You may have started to see a marked increase in blog posts, articles and general chatter about GDPR in recent months. Although the details have been known about for ages, it comes into force in May, and in best ‘Millennium Bug’ tradition, many businesses are only now starting to worry about it.

What is the GDPR anyway?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

The GDPR will supersede the current UK laws on data protection, which are enforced by the Information Commissioner’s Office (ICO). It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.

But we’re leaving the European Union, I hear you cry! Blue passports, independence from Brussels, rule Britannia! Well, sorry, but that doesn’t matter, because EU laws and regulations will be incorporated into UK law, and, equally important to our non-European clients, even if data controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents. There is little doubt these regulations are with us for the long term, EU member or not.

When does the GDPR come into force?

It will apply in all EU member states (which still includes the UK, for now), from 25th May 2018.

Fascinating fact: Technically, the GDPR came into force on 24th May 2016, but it’s only from 25th May 2018 that the adjustment period ends and the law applies.

Who does the GDPR apply to?

‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.

Are you a data controller or processor?

If your website, built for you by Bookswarm or anyone else, does any of the following things, then you almost certainly are:

  • E-commerce website which takes orders and stores customer data
  • Website with user registration functionality
  • Website which has forms through which users can submit information – this could be a contact or enquiry form, a content upload mechanism, etc.
  • Website with a mailing list signup mechanism

Obviously there are loads of other, non-website-related circumstances under which you could be a data controller or processor (customer databases, CRM, client lists, mailing lists, and so on) but we are going to focus on the website aspects here.

So what does GDPR require us to do?

It’s the data controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.

Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.

One of the following justifications must apply in order to lawfully process data:

  1. If the subject has consented to their data being processed
  2. To comply with a contract or legal obligation
  3. To protect an interest that is “essential for the life of” the subject
  4. If processing the data is in the public interest
  5. If doing so is in the controller’s legitimate interest – such as preventing fraud

In the website scenarios we mentioned above, the first two on that list are the key ones for most of our clients:

  1. “If the subject has consented to their data being processed” relates to opting-in to a mailing list or online system, including registering an account
  2. “To comply with a contract or legal obligation” is the most relevant to e-commerce – if a customer has placed an order, they have entered into a contract with you which you can’t complete without processing their data

In many cases, both of those justifications may operate together. A customer creating an account on an e-commerce website is consenting to their data being processed (setting up an account so they can place orders more quickly next time) and entering into a contract or legal obligation (placing an order they want you to fulfil).

What does consent look like?

Consent must be an active, affirmative action by the data subject – passive acceptance (asking people to opt out, or opting them in by default) will not be permissible. Fortunately, Bookswarm have been discouraging our clients from this practice since we started trading!

“Silence, pre-ticked boxes or inactivity should not … constitute consent” (Recital 32)

Active, affirmative action could be:

  • Explicit. Ticking a box which says “I agree to the processing of my personal data by X for the purposes of Y and Z”
  • An affirmative act. Not explicit but done in the clear expectation of how the information would be used, e.g. user enters their e-mail address into an e-mail field marked “optional”, with a short disclaimer underneath reading “Enter your e-mail address to receive information about products and services we think will interest you”

Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. This is really important – it means if you can’t provide a record of exactly where and when a user gave their consent, then you could be held in breach. Fortunately, the form builder plugin we use (GravityForms) and e-mail marketing providers like MailChimp both capture detailed information about when forms are filled in and users sign up.

What counts as personal data under the GDPR?

The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information (PII).

When can people access the data stored by a data controller?

People can ask for access at “reasonable intervals”, and controllers must generally respond within one month. The GDPR requires that controllers and processors must be transparent about how they collect data, what they do with it, and how they process it, and must be clear (using plain language) in explaining these things to people.

People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them.

They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.

Individuals also have the right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected. This is known as the ‘right to be forgotten’. Under this rule, they can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed.

What happens if there’s a data breach?

It’s the controller’s responsibility to inform its data protection authority of any data breach that risks people’s rights and freedoms within 72 hours of becoming aware of it. The UK authority is the Information Commissioner’s Office. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue, or €10 million, whichever is higher. They also have to inform affected customers within the 72-hour deadline.

What happens if there’s a failure to observe the rules?

If you don’t follow the basic principles for processing data, such as consent, ignore individuals’ rights over their data, or transfer data to another country, the fines are even worse. Your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.

What about cookies and other tracking data?

As you probably already know, websites use cookies to track returning visitors and collect usage information. It seems likely that visiting a website with a browser set to accept cookies will be taken as affirmative consent to place those cookies on the user’s device. In other words, there is an assumption that if you didn’t want cookies being placed on your device, you would make the appropriate changes to stop them from being set. That’s good news – and it also means that those annoying cookie consent pop-ups will no longer be needed.

OK, you’ve scared the pants off me. How should we make sure we’re compliant?

Here’s a checklist of things you need to do to make sure your website is GDPR-ready:

  • Ensure your website has a Privacy Policy, written in plain English
  • Ensure that the Privacy Policy explicitly identifies all the ways in which the data controller may use the data gathered (on that basis it’s better to ask for permission for the broadest possible range of uses)
  • Include a simple ‘opt-out’ form on any site which gathers user data, allowing the user to freely withdraw their consent. In broad terms this would be a very simple form – name, e-mail address – allowing a user to contact you and request opt-out or removal. What you do with that information depends on what you are doing with the data – it could be as simple as manually unsubscribing them from a mailing list, or it could be more complicated (removing them from in-house databases, deleting all of their e-mails). Here’s our removal request form
  • Ensure your existing mailing lists are compliant. That means being able to say exactly how and when each user signed up, and that they have consented to be on the list. If your existing list contains any users who you added manually (because they were existing customers, or any other form of implied consent), or you can’t say how and when people gave permission, you should no longer use that list!
  • Review all forms and other data collection points on your website to ensure they are compliant. It should be clear what purpose users are providing their data for. Existing forms may need to be re-worded or tweaked to make permissions more explicit

Here at Bookswarm we are having to ‘bin’ our old mailing list. That’s because, as well as people who opted in via a form on this website, we also added the e-mail addresses of existing customers ourselves. That used to be allowed, but it’s not permitted under GDPR. As a result, we are starting a new list and contacting all the people on the old list (BEFORE 25th May, of course!) encouraging them to join it. If your list has any implied opt-ins on it, or any data you can’t vouch for, you should do the same.
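The two requirements above – keeping a record of how and when each person gave active consent, and being able to vouch for every address on an existing list – can be demonstrated with a small consent ledger. This is an added illustration written for this post, not Bookswarm’s, GravityForms’ or MailChimp’s code; the form ids, e-mail addresses and purpose names are constructed:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class ConsentEvent:
    """One consent record (illustrative design, not Bookswarm's): the 'how and when'."""
    email: str
    purpose: str            # the specific purpose shown to the user, e.g. "newsletter"
    source: str             # where it was captured, e.g. a form id or signup page (constructed)
    statement: str          # the exact wording the user actively agreed to
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def record(self, email: str, purpose: str, source: str, statement: str,
               ticked: bool, preticked: bool, given_at: Optional[datetime] = None) -> ConsentEvent:
        # Recital 32: silence, pre-ticked boxes or inactivity are not consent.
        if preticked or not ticked:
            raise ValueError(f"no affirmative consent from {email} for {purpose!r}")
        ev = ConsentEvent(email, purpose, source, statement,
                          given_at or datetime.now(timezone.utc))
        self.events.append(ev)
        return ev

    def withdraw(self, email: str, purpose: str, at: Optional[datetime] = None) -> int:
        """Mark every live consent for this email/purpose as withdrawn; the record is kept
        as evidence rather than deleted. Returns how many consents were withdrawn."""
        at = at or datetime.now(timezone.utc)
        count = 0
        for ev in self.events:
            if ev.email == email and ev.purpose == purpose and ev.withdrawn_at is None:
                ev.withdrawn_at = at
                count += 1
        return count

    def has_consent(self, email: str, purpose: str) -> bool:
        return any(ev.email == email and ev.purpose == purpose and ev.withdrawn_at is None
                   for ev in self.events)

def audit_mailing_list(addresses: List[str], ledger: ConsentLedger,
                       purpose: str = "newsletter") -> List[str]:
    """Addresses with no recorded, unwithdrawn consent for the purpose: the entries
    that cannot be vouched for and must be removed (or re-consented) before use."""
    return [a for a in addresses if not ledger.has_consent(a, purpose)]
```

Addresses added by hand, as in the old Bookswarm list, have no ledger entry and so come back from the audit as entries to drop.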

What should be in our privacy policy?

We’re not lawyers, and can’t write this for you, sadly. Privacy policies have for many years been a box that many website owners have reluctantly ticked without really engaging with the detail. However, under GDPR the stakes are raised, and you should ensure you have a compliant privacy policy that you understand and follow in practice.

This handy privacy policy generator could be very useful – we used it to make our Privacy Policy – and there are plenty of other tools and templates available too.

I need help!

Don’t worry, Bookswarm is here for you. We are offering a special GDPR website audit to all our customers. This includes checking off the key points identified above, and implementing changes if necessary:

  • Add or update Privacy Policy page, and add it to the footer or menu – you will need to supply the policy, but we can tell you what technical information you will require to make sure it’s accurate
  • Add a simple ‘Data removal request’ form, on its own page, and link to it from an appropriate location on the site e.g. from the footer, as well as from the privacy policy itself
  • Check all web forms and ensure they have active and affirmative opt-ins where necessary
  • Advise you on whether your existing mailing list is compliant based on what you tell us about it, and if necessary connect your website to a new, GDPR-compliant mailing list (we recommend MailChimp but other options are available)

All that for the bargain price of £75 (ex VAT). Special rates can be worked out for clients with complex needs or multiple websites. Drop us a line using our quick contact form, or send us an e-mail.

It’s important for us to say that based on the way we build our websites, and the admin access that all clients have, these jobs are all things you can do yourself if you want to. However, we recognise that some clients may not have the time to tackle this, or feel confident about what’s involved, which is why we’re offering this service.

Good luck getting to grips with the joys of GDPR, and may the data gods smile on your endeavours.