every so often, depending on what you see is appropriate and justified. You can delete bookings data yourself within the events module.

Newsletters and mailing lists

Danny Dagan’s talk on “Privacy by Design”, which Primary Image attended last year.

Under GDPR legislation, users must explicitly opt-in to receiving your communications.

It is not acceptable to add people to your mailing list without their permission. That’s called spamming!

To avoid any disputes, you should maintain a record of when and how users confirmed they want to receive your marketing emails. Your newsletter software, such as MailChimp, will normally include this sort of feature.

It’s no longer acceptable to ask users to untick boxes if they don’t want to receive certain marketing. This will be seen as a violation of the GDPR rules. Users have to always opt-in themselves, without boxes being pre-ticked.

You may have received lots of GDPR-related emails lately, asking if you want to continue receiving a company’s email newsletter. They’re probably doing this because they don’t have a record of who opted-in to receive their emails, and who they added without explicit permission. If you’re sure everyone on your mailing list did opt-in, then that’s ok!

E-commerce / membership websites

If you run an e-commerce or membership site, where users login and enter their personal data, then there’s more requirements under GDPR legislation that you must implement.

Firstly, see the section above about contact forms, as the same principals apply here too. For example, only ask for personal data that’s actually useful and needed.

Some of the key GDPR considerations include:

  • You must, if requested, allow users to access a full copy of the data you hold about them. Though remember, this doesn’t just include your website, but any information held about them on your computer or other systems too! This is called “right of access”.
  • Users can request you correct any of their personal details if it’s not accurate. This is called the “right of rectification”.
  • You must allow users to export their data, called the “right of data portability”. So, for example, if you have an Instagram account, Instagram have a tool that allows you to download all the photos you’ve uploaded to their service into a zip file. It means users can easily take away their data if they choose to.
  • You must allow users to fully delete their personal information that’s held on your website. This is called the “right to erasure”. However, you are allowed to keep certain data, for example details of online sales are needed for your own tax records, etc, so that’s a legitimate reason for keeping some of the data.

Clearly some of this can be very tricky to implment! Consider, for example, that some customer data might not just be held on your website, but also stored in your cloud accounting system, or on a third-party newsletter system (such as MailChimp), or in spreadsheets held on your computer.

There’s two ways you can handle this on your website:

1) An automated self-service system for users:

If you have a WordPress website, a new version released last Thursday (version 4.9.6) introduces some features to help with GDPR requests. However, a lot of WordPress software modules (called “plugins”) are yet to use this new mechanism, because it’s so new. Therefore, it’s usefulness is currently limited. Though as time goes on, it’s likely more and more software modules will build GDPR-related tools into their systems.

For example, the WooCommerce shopping cart software, which many of our customers use for selling products online, has outlined a major update that will incorporate new GDPR features. However, at the time of writing this blog, the update (called WooCommerce 3.4) hasn’t been released yet (and we understand it’ll be released two days prior to GDPR coming into force!). The same goes for the events booking system, used by some of our clients, and its creators have also promised new GDPR-related features, but (at the time of writing this article) it’s not been released yet.

It’s also fair to say that automating these processes will of course require some setup work and testing steps to be carried out, because this isn’t a simple system that website owners will just want to switch on and hope it works ok! For example, if user data is deleted, does it cause any errors or unexpected consequences on your website? You’ll also want to make sure that if somebody is asking for a copy of all their personal data, you need to verify this is a legitimate request from them, and not a hoax request.

Whilst website owners may be looking for a ready-made “GDPR” solution, it’s important to recognise every website is different and there is a level of complexity in automating these processes.

2) A manual approach:

For smaller websites, taking a manual approach may be more appropriate, rather than seeking technical solutions. Under GDPR rules, you have one month in which to respond to a user’s request.

The Information Commissioner’s Office also has guidance on where you may be justified to charge a reasonable admin fee, or where you can justify needing a longer period of time to respond to a user’s request.

There’s other considerations too, such as if your users have to agree to terms and conditions, then they must explicitly agree to this, normally by ticking a box themselves to say they’ve understood and agreed.

If your users can create an online profile on your website, which is visible to other website visitors (e.g. if you have an online discussion forum, users may share their full name, town/city, etc), then it’s important your users are aware of what information they’re sharing publicly and they consent to this.

Keeping personal data secure

You should take all reasonable steps to ensure personal data is held securely at all times. This is a big subject, but examples could include:

  • Ensure your website runs on a secure HTTPS connection, so user’s details are encrypted when they fill out login or contact forms on your site.
  • Ensure your website software is kept up-to-date with security patches (which we handle for most of our clients as part of our maintenance packages).
  • Use a strong password for your own login, so it’s harder for hackers to access admin areas.
  • You shouldn’t be storing UK / European users’ data on web servers outside of the European Union, unless it meets certain safeguards. (For Primary Image customers, our web hosting is based in the UK!).

