Updated 31st May 2018 – The ICO moved their Privacy policy checklist, so we’ve updated the link.
Updated 15th June 2018 – We’ve uploaded a new track, with guest contributor, Matthew from Herrington Carmichael.
Updated for the July 2019 ICO Cookie Guidelines update (see the note in 3b of the Cookie section, Step 3, of this post).
N.B. We are not solicitors and this post is not legal advice. You should always get legal advice from a legal professional. I’ve written this as the owner of a small business for other small and medium businesses, with a focus on websites. This is my own interpretation of the law in the absence of sensible, practical and up to date guidance, and in the presence of a lot of scare mongering. I hope we can shed some light on this and bring some relief, maybe with some light relief in the process.
– James
You can also listen to this post:
Listen to this post on SoundCloud
What is GDPR?
As you probably already know, the GDPR (General Data Protection Regulation) is a new set of Data Protection Rules. This law aims to streamline the way personal data is handled across all EU member states, and by businesses dealing with people in the EU. Why? To prevent unscrupulous marketing and data analysis firms from spying on you – at least without your consent! Before GDPR, there were actually 28 different sets of rules in place in different countries. So this regulation is good news… But we realise it won’t feel like that if preparing for compliance triples your average workload.
But, but… Brexit?
Even though the UK voted to leave the EU, the Government decided that we would still comply with the GDPR. You have to follow the regulations, even if you’re a staunch Leave Campaigner who plans never to do business with anyone outside the M25.
I’m busy. Can I just pay the fine?
Of course! That’ll be 4% of your business’s annual global turnover, or 20 million Euros (whichever is greater), please. Cash, card, or kidney?
Are they really likely to fine me if I bodge it?
Your chances of being left homeless because you sent an unsolicited email to Sandra from Basingstoke are probably slim. But, if Sandra were to object to your email, she could report you. Will she? We don’t know; we don’t know what kind of emails you’re sending out (and we’re happy that way). But it’s possible. It’s also possible that the authorities’ approach will be as it has been in the past, which was to ensure you’re at least working on compliance and to gently push you in the right direction. However, instead of hoping to get around it, see GDPR for what it really is: a chance to experience the life-changing magic of tidying up your mailing lists. Just think of how much higher your email campaign open rates will be!
Ugh. Go on, then. Tell me what I need to do.
We knew you’d see sense.
Here’s a list of what needs to be done:
- Prepare your Organisation Internally.
- Website Privacy Notice – Create or update yours.
- Cookies – Sort out your Website Cookie Control and Policy.
- Forms – Update your Enquiry & Lead Capture forms.
- Records – Record the ‘Opt-in’ process.
- Campaign pages – Create GDPR Landing pages.
- Bump up your security.
- And relax!
Download the checklist as a printable PDF here
Note: This blog post is primarily interested in preparing your website (step 2 onwards), not your whole company. Why? Because we do websites, we’re not lawyers (despite watching every episode of Suits), and GDPR is a legal issue. If you’ve already prepared how your organisation is going to handle GDPR, you can skip to our website tips from step 2. Otherwise, stick with us as we will at least point you in the right direction.
Right, make yourself a pot of tea, grab a (full-ish) pack of Hobnobs, and let’s begin.
Step 1: Prepare your Organisation internally
1a) Get professional advice
Firstly, get some professional advice on how to prepare your organisation internally. So if your school reports regularly included words like “lackadaisical”, it might be an idea to call in some legal big guns to help create your general Company Policy on GDPR.
The Big Guns
Our Big Gun is Data Protection expert Matthew Lea from Herrington Carmichael Solicitors in Wokingham. He says:
“Where we collect personal data of an individual, we are required to provide that individual with certain information such as who we are, where they can contact us, contact details of the DPO [Data Protection Officer] if we have appointed one, why we are processing their personal data, who we are sending it to and if we are transferring it abroad. We must also provide information on their rights as data subjects and how long we intend to keep the personal data for. The best way of doing this is via a privacy notice which can be placed on our websites and on forms used to collect personal data, such as the ‘Contact Us’ forms many websites have. I also often recommend to clients they add a link in their email footers, as this is a great way of making sure the maximum number of people have access to it.”
It sounds so simple when he says it, doesn’t it? And it is, really. (Although the full text of the GDPR makes it sound baffling.) We’ve teamed up with Matthew to produce the Website Privacy Notice and Website Cookie Policy that we are offering, so we rate them.
Slightly Smaller Guns
We appreciate that if you’re a sole trader or micro business, you won’t want to call in a solicitor, and may even have a few spare hours knocking around to work through this yourself. In this case, get yourself comfortable in a chair that won’t leave you with the sensation that your bottom has been anaesthetised and check out small business lawyer Suzanne Dibble’s GDPR materials here.
We suggest watching her webinar to get you started and then acquiring her compliance pack.
We’ve linked to both Matthew and Suzanne because their offerings will appeal to different sets of our customers. We’ve chosen these two because they are both established and experienced experts who make their respective offerings simple, and the subject matter accessible. They are separate third parties though, so remember that their materials and products are not ours and we are not responsible for them. Also, we are unable to adapt any of Suzanne’s templates for you, just our own (see steps 2 and 3, below).
1b) Data Processed by your website
Part of getting your company ready is to identify by whom your data is processed and where. Therefore during this process, you will need to chat to your website designer (hi!) to find out what data is processed by your website, then to your website host (hello again!) to ask where this data is processed.
If we host your website, please do feel free to ask us.
Onto the website stuff!
Step 2: Website Privacy Notice – Create or update yours
You need a notice on your website that explains your privacy policy (under GDPR) to people. This must be separate from your Terms and Conditions of Business and your Cookie Policy (see the next step for that).
If you haven’t got your new Privacy Notice sorted yet, we can provide a template and customise it for you. As ever, just ask. If you have an existing Privacy Policy on your website that was written before GDPR came in, then you will need to update it now to ensure you are compliant.
Want to write it yourself? The ICO (Information Commissioner’s Office, which is the UK body for this stuff) has a handy and simple checklist of what you should include. Yes, a government department with a simple checklist! No, this is not April Fool’s (we’ve done that already…).
Step 3: Cookies – Sort out your Cookie Control and Policy
This section is likely to be revised later, or followed up with another post (see 3b below for why).
3a) Biscuit Basics
Firstly, you should know that there are two types of cookies:
- Essential, i.e. required to make the website work; e.g. logins.
- Non-essential, i.e. not needed to make the website work; e.g. analytics tracking.
3b) What to actually do
N.B. Re. Cookies
Update: Following the ICO’s updated guidance on cookies in July 2019, the ‘Implied Consent’ approach to cookies, which this post encouraged as a minimum (marked by an * below), is no longer compliant. We will write a new post about cookies only (try to contain your excitement) as soon as possible.
Click here to read the ICO’s guidance.
Right now, we’re adopting the following suggested route for our customers:
- Audit – Know what cookies are being used by your website (if you don’t already), and write them down in your GDPR file (even if that’s on a napkin).
- Create a Cookie Policy – In your Cookie Policy, tell your users what you’re collecting on them and how you use that data. Be clear and keep it simple.
- Anonymise your Analytics – If appropriate to your marketing, ask your website designer to instruct Google Analytics to anonymise the data it records.
- Analytics Retention – Set your Google Analytics retention period, or ask your friendly web people to. This will be the length of time you decided (during Step 1) that you should retain this data for. (We therefore suggest that you remember to extract the reports without the identifiable information every so often, so you have a record of those reports.)
- Setup Control (for non-essential cookies) –
  - * If you only have anonymised Google Analytics, then ensure you comply with the ePrivacy Directive by having a Cookie Notice on your website that uses at least the ‘Implied Consent’ method of consent. *
  - If you use other cookies that track users and capture identifiable information, then explicitly ask for permission before deploying them.
We have solutions for all the above. Just contact us!
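As an added example of the “Anonymise your Analytics” and “Setup Control” items above (this is not SiteBites’ or Google’s own code), the snippet below only injects Google Analytics after the visitor has explicitly opted in, and switches on IP anonymisation when it does load. The `cookieConsent` storage key, the shape of the stored decision, the `UA-00000000-0` property ID and the helper names are assumptions; `anonymize_ip` is a real gtag.js parameter for Universal Analytics properties.

```javascript
// Added example for Step 3 (not SiteBites' or Google's own code): load Google
// Analytics only after an explicit opt-in, and switch on IP anonymisation when
// it does load. Storage key, property ID and consent record shape are assumptions.

const GA_PROPERTY_ID = 'UA-00000000-0'; // placeholder, not a real property ID
const CONSENT_KEY = 'cookieConsent';    // assumed localStorage key written by the banner

// The banner stores the visitor's decision as JSON: { analytics: true|false, at: ISO time }.
function recordConsent(analyticsGranted, now = new Date()) {
  return JSON.stringify({ analytics: analyticsGranted === true, at: now.toISOString() });
}

// Only a stored, explicit "granted" decision loads the tracking script. A missing,
// malformed or non-boolean record counts as no consent (there is no implied consent).
function shouldLoadAnalytics(storedValue) {
  if (typeof storedValue !== 'string') return false;
  let record;
  try {
    record = JSON.parse(storedValue);
  } catch (err) {
    return false;
  }
  return record !== null && typeof record === 'object' &&
    record.analytics === true && typeof record.at === 'string';
}

// gtag.js config for Universal Analytics: anonymize_ip is a real gtag.js parameter;
// Google zeroes the last octet of IPv4 addresses (last 80 bits of IPv6) before storage.
function analyticsConfig() {
  return { anonymize_ip: true };
}

// Browser-only: inject gtag.js and configure it. Returns false outside a browser so the
// decision logic above can be exercised in Node without a DOM.
function loadAnalytics(propertyId) {
  if (typeof document === 'undefined' || typeof window === 'undefined') return false;
  const script = document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(propertyId);
  document.head.appendChild(script);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', propertyId, analyticsConfig());
  return true;
}

// Page load: consult the stored decision; never load analytics by default.
function initAnalyticsFromStorage(storage) {
  if (!storage) return false;
  return shouldLoadAnalytics(storage.getItem(CONSENT_KEY)) && loadAnalytics(GA_PROPERTY_ID);
}

if (typeof window !== 'undefined') {
  initAnalyticsFromStorage(window.localStorage);
}
```

The banner’s “Accept” button would call `localStorage.setItem(CONSENT_KEY, recordConsent(true))` and then `loadAnalytics(GA_PROPERTY_ID)`; “Reject” stores `recordConsent(false)`, so the next page load stays analytics-free. `anonymize_ip` applies to Universal Analytics properties, the kind in use when this post was written; GA4 properties do not store IP addresses and need no flag.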
3c) I’m bored/waiting for a train/bus/sunshine, please tell me more
The actual GDPR documentation makes only a passing reference to Cookies, with which we won’t bore you. Suffice it to say that if you can identify an individual, even through an IP address (which every computer has), then that’s still identifiable info and now protected.
It has been little advertised that revisions to the ePrivacy Directive are currently working their way through the legislative pipeline, like a snail on Valium. Yes, that law that originally triggered the onslaught of annoying pop-up bars, boxes and banners asking you if you wanted a cookie (called Cookie Notices). Before you curl up in a corner and weep uncontrollably, bear with us; there’s some good news!
The proposed changes to the ePrivacy directive are that responsibility for cookie control would move to your web browser (e.g. Chrome, Safari, Firefox, Edge, etc.), which in theory would mean that we might eventually be able to ditch those pesky Cookie pop-ups.
The bad news is that this is currently just a proposal, so right now you have to do what the GDPR law says, which we’ve covered in our steps above. Whether you comply with this or not is your responsibility…
Step 4: Forms – Update your Enquiry & Lead Capture forms
4a) Tick-boxes
Firstly, where you are using Consent as the basis for collecting data (e.g. enquiry forms), you need to have tick-boxes for the person to use to indicate they opt-in and consent!
N.B. Anywhere you have a tick-box for this, you must no longer have it pre-ticked.
4b) Tick-box Statements
Secondly, wherever you capture someone’s details, make it clear what you will use them for; e.g. “I consent to receive emails about your products and special offers.”
For example, ours might say, “This form collects your name and email address so we can add you to our newsletter list, and persistently wear you down until you buy one of our websites through Stockholm Syndrome.”
You will need to write this sentence to fit your organisation; we can only provide this as an example.
4c) Give them Options
If you’re worried someone might not opt-in to your marketing but you want them to get in touch anyway, then we suggest offering them granular options. For example, two tick boxes, such as:
- I agree to the terms of your beautiful new SiteBites Privacy Notice and to be contacted about this enquiry.
- I also consent to receive further emails about your products and special offers.
Step 5: Record the ‘Opt-in’ process
To comply with (and show you’re complying with) GDPR, you must keep proof of Opt-ins. So you’ll need to record the process your Opter-Inners went through to give their consent. This means recording:
- What – What the person saw on the screen when they opted-in.
- When – When the person opted in (time and date).
- Where – Keeping a log of the opt-in against their file; e.g. ‘from website; Contact page’.
The easiest way to do this is to put all of that information into the email that your website sends you, including the text that the person saw when they opted in, and keep that in the file for that contact. Having a folder in your email inbox to keep these might not be a bad idea.
As part of this process, you will also need to ensure your records themselves comply with your new GDPR-compliant internal record keeping policies. This isn’t as daunting as it may seem when it comes to the website: you already know what data the site is keeping and where, from your questions in Step 1. So if your website is storing data (for example from enquiry forms) and this doesn’t match your policy, then ask your pet web geeks to disable that functionality and delete the stored data.
Step 6: Create GDPR Landing pages
As well as having Opt-in fields on your contact forms (see Step 4), it might be an idea to create specific pages on your website that allow users to Opt-in or Opt-out.
The Opt-in pages can be especially useful if you are asking your email list to refresh consent.
We can create these for you, as well as help with email campaigns.
If you’d rather make your own, then create a new page and add a simple form to it. Remember Step 5; record what the form said on any record of the submissions.
- The Opt-In page: create a page that allows people to specifically opt-in to your marketing emails, and that links to your Privacy Policy (which states exactly how their data will be used).
- The Opt-Out page: as above, but in reverse. Give people the ability to give the finger to your marketing.
Step 7: Bump up your security
The security of data on your website is your responsibility, both when it’s nestling quietly on your website, and when it’s skipping about on its way to your customers’ internet browsers.
To protect it, you need two kinds of internet security:
- Security that protects your on-site data. This includes up-to-date patches, strict password policies, encrypted databases, and hack protection. A decent hosting provider (ahem) can do all this for you.
- Security that protects your data on its travels. An SSL certificate acts like a bodyguard for internet data, encrypting it between your site and the visitor’s browser; we can add an SSL Certificate to your site quickly and cheaply.
Step 8: Have a G&T and relax
We know the bureaucrats won’t care, but you’ve earned it!
If you need any help at all with applying GDPR on websites, including creating your Privacy Notice, Cookie Policy, applying Cookie Control, anonymising Google Analytics, updating your contact forms, reviewing your security or advising you on the best gin, contact us!
The law kicks in on the 25th May 2018, so make sure you’re at least on your way to compliance by then.
Most importantly, don’t panic.
Download the checklist as a printable PDF here