From the 25 May 2018, Europe's General Data Protection Regulation or GDPR comes into force. It's aim is to improve the privacy of European citizens by requiring businesses who operate within Europe to protect the information they have of EU citizens. We explain our interpretation of what you need to consider doing about the GPDR and what we are doing.
Understanding the GDPR
Due to rising concerns over the privacy of the EU's citizens online, the GPRD will replace the old Data Protection Collective. This is because the DPC was set in place before the internet became what it is today. The aim of the GDPR is to increase the security for the information about individual people which businesses within the EU hold.
The information which the GDPR is concerned with includes:
- Names, addresses, ID numbers
- Health and genetic information
- Political opinions
- Sexual orientation
- Web information, such as IP addresses, cookie data and RFID tags
- Biometric data
- Ethnic or racial data
You (and your company) are subject to the GDPR if you store or process information about citizens of the EU within EU states, even if you do not have a physical presence within the EU.
Complying with the GDPR
From 25th May 2018, if you use or store the information of anyone from within the European Union, you must comply with the GDPR. If you don't, you face huge fines of up to €20 million or 4% of your worldwide turnover, plus be sued. You may also have to pay compensation to any individuals who's privacy has been breeched.
You don't need to be living or have your business physically located within the EU to be subject to the GDPR either. For instance, if you live in New Zealand but sell products/services to people in the EU, or monitor the online behaviour of people in the EU, you must comply. Also, if you use tools such as web analytics or cookies to check how many people from Europe visit your website, you must comply. Potentially, this means everyone with a live website people in Europe can visit!
To comply with the GDPR, when handling any data from people located within the GDPR, you must understand and implement the following:
- Communicate - have a privacy policy on your website which says what the data you collect is, how you are going to use it, why you are able to use it (it was given to you etc), how long you will hold that information and a statement which says people can complain to the ICO if they believe you are mishandling their data.
- Holding Information - keep records of how you have processed that data and tell people who use the data you have collected about any changes which you make to it.
- Give rights - the people who's data you have collected have the right to access it, know what you're doing with it, be able to correct it, tell you to erase it - basically they can tell you what to do with it and know what you're doing with it.
- Lawful - all the information you collect needs to have a lawful reason as to why you are collecting and storing it, which is written in your privacy statement.
- Consent - people must give you conset freely before you collect this data and be able to withdraw consent at anytime.
- Children consent - children cannot give consent until they are 16 years old. Consent must be given by a parent or guardian.
- Data breaches - you must have a process ready to report data breaches to the ICO.
- Access - if you are asked for information on data you have, you must give this within one month.
How We Interpret the General Data Protection Regulation
- "Web Widgets Ltd" aka "Website World" is a data processor, not a data controller. This means all legal liability is with you (the website owner) to comply with the law. In most cases, all online service providers have a similar policy. We provide data storage services, but we don't create, manage, nor use your data ourselves.
- We will comply with all GDPR requirements: to only collect your data for the purposes of building your website and communicating with you. We will not sell nor share your data, except that where we are required to with authorised government agencies. We will delete your data if you request it, and if retention of the data is not necessary to comply with other jurisdictional issues, such as when you don't comply with laws, or when your financial account is in dispute.
- We will not store permanent tracking cookies on our websites, nor customers websites, unless a user specifically opts in. Users can opt in on login forms, and when selecting the remember my customer details on a form. This means you immediately comply with those sections of the law if you don't use any third party plug in services.
- We will not make any statement with regards to the use of cookies, including but not limited to Google Analytics, AddThis, Facebook, or any third party plug in that you, or we, use. We will defer to future updates as to their compliance, and do not believe it is user experience centric to enforce pop-ups forms for users to accept cookies.
- You should add a short plain English privacy statement to all forms on your website, stating how you will use any data collected, with a link to your full privacy statement. The statement should be about two sentences long, and explicitly state in plain English why you are collecting this information. An example statement could be,"We will use this information to communicate solely with you. We will not not sell or share this information with anyone and further information is available in our Privacy Policy." (see below in this blog for more information on how you can add this on subscription forms, contact enquiry forms, shopping forms and custom enquiry forms).
- We will be creating a double opt-in feature for subscriptions before 25th May 2018. A double opt-in feature is when a user must confirm a link in a welcome email, before you can send an ordinary newsletter. We will leave the choice to use this up to you, but we advise you use this approach . It will be the default option to begin with. When enabled, you will only be able to communicate with "confirmed email" status customers. You should send a short email to all your customers with the special [CONFIRMLINK] tag included asking them to confirm that want to receive further emails from you.
- We will forward any request by an end user, for data access or deletion, to you. We will act on an end users request if you have not responded to us with a week. When we say that data is deleted, we do not delete data backups immediately. We need backups to be able to restore data on request, or in the case of error. Eventually all backups are deleted after a retention period.
- We are delaying our "scarcity" display logic, eg "3 other users are looking at this product right now" until we have had time to confirm our implementation is fully compliant with European law.
- We will be modifying or deleting recently created "user product view tracking reports."
- We do not store any identify able user data in our URLs. All personal data is transferred via form posts. This means personal information is safe from analytics logs and third party plug ins.
- All websites not on an SSL mode should upgrade to an SSL compatible hosting plan, to ensure data privacy of your customer data during transmission from their computer to your website.
How to Add Privacy Statements to Forms
Adding a two sentence privacy statement to all forms on your website, stating how you use the data you collect and giving a link to your website's Privacy Policy is recommended. For further information on how to set up forms, please visit our CMS Help website. Here is how to add the privacy statement to an existing form.
- Subscription Forms - once you have set up your subscription form on it's own individual page, open the page to edit it like you would any other page. In either the Page Introduction or Page Footer, enter your privacy statement and Privacy Policy link.
- Custom Enquiry Forms - to add a contact form, select the page type Enquiry Form. Then choose the type of contact form you want and enter in the menu text, page heading and SEO file name. Then select Edit Form Page and choose the features you want to include on this form. Replace the text above the form with your privacy sentences and link to your Privacy Policy.
- Shopping Forms - you can add text to your shopping cart which contains your privacy statement and link to Privacy Policy. To do this, under the blue Shopping button option, select the Customise Display Options and Notifications option. Then scroll down the page until you read the Checkout Additional Text Insertion option. Here you can enter your privacy statement in the area on the checkout page which suits you best, preferably around the area where customers enter their contact details, which would be the Checkout-Comments/Questions after order summary option.
- Custom Enquiry Form - you can apply a custom enquiry form to an existing page. Detailed instructions on how to do this can be found on our Help CMS website.
Disclaimer: We are not able to provide legal advice. This blog is to give some direction to helping you comply with the various international laws. Any error or obmission in this blog will not place liability with us. If you are confused by any part of this blog, please engage a lawyer for such questions. If you feel that any of our services remain in breach, please let us know. We will continue to update our system to comply with all known laws as best we are able, and communicate key changes to you.