Plenty of time has passed since the GDPR entered into force, and things have finally started to move forward. Companies are becoming increasingly aware of their obligations, even though the general level of awareness is still rather low. This is not the companies’ fault: the institutions have done very little to help them get up to speed with the new regulation, and many governments introduced their bills only a few days before the GDPR was to enter into force. Panic ensued as a result, which should surprise no one.
Nowadays, most companies (even smaller ones) as well as non-profits have indeed started working on becoming GDPR-compliant. In some cases this is driven by fear of fines, and the GDPR is viewed mostly as yet another form of taxation by EU bureaucrats.
Compliance on the Web
What exactly does it mean to be “compliant”? Well, when it comes to websites, you should consider the following:
- Does my website collect personal data?
- If it does, are my visitors aware of that fact?
Before you ask, yes, most websites do collect personal data, even if you personally are unaware of the fact (this website does so, too, for example). Cookies and related technologies are certainly at the forefront of such stealthy data collection, but data can be collected in other ways too, such as via contact forms, newsletter subscription forms, comments etc.
The law does not prescribe any mandatory elements that must be placed on the website in order to become compliant. If you are, for example, certain you don’t collect personal data via your website (which does not happen often), you truly don’t need privacy policies and the like.
A fully compliant website will contain all the necessary notices and allow your users to manage their privacy preferences. In the next section we will go over the most glaring issues we encountered in the last few months.
Plenty of pages contain contact forms through which potential clients can submit a query without leaving the comfort of their web browser. It’s a very convenient way of getting new clients, since manually sending e-mails is too much of a hurdle for many users.
However, care needs to be taken when implementing contact forms on your website. A great many contact forms contain fields that ask for far more data than is needed. The most common superfluous fields are name and surname, phone number, sex, even occupation. In most cases these are simply not required for you to answer the query; accordingly, you shouldn’t be collecting this data in the first place.
If such data is absolutely required, you can follow up with the client and ask them to provide it. Collecting personal data in advance because it might be needed later is not in line with the GDPR and is treated as excessive processing.
What do I have to do?
Consent and newsletters
You will generally need to obtain consent from individuals who sign up to receive newsletters and/or marketing communications. This means you should have some form of confirmation that a person really wanted to sign up and understood all the circumstances.
Some companies opted for the complete deletion of their customer databases and did away with newsletters altogether; such a nuclear option is generally unnecessary.
What do I have to do?
Provide an additional checkbox next to the e-mail field so that people can tick it if they want to receive your promotional messages. This applies where you collect e-mail addresses for some other purpose (such as registration), where it is not expected that the address will be used for marketing. Make sure to add a short privacy notice outlining the purposes of processing and the individual’s rights (this applies in all cases).
Another solution is the so-called double opt-in principle. Here, users must confirm their registration by clicking on the link provided in a confirmation e-mail, which also carries the additional information. If they don’t, the e-mail record is deleted.
What about legitimate interest?
Do not go overboard and send such e-mails too often. Outline the recipients’ rights in every e-mail you send, particularly the right to unsubscribe, and include a prominent unsubscribe link that lets users opt out instantly. The GDPR allows no exceptions for direct marketing: upon request you must cease such activities, no matter how strong your legitimate interests are.
The pervasive use of cookies is mostly a result of the widespread use of templates, plug-ins and other ready-made solutions that work as black boxes of sorts. It’s no wonder many website owners aren’t even aware that personal data is being collected and their users tracked by various advertisers.
For example, Google Maps is widely used as an interactive way to mark the office location on a web page; Google generally serves advertising cookies in this case. The situation doesn’t differ much for social media buttons or live chat platforms such as Zendesk.
What do I have to do?
Plenty. First, reduce the number of cookies your website sets: remove superfluous plug-ins and elements, which bog down your site anyway. This will dramatically reduce your workload in the next step.
Then, make a list of all the cookies you use. It’s easier to do so manually, but several online tools exist that do this automatically (with errors, so the method is not 100% reliable). Bear in mind that not all cookies collect personal data; those that don’t remain outside the scope of the GDPR. Necessary cookies are also fine to use, as per the ePrivacy Directive.
On the other hand, analytics and marketing cookies shouldn’t be set without consent.
When providing a cookie notice, you should ask for valid consent first. The notice above violates two principles. First, implied consent is invalid under the GDPR. Second, according to Article 7(3), “it shall be as easy to withdraw consent as to give it”, which is not the case here.
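A consent gate that applies both principles, as an added example that is not part of the original post: nothing non-essential loads until the visitor explicitly opts in, and withdrawing takes the same single action as granting. The category names, the storage interface (getItem/setItem/removeItem, as in window.localStorage) and the loader registry are assumptions.

```javascript
// Added example (not from the original post): a consent gate for non-essential
// cookies. Category names, storage interface and loader registry are assumptions.
const CATEGORIES = ["analytics", "marketing"]; // strictly necessary cookies are not gated

class ConsentGate {
  constructor(storage) {
    this.storage = storage; // anything with getItem/setItem/removeItem
    this.loaders = { analytics: [], marketing: [] };
    this.loaded = new Set(); // loaders already run, so each runs at most once
  }

  // Register code (e.g. the tag that drops analytics or ad cookies) that may
  // only run once its category has been explicitly consented to.
  register(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    this.loaders[category].push(loader);
  }

  // No stored record means "not consented": ignoring the banner or scrolling
  // on never counts as consent, so every category defaults to false.
  current() {
    const raw = this.storage.getItem("consent");
    const saved = raw ? JSON.parse(raw) : {};
    return Object.fromEntries(CATEGORIES.map((c) => [c, saved[c] === true]));
  }

  // One click to grant: persist the choice and run the loaders now permitted.
  grant(categories) {
    const state = this.current();
    for (const c of categories) if (CATEGORIES.includes(c)) state[c] = true;
    this.storage.setItem("consent", JSON.stringify(state));
    return this.apply();
  }

  // One click to withdraw, matching Article 7(3): same effort as granting.
  // (Cookies a loader has already set still have to be expired by the page.)
  withdrawAll() {
    this.storage.removeItem("consent");
    return this.current();
  }

  // Run each permitted loader exactly once; return the active categories.
  apply() {
    const state = this.current();
    for (const c of CATEGORIES) {
      if (!state[c]) continue;
      this.loaders[c].forEach((fn, i) => {
        const key = `${c}:${i}`;
        if (!this.loaded.has(key)) { this.loaded.add(key); fn(); }
      });
    }
    return state;
  }
}
```

On a real page, `apply()` runs once at load time, `grant()` is wired to the banner's accept button and `withdrawAll()` to a link that is as visible as the accept button.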
Don’t forget formatting. Properly formatted documents are easy to read and navigate. Avoid copying and pasting plain text without any navigational elements; this defeats the purpose of such a document.
If you also collect data at your physical location (store, office, etc.), it is prudent to display a similar document prominently so that individuals can make an informed decision on whether to provide you with their personal information.
Contents of privacy policies
Then, explain what you do with the data, when, and how. List all the cases in which you collect data and, for each, the data collected. Set firm retention periods and stick to them. Outline the data protection measures you undertake and state where the data is stored. If you collect special categories of personal data or data relating to children, take special precautions: you need parental consent for children’s data if you process it on the basis of consent.
If you plan to transfer data outside the EU to countries not deemed adequate (according to the adequacy decisions adopted by the European Commission), mention that in your policy and state the mechanism used for the transfer. Luckily, so far, the US is considered adequate owing to the Privacy Shield. Don’t forget to list the procedures that apply in case of a data breach.