How to make your website GDPR compliant?

Updated 8th May 2018

Hello

So you’ve read all about GDPR, you’ve done a company-wide data audit and now you need to make sure that your website is compliant. In this post I’ll go through the main areas of a standard Ecommerce website and suggest ways they could be made GDPR compliant, based on what the ICO says about GDPR.

The main thing to consider with regard to your website is what the GDPR calls the ‘Legal grounds for processing’. These are:

a) Consent: The individual has given clear consent for you to process their Personal Data for a specific purpose.
b) Contract: The processing of Personal Data is necessary for a contract you have with an individual, or because they have asked you to take specific steps before entering into a contract.
c) Legal obligation: The processing of Personal Data is necessary for you to comply with the law.
d) Vital interests: The processing of Personal Data is necessary to protect someone’s life.
e) Public task: The processing of Personal Data is necessary for you to perform a task in the public interest or for your official functions, and the task of the function has a clear basis in law.
f) Legitimate interest: The processing of Personal Data is necessary for your legitimate interests or the legitimate interests of a third party unless there is good reason to protect the individual’s Personal Data which overrides those legitimate interests.

The grounds that will probably apply to you are Consent, Contract and Legitimate Interest, and these are the only ones I’ll be referring to in this post.

Let's start with something simple:

Contact Forms:

Contact forms, where someone enters their name, email address and a short message on an online form to contact you, are classed as ‘Legitimate Interest’, so consent, and therefore an opt-in, is not required under GDPR. A simple line of text explaining what you will do with their Personal Data and a link to your Privacy Policy would be sufficient. From 25th May, GDPR requires a link to your Privacy Policy at the point of data collection, not just in the footer of your website.

A basic example might be:
Your name and email address are processed and sent to me via email. Your data will not be shared with or sold to any company. We will process your data in accordance with our Privacy Policy.

Signup Forms:

Getting people to sign up to your mailing list requires explicit consent. This means that you are no longer allowed to use pre-ticked boxes or implied consent; they have to actively opt in.

You will need to tell the person at the point of data collection exactly what they are signing up for. For example, if you want to send emails about your business (Newsletter) and your services (Special Offers), state both! Make sure you also have a link to your Privacy Policy. In this example no tick box is required, unless you run two separate mail campaigns. Taking the user’s email address, explaining what they are signing up for and that they can opt out at any time, and linking to your privacy policy is enough to constitute consent, as long as you keep a record of how you collected the data and you only use the data for this sole purpose. Double opt-in is a great option here, but not a requirement under GDPR.

Depending on your wording and how you are promoting your lead magnet, it might be a better solution to add an opt-in tick box as well as the information above, just to be on the safe side. You can then be assured that you are 100% GDPR compliant.

An example signup form text is:
Sign up to our newsletter that includes news, offers and promotions and receive your free ebook. Your data will not be shared with or sold to any company. You will have the opportunity to unsubscribe at any time. We will process your data in accordance with our Privacy Policy.

Existing Subscribers:

GDPR requires that you provide people with your privacy policy at the point of data collection. If you collected Personal Data in the form of a subscriber to your mailing list prior to 25th May 2018, you need to ensure that the subscriber had access to a privacy policy that met the requirements of the Data Protection Act, that they opted in (no pre-ticked boxes) and that there was enough information to tell them exactly what they were signing up for.

If they weren’t provided with this privacy policy, the box was pre-ticked, or the information about what you would do with their data was lacking or misleading, you’ll need to get them to re-opt-in to your newsletter. However, if you had a privacy policy available at the time of data collection, the user had to opt in (no pre-ticked boxes) and there was clear text explaining what you would do with the email address, you will not need to get people to re-opt-in.

If you think you will need to ask your subscribers to your newsletter to re-opt-in, view it as a good time to do a spot of list housekeeping and re-engage with your subscribers.

Blog Comments:

If you have a blog on your website and you allow comments, people will most likely need to give their name and email address to comment. The user’s IP address will most likely be processed too, for security reasons. This requires consent, which can take the form of a sentence that explains what you will do with the personal data together with a link to your privacy policy. An opt-in tick box is not required under GDPR.

An example blog comment form text might be:
I am glad you’ve chosen to leave a comment. Please be aware that comments are moderated and your name and email address are stored in accordance with my privacy policy.

Checkout:

When a customer buys something from you they will likely give you their name, email address and, if the product needs delivering, their home address. These details are classed as personal data under GDPR, but fall under the contract ground for processing and so do not need consent to be stored. However, it is also likely that they will need to agree to your terms and conditions, and if you don’t have a link to your privacy policy in your terms and conditions, it is advisable to have a few words and a link to your privacy policy in your checkout.

An example checkout text might be:
Please read our privacy policy for more information on how we store your personal details.

Cookie Policy:

Almost all websites, no matter how simple, use cookies to work. However, some cookies do not collect Personal Data and do not fall under GDPR. Some cookies are essential for the website to work (e.g. on an Ecommerce site), and some can be very simply configured so that no Personal Data is taken (e.g. Google Analytics) and so do not fall under GDPR. These cookies can continue as they are, until the new ePrivacy Law comes into effect next year.

With regard to your cookie policy, the main thing is to understand what you are using cookies for. As long as you explain this to your users and make the information easy to find and understand, you should be okay. Find out what cookies your site uses, what personal data they collect, if any, and what you, or third parties, do with that data, and have this clearly written in your cookie policy.

You can see what cookies a web page sets by using your browser’s ‘Inspect Element’ (Ctrl-click) and choosing ‘Storage’. You will need to do this for each page type.

It is a good idea to tell the user in your cookie policy how they can delete cookies from their browser.

Cookie banner:

This is a good time to update the wording on your cookie banner. The more you do now, the less you’ll need to change next year when the new ePrivacy Law comes into effect. The new ePrivacy Law is expected to focus on browsers, in that the browser will ask you about cookies, rather than the website itself. Based on the information we have so far, getting consent to track online browsing habits will fall into the hands of the four main browser companies: Google (Chrome), Apple (Safari), Mozilla (Firefox) and Microsoft (Edge), although you will still need to have a clear and compliant cookie policy.

There are cookies that fall under GDPR because they collect Personal Data, e.g. an IP address. These cookies should require an opt-in from the user before they are activated on your site. You will need to do a cookie audit on your site to find out what cookies you use, what data they collect and how to handle each of them on your site.

An example cookie banner text is:
In order to give you the best experience, this website uses cookies to personalise site content and analyse our traffic. Click the 'Accept' button to agree to the use of cookies. Or read our cookie policy here.
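To show what “opt-in before the cookie is activated” looks like in practice, here is an added example (not code from the original post): the page records the visitor’s explicit choice in a consent cookie and only allows non-essential scripts, the ones that set analytics or marketing cookies, to run once that choice is recorded. The cookie name, categories, expiry and script catalogue are assumptions chosen for illustration.

```javascript
// Added example: consent gating for non-essential cookies. Cookie name, categories,
// expiry and the script catalogue below are assumptions for illustration only.
const CONSENT_COOKIE = 'cookie_consent';      // assumed name of the consent record
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;   // assumed policy: re-ask after ~6 months

// Constructed catalogue of scripts a site might load, tagged by cookie category.
const SCRIPTS = [
  { src: '/js/cart.js',      category: 'essential' },  // needed for checkout to work
  { src: '/js/analytics.js', category: 'analytics' },  // sets tracking cookies
  { src: '/js/ad-pixel.js',  category: 'marketing' },  // third-party marketing cookies
];

// Parse a raw Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the recorded consent. A missing or malformed record means NO consent:
// the default must never be opt-in.
function readConsent(cookieString) {
  const none = { analytics: false, marketing: false, recordedAt: null };
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return none;
  try {
    const c = JSON.parse(raw);
    return { analytics: c.analytics === true, marketing: c.marketing === true, recordedAt: c.ts || null };
  } catch {
    return none;
  }
}

// Build the Set-Cookie value that records an explicit choice, with a timestamp so the
// site can show when and what the user agreed to. Secure + SameSite limit exposure.
function buildConsentCookie(choices, now = new Date()) {
  const value = encodeURIComponent(JSON.stringify({
    analytics: choices.analytics === true, marketing: choices.marketing === true, ts: now.toISOString(),
  }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Decide which scripts may run: essential ones always, everything else only after opt-in.
function allowedScripts(consent, scripts = SCRIPTS) {
  return scripts.filter(s => s.category === 'essential' || consent[s.category] === true).map(s => s.src);
}
```

In the page itself you would call `allowedScripts(readConsent(document.cookie))` on load and inject a script tag only for each returned source, then show the banner whenever `recordedAt` is null.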

Privacy Policy:

Chances are that even if you have a privacy policy, it is not GDPR compliant, as GDPR requires numerous things to be included in it. If you don’t already have a link to your privacy policy in the footer of your website, add one so that it appears on every page of your website. If you do already have one, make sure that you replace the old privacy policy with the new GDPR compliant privacy policy.

How should you write a privacy policy?

What is important in your privacy policy is that it is clear, easy to read and easy to understand. It doesn’t even have to be that long. It’s there to communicate to your customers that you are trustworthy and that you respect them. You should be happy to tell them that you keep their information secure.

The following questions should be considered when writing your GDPR compliant privacy notice, but
* Who are we?
* What type of data do we collect?
* Who is collecting the data?
* How is the data collected?
* Why is the data being collected?
* How will the data be used?
* Who will the data be shared with?
* How can I opt-out of data collection?

Informing people about your updated Policy:

GDPR requires you to inform your subscribers and customers about your updated Privacy Policy. This should confirm, amongst other things, how you collect and process their personal data, for what purposes you use their data, the legal grounds for processing such data, how you keep their data secure and their rights in relation to such data.

Online Security:

As your website collects, stores and processes personal data, you need to make sure that this data is secure. Any data that is stored online needs to be password protected and stored on a secure server. Make sure you have a list of all personnel in your business who have access to this data, and inform them of GDPR and their responsibilities.

Any Personal Data that is transferred via your website needs to use HTTPS to ensure it’s encrypted in transit. To do this your website will need to have an SSL (Secure Sockets Layer) certificate, today more accurately called a TLS certificate, installed on your web server. The certificate lets the browser verify that it is talking to your server and establish an encrypted connection with it. Once this is done, all data sent via a submitted form is readable only by the user’s browser and your web server, not by anyone watching the connection in between. This helps to protect online users against hackers and means that you are well on the way to having your business GDPR compliant.

Laptop:
If you can access the data collected via your laptop, you need to think about how secure your laptop is. What would happen if your laptop was stolen? How easy is it to gain entry to your laptop and then access all the data?

Offline Security:

If you keep records of people that include personal data offline, in the form of paper files, these files need to be stored securely under lock and key, as GDPR applies to all personal data, not just data held online.

Third Parties:

There are strict rules on transfers to third parties outside the EEA (European Economic Area). You will need to check which countries your third parties are in and whether each country has an adequacy finding (a decision that a country outside the EU offers an adequate level of data protection) or, for the United States, whether the third party is certified under the GDPR-approved Privacy Shield.

Data breach:

A data breach occurs where there is a loss, alteration, or unauthorised disclosure of or access to personal data AND there is a risk to the rights and freedoms of individuals. If there is a data breach, you must notify the ICO within 72 hours of the breach.

Disclaimer

This guide is not legal advice and by using it you agree to this disclaimer. The materials provided are for informational purposes only and do not constitute advertising, a solicitation or legal advice. You should not rely upon this information for any purpose without seeking legal advice. The information contained is provided only as general information and may or may not be useful to you in your current situation or reflect the most current legal developments; accordingly, information is not promised or guaranteed to be correct or complete.

If you have a comment or want to ask any questions about GDPR, please leave a message below.

Until next time…

Colin