The new GDPR (General Data Protection Regulation) comes into force on Friday 25th May 2018 and covers a wide range of rights and responsibilities. It builds on the 1998 Data Protection Act and strengthens individuals’ rights regarding the collection, use and storage of their personal data.
The law applies to businesses or organisations in the European Union. It also applies to those outside the EU offering goods and services to people living within the EU, so this is likely to be adopted as a global standard.
It’s clear that companies doing direct marketing through channels such as email, direct mail, etc. must already have measures in place in their customer databases and CRM systems. That is beyond the scope of this blog; we’re focussing on websites.
The liabilities presented by your website will be less obvious, as calls to action and data collection vary depending on the type of data collection and data processing taking place. This could be one or more of the following:
- Anonymous tracking data.
- Cookies storing behaviour and interests.
- Personal data such as names, addresses, email addresses, age and gender.
- Sensitive personal data such as credit card details, passwords and preferences.
- Purchase history.
- Other identifiable behavioural information such as pages visited while logged in, links clicked etc.
Before we offer advice on what you can do with your website, let’s make sure we understand the various terms.
Under the GDPR, what is personal data?
Personal data is defined as follows:
any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Article 5 of the GDPR requires that personal data shall be:
- a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Companies of all sizes, from multi-site multi-nationals to micro-businesses, will capture, store and use personal data from customers. Communication must be based either on clearly sought and recorded consent or on Legitimate Interest, where it is an integral part of the business processes.
There are certain situations where you can send communication without prior consent where there is a so-called Legitimate Interest.
This is defined by the PECR (Privacy and Electronic Communications Regulations) and the GDPR in Article 6(1)(f), which gives you a lawful basis for processing where:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
For example, Legitimate Interest covers communication during an online transaction such as delivery alert emails or texts, answering an email enquiry by email and other standard communication.
It is when you want to send individuals communication outside this Legitimate Interest that the GDPR really kicks in.
Main obligations under GDPR for website owners
If you run a website you may do one or more of the following:
- Collect data from email enquiry forms.
- Collect customer data from online sales.
- Record interests in particular products or services.
- Generate user accounts with usernames and passwords for accessing private areas.
- Analyse and store behavioural and web traffic data.
If you want to use this information to send individuals communication about other products and services, then under GDPR you need to gain their consent and keep records of that consent.
Opt-in – the consent must have an active opt-in – pre-filled boxes are not acceptable.
Opt-in specific to each communication method – the opt-in must refer to each type of communication – you can’t text message if you only have permission to email. This permission must be recorded.
Transparency – you will need to explain the lawful basis for processing customer data, as well as how long you retain it for and the customer’s right to complain about how you are using it. This must be communicated clearly and concisely.
Opt-out – individuals must be able to opt-out of communications at any time.
Data portability – individuals have the right to request their personal data in a commonly-used, machine-readable format, provided free of charge and within one month. Consider how your organisation will provide this.
Data security – personal data should be protected “against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. That can mean, for example, using SSL/HTTPS and having strong security measures to protect against data loss and breaches, such as good back-up and PC security measures.
As long as you have been complying with the Data Protection Act and PECR, the GDPR should require moderate changes to your business practices. Making your website compliant may involve some additional work, but the changes are often good practice anyway.
This information is given in good faith based on our own research, plus advice and discussions with clients and colleagues. We cannot be held liable for any disputes or losses resulting from the advice in this blog post. If in doubt seek qualified legal advice.
Please let us know if you have any comments.