If your business or organisation uses and stores “sensitive categories” of personal data, e.g. related to children, religion, healthcare, etc, then special restrictions apply and there may be stricter rules on how you use this data.

If you do have a serious security breach, where customers’ data has been exposed, you are now required to inform the Information Commissioner’s Office (ICO) within 72 hours and also inform your customers. The ICO have more guidance about personal data breaches.

Having a clear privacy policy

A talk at WordCamp London, on privacy notices.

If your website collects personal information, you should have a clearly visible link to your privacy policy.

Your privacy policy must be written in clear, concise and simple language. Under GDPR, it is no longer acceptable to write long legalese documents that only lawyers understand.

A last month’s WordCamp London conference, Heather Burns gave some advice on structuring a website privacy policy, which we’ve adapted and added to below:

  1. Who you are?
  2. What personal data do you collect? (e.g. details obtained via contact forms, newsletter signup boxes, analytics tracking, etc)
  3. Do you collect any “sensitive” data?
  4. Why are you collecting this data? (e.g. a legal or business need)
  5. Who the data is shared with? (e.g. third-parties such as Google, MailChimp, PayPal, etc)
  6. How long will you retain the data?
  7. How can people obtain a copy of the data you hold on them?
  8. And how can somebody make contact with you?

It’s especially important you display this privacy policy when users are about to share their personal data with you, such as on contact forms, or registration pages.

The ICO also gives this example below as a good privacy policy (click on it to open a larger copy):

Cookies

A cookie is a small text file, normally comprising just a few letters and numbers, downloaded onto a user’s web browser when they’re visiting a website. These cookies allow the website to track that same visitor when they move around the website, or when they return in the future.

For example, the BBC Weather website allows visitors to save their chosen location (e.g. Southend-on-Sea) and then show this same information when they visit the website again. This is an example of how cookies help personalise a website and store genuinely useful information.

Most websites, including WordPress websites, use cookies, for example:

  • If your website has a login area, it’ll save a cookie, so the website keeps the user logged-in.
  • If your visitors can leave comments on blogs and the form asks for their name, email address, etc, then this information may be saved in a cookie, so next time they leave a comment, this information is pre-filled automatically.
  • If you have a visitor stats system installed (e.g. Google Analytics, StatCounter, etc), these services use cookies to report how many times a visitor has returned to the website, what pages they’ve visited, etc.

It is good practice to explain to your users why you’re using these cookies. You may choose to explain that some cookies are essential to make your website work, whilst other cookies are non-essential (especially ones related to marketing activities).

It may no longer be sufficient to just display a popup banner saying “By using this website, you accept cookies“, as the user isn’t giving their valid consent. Some website owners are now installing more advanced cookie mechanisms, where users have tighter control over accepting or rejecting non-essential cookies.

Implementing GDPR in practice

Responsibly for GDPR compliance lies with the website owner, not your web designer or website host.

If you haven’t already, you should audit your own website and business processes, so you can identify what personal data is being collected and how it’s being used. If you search online for “GDPR audit” or “GDPR checklist“, you’ll find lots of handy resources.

Ensure you are familiar with everything that GDPR covers. Our article here is just a simplified overview, but the UK’s Information Commissioner’s Office (ICO) website has a Guide to the General Data Protection Regulation (GDPR), which contains much more useful information, including things we haven’t even covered here.

Then think about how you’ll implement the GDPR rules in practice, not just on your website, but in everything you do! For larger organisations, you may need to think about staff training, scheduling routine audits, and nominating somebody to be your data protection champion.

And privacy isn’t a one time task. It’s part of the ongoing maintenance for your business, so keep it under review.

Next steps…

If you have any further questions about GDPR and exactly what applies to your own business or website, we do recommend consulting a legal expert for advice (e.g. finding a lawyer that specialises in online/digital matters).

We can (if required), on a paid-basis, conduct a review of your website and suggest some possible changes necessary for GDPR-compliance, but please note this will be informal advice only (i.e. we are not legal professionals and can only offer advice to the best of our knowledge).

If you need us to do any specific GDPR-related work on your website, please get in touch and we’ll be happy to help.

 

Disclaimer: As we mentioned above, this article is only intended to be an informal guide to GDPR (and Primary Image is not qualified to give out legal advice!). You are advised to carry out your own research and seek your own professional legal advice to find out how GDPR applies to your business or organisation.

Mike

Mike
Creative Director

Mike is the founding director of Primary Image. He specialises in the WordPress website platform and speaks regularly at national web design conferences. Mike became a member (MCIPR) of the Chartered Institute of Public Relations in 2015. Outside of work, his interests include photography and politics.