GDPR (General Data Protection Regulation) - Small Business Website Design & Management | BlackWebs

GDPR (General Data Protection Regulation)

25 May 2018
What is GDPR?

The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.

According to the Data Protection Act, data is any information that is being processed in response to instructions given for a specific purpose. In practice, this means any data that relates to information about individuals. Excluded from this is anonymised and statistical information, i.e. data that could not be used to identify an individual. However, if a business decides to anonymise its data itself, this does not relieve it of responsibility for protecting that data.

The act also makes sure consumers are protected even after a business goes into bankruptcy or insolvency. In such a case, the consumer should have as many rights as when the company was still trading. One thing that may still be unclear is who is responsible for enforcing this protection. If your business becomes insolvent, it is still your responsibility to guarantee that your consumers’ data is protected. That said, if a limited company goes into administration and the administrators decide to sell the data, responsibility for the security of individuals’ data lies with the administrator prior to and during any data sale. Once the sale has been completed, the responsibility naturally shifts to the purchasing party.

Will you be affected by GDPR?

One of the first steps in preparing for GDPR is to understand what personal data your business holds and what you use it for, keeping in mind that your employee data, not only customer data, is also covered by the regulation.

Smaller businesses (with fewer than 250 staff) have some exceptions but are not exempt. That said, the ICO has produced a wealth of useful information, guides, self-assessment tools and a helpline specifically for smaller organisations; see below.

Also, remember that GDPR applies to any organisation processing the personal data of any EU citizen. Even online retailers in America or China are affected if they deal with EU customers.

Data Controller vs Data Processor

With regard to the processing of payments, you (the website owner) will be the Data Controller. The payment provider (SagePay/PayPal) will be the Data Processor. You control the lawful basis/reason for processing the data, irrespective of which third-party companies you use to process it.

GDPR expects you to declare, in a privacy notice, why the consumer data is necessary for the service/product, what it will be used for, how long you’ll keep it and who it will be shared with, so that the consumer can make an informed decision prior to providing the data to you.

Do we need to appoint a Data Protection Officer?

Under the GDPR, you must appoint a DPO if:

  • you are a public authority (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to appoint a DPO voluntarily, you should be aware that the same requirements for the position and its tasks apply as if the appointment had been mandatory.

Ecommerce Specific

EU legislation aims to keep the consumer as well informed as possible. Before completing a purchase, a consumer has to be informed of their right to cancel the order within 14 days of the purchase being made. This, along with other information, is required to be sent to the customer, usually via email. E-commerce sites are also expected to provide the buyer with a comprehensive breakdown of all costs, including delivery, before they confirm the purchase. The laws also specify that the button clicked to complete an order must carry a written acknowledgement that a payment is being made. Failure to comply with this or any of these laws can be prosecuted as a criminal offence.

Newsletter Re-consenting

Strengthened consent requirements are the core of the new regulation. If you collect or manage any EU citizen’s data, you must:

  1. Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.
  2. Have a clear and accessible privacy policy that informs users how collected data will be stored and used.
  3. Have a means for users to request access and view the data you have collected on them.
  4. Provide users with a way to withdraw consent and purge personal data collected on them; i.e. the “Right to Be Forgotten”.

Cookies

The operator of a website needs to ensure that visitors know that they are on a site where cookies are being used. The information collected should also not be used for any purpose that might be seen as intrusive or inappropriate. It is worth noting that if cookies are necessary for providing goods and services, websites are not required to offer this service to anyone who rejects the use of cookies. As a business website operator, you should be as transparent as possible towards your customers. Do not just tell them what data you want but also why you want this data. Some websites opt instead to tell users what they won’t use the data for. This is not recommended, however, as it may lead to even less clarity. Information on the privacy policy should be easily accessible and ideally made available to the user as soon as possible. This is especially the case when it comes to apps. Always make sure to keep privacy policies up to date with any changes that might have been made in the running of the website.

Under the Privacy and Electronic Communications Regulations (PECR), individuals need to be informed when information (e.g. a cookie) is to be stored on their device, and must be given an opportunity to reject this before it happens.
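The consent list above (explicit opt-in, withdrawal, purge) and the cookie rule just stated come down to one piece of site logic: nothing non-essential is written to the visitor’s device until that visitor has opted in, and withdrawing consent removes what was written. The following is an added example, not BlackWebs’ code nor any of the suppliers’ SDKs. It uses an in-memory cookie jar in place of `document.cookie` so it runs offline, a constructed cookie classification (`COOKIE_CATEGORIES`) and a constructed visitor id; the function names are assumptions for illustration.

```javascript
// Added example (not the page's or BlackWebs' code): a minimal consent ledger that
// gates non-essential cookies on explicit opt-in, records each decision, exports
// everything held about a visitor (right of access) and purges it on withdrawal
// (right to be forgotten). An in-memory object stands in for document.cookie.

// Constructed classification: every cookie the site sets must be listed here.
const COOKIE_CATEGORIES = {
  session_id: "essential",  // needed to deliver the service; no consent required
  cart: "essential",
  _ga: "analytics",         // non-essential: blocked until the visitor opts in
  mc_ref: "marketing",      // non-essential
};

function createStore() {
  return { consent: {}, cookies: {}, audit: [] };
}

// Record an explicit, per-category decision. A missing record means "no";
// consent is never implied. Withdrawal purges that category immediately.
function recordConsent(store, visitorId, category, granted, when = new Date().toISOString()) {
  if (!store.consent[visitorId]) store.consent[visitorId] = {};
  store.consent[visitorId][category] = { granted, when };
  store.audit.push({ visitorId, category, granted, when });
  if (!granted) purgeCategory(store, visitorId, category);
  return store.consent[visitorId][category];
}

function hasConsent(store, visitorId, category) {
  const c = store.consent[visitorId] && store.consent[visitorId][category];
  return Boolean(c && c.granted);
}

// Write a cookie only if it is essential or its category has been opted in.
// Returns true when written, false when blocked. Unclassified cookies are a
// configuration error and are refused outright.
function setCookie(store, visitorId, name, value) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) throw new Error(`unclassified cookie: ${name}`);
  if (category !== "essential" && !hasConsent(store, visitorId, category)) return false;
  if (!store.cookies[visitorId]) store.cookies[visitorId] = {};
  store.cookies[visitorId][name] = value;
  return true;
}

function purgeCategory(store, visitorId, category) {
  const jar = store.cookies[visitorId] || {};
  for (const name of Object.keys(jar)) {
    if (COOKIE_CATEGORIES[name] === category) delete jar[name];
  }
}

// Right of access: everything held about the visitor, in a machine-readable form.
function exportVisitorData(store, visitorId) {
  return JSON.stringify({
    visitorId,
    consent: store.consent[visitorId] || {},
    cookies: store.cookies[visitorId] || {},
    consentHistory: store.audit.filter((e) => e.visitorId === visitorId),
  }, null, 2);
}

// Right to be forgotten: drop consent records and cookies for the visitor,
// leaving only a minimal "withdrawn" entry so the decision itself is provable.
function forgetVisitor(store, visitorId, when = new Date().toISOString()) {
  delete store.consent[visitorId];
  delete store.cookies[visitorId];
  store.audit = store.audit.filter((e) => e.visitorId !== visitorId);
  store.audit.push({ visitorId, category: "*", granted: false, when });
  return !(visitorId in store.consent) && !(visitorId in store.cookies);
}

// Worked run with a constructed visitor id: analytics blocked, then allowed
// after opt-in, then purged on withdrawal while the essential cookie survives.
function demo() {
  const store = createStore();
  const v = "visitor-123"; // constructed sample id
  const before = setCookie(store, v, "_ga", "GA1.2.111");          // blocked: no consent yet
  setCookie(store, v, "session_id", "abc");                        // essential: always allowed
  recordConsent(store, v, "analytics", true, "2018-05-25T09:00:00Z");
  const after = setCookie(store, v, "_ga", "GA1.2.111");           // now written
  recordConsent(store, v, "analytics", false, "2018-06-01T09:00:00Z"); // withdrawal purges _ga
  return { before, after, cookiesLeft: Object.keys(store.cookies[v]).sort() };
}
```

The design choice worth noting is that `setCookie` refuses any cookie that is not classified, so a new tracking script cannot slip past the consent gate simply by not being on the list; and withdrawal is handled in the same place consent is recorded, so the purge cannot be forgotten by a separate code path.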

Right to Access

Data subjects must be able to request and obtain confirmation that data is or is not being collected on them, and if so exactly what data is being collected, how, where, and for what purpose. That data must also be provided to them in an electronic format free of charge on request.

Right to be Forgotten

In Europe, there is a so-called ‘right to be forgotten’. This is a law introduced in 2006 which allows an individual to ask search engines, like Google, to remove any links they might have to news articles and the like, or at least to remove them from the European versions of their sites. This is an idea that has been prevalent in the UK for a long time: over here there is the belief that after a certain amount of time criminal convictions are ‘spent’ and should not be taken into consideration when it comes to things like employment, insurance, etc. On 13 May 2014, the European Court of Justice cemented the place of this law as a human right when it ruled against Google in a landmark case. In that case it was ruled that Google is to be seen as a ‘data controller’ and is therefore required under EU law to remove online data that is ‘inadequate, irrelevant, or no longer relevant’.

Privacy Principles

The Data Protection Act sets out a total of eight principles that businesses must follow when it comes to the use of personal information. Many of the principles have to do with ethics and general good practice for the processing of personal data. We have listed the various principles:

Principle 1: Personal data is to be processed in a way that is fair and lawful

Principle 2: Personal data is to be obtained for one or more purposes that have not only been specified but are also lawful. The data should not be further processed in any way that is incompatible with the specified purpose or purposes.

Principle 3: Personal data is to be adequate, relevant and should not be excessive when it comes to the reason or reasons for their use.

Principle 4: Personal data is to be accurate and should always be kept up to date (if applicable).

Principle 5: Personal data should not be retained for a period that is any longer than is necessary for the purpose or purposes that it has been collected and processed for.

Principle 6: Personal data is to be processed in line with the rights of data subjects under the Data Protection Act.

Principle 7: Appropriate technical and organisational measures are to be taken against unauthorised or unlawful processing of personal data, and against accidental loss of, destruction of, or damage to personal data.

Principle 8: Personal data is not to be transferred to a country or territory that is outside the European Economic Area (EEA). This is only acceptable if the country or territory in question can guarantee adequate levels of protection for the rights and freedoms of data subjects when it comes to the processing of personal data.

Read more about the Data Protection Principles on the ICO website here.

Privacy Policy

There are certain guidelines that websites need to follow to ensure that your website is legal. These include things like company information (name, address, etc.), as well as a privacy policy. The privacy policy is required to inform the visitor about the following things:

  • What information is being collected
  • Why this information is being collected
  • How the information is being stored and kept safe
  • Whether or not the information is going to be shared away from the website
  • How to get in touch with the business/website in question

This is where cookies come into play. The user needs to be informed about what cookies are going to be created and for what purpose. The user also needs to give their consent for any cookies that will be left on the user’s computer, laptop, smartphone, etc.

When it comes to e-commerce sites and online shops, there are certain details and features that must be accessible on the web page. Among these are included:

  • Terms and conditions
  • Delivery and Returns policy

These are part of the general Consumer Protection (Distance Selling) Regulations and Electronic Commerce Regulations (EC Directive). As an e-commerce site, it is highly likely that you are collecting and processing credit and debit card information, in which case you must conform to the Payment Card Industry Data Security Standard (PCI DSS), which is there to help prevent fraud by outlining security and encryption requirements. Another thing that will be relevant to your e-commerce site is the EU anti-spam laws; these relate to things like opt-in mailing lists and their opt-out policies. These EU laws also cover situations where email databases have been purchased; in circumstances like this, you are still required to verify that the individuals involved have given their consent for their contact details to be passed on to third-party websites. Passing consumer information on to third-party websites always requires the consent of the user.

In principle, a privacy policy is basically a contract between your website and the visitor. The more accessible and more comprehensible this contract is, the better it is for everyone involved. This means that you should also ensure that the link to the privacy policy is very visible and easy to find on your web page.

BlackWebs 3rd Party Suppliers and Compliance

1&1 Internet – Servers
1&1 provide server facilities, where website and customer data is held. Customer data comprises full name, address, telephone number(s), email address and password (encrypted).

TSOHost – Servers
TSOHost provide server facilities, where website and customer data is held. Customer data comprises full name, address, telephone number(s), email address and password (encrypted).

Stripe – Payments
Your customer payment details are securely entered and processed, but not stored, on your website. Customer data is transmitted to Stripe.

PayPal Standard – Payments
Your customer payment details are securely entered and processed on the PayPal website, no part of the transaction takes place on your website.

PayPal Pro – Payments
Your customer payment details are securely entered and processed, but not stored, on your website. Customer data is transmitted to PayPal.

WorldPay – Payments
Your customer payment details are securely entered and processed on the WorldPay website; no part of the transaction takes place on your website. Customer data is transmitted to WorldPay.

Barclays – Payments
Your customer payment details are securely entered and processed on the Barclays website; no part of the transaction takes place on your website. Customer data is transmitted to Barclays.

SagePay – Payments
Your customer payment details are securely entered and processed on the SagePay website; no part of the transaction takes place on your website. Customer data is transmitted to SagePay.

Mailchimp
Customer name and email address are securely passed from the website to Mailchimp, and stored on the Mailchimp system.

SendInBlue
Customer name and email address are securely passed from the website to SendInBlue, and stored on the SendInBlue system.

Constant Contact
Customer name and email address are securely passed from the website to Constant Contact, and stored on the Constant Contact system.

BlackWebs Customer Update Schedule

BlackWebs will be updating all customer websites with the following changes before the end of April 2018:

  • Automatic: Newsletter sign-up forms consent updates
  • Automatic: Contact form consent updates
  • Automatic: Cookie policy pop-up (header or footer options available)
  • Automatic: Guide to customer data (where it is stored and how to review/delete it)
  • Manual: Privacy Policy update
  • Manual: SSL Certificate update (optional but advised)

Updates and Templates

Cookies Policy Template – MARCH18 – Download Here

Privacy Policy Template – MARCH18 – Download Here


Useful Resources

ICO – Preparing for the General Data Protection Regulation (GDPR) [12 steps to take now] – PDF (view)