GDPR – A Practical Guide for SMBs All you actually need to know about GDPR with real world examples and case studies
Three Steps to make your website GDPR compliant
Whilst your website only forms a small part of your overall GDPR compliance approach, it is an important one, usually serving as the first point of contact with your users. It is important therefore that you establish a strong foundation of compliance on your website, making it easier to build your overall compliance program. This robust foundation should be formed of three key parts:
- Cookies Compliance: this should be formed of a cookies policy and a cookies consent tool.
- Data Subject Rights: ensure you have mechanisms in place for your users to exercise their data privacy rights.
- The identity and contact details of the company (and any affiliated websites or companies).
- If applicable, the identity and contact details of the Data Protection Officer (person with responsibility for data protection matters within your company).
- The purpose for processing the data and the legal basis you are relying on to collect it (there are a number of legal basis your company can rely on – see here for more detail on the legal bases for processing. )
- Where you are relying on ‘legitimate interests’ as one of your legal basis, you will need to outline what these are.
- Where you are relying on ‘consent’ as one of your legal basis, you need to inform users of their right to withdraw consent at any time
- What kind of data are you collecting and how is it being collected.
- Who will have access to the data (e.g. any other recipients or third parties).
- If applicable, the details regarding any transfer of personal data to a third country (non-EU member state) and the safeguards you are taking (e.g using Standard Contractual Clauses.)
- Details about the how you store, retain and secure the data.
- The existence of your users’ data privacy rights (e.g. information, access, rectification, erasure, portability etc.)
- The right to lodge a complaint with a supervisory authority.
- Whether the user must provide their data as part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data.
- The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences.
2. Cookies Compliance
The ePrivacy Directive requires that you obtain consent in order to gain any access to information stored in the device of a user, or to store any information on a person’s device. Hence, consent must be obtained to store a cookie on a user’s device.
GDPR subsequently defined and raised the bar for obtaining this consent by defining that the consent must be “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Cookies are usually small text files stored on a device that can store information. They serve a number of important functions including to remember a user and their previous interactions with a website such as entering details into a form or placing items in a shopping cart. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address. This is why they fall under data privacy laws
- The communications exemption
- This applies to cookies whose sole purpose is for carrying out the transmission of a communication over a network, for example if you use a load-balancing cookie to distribute network traffic across different servers
- The strictly necessary exemption
- A cookie that is exempt under this criterion must simultaneously pass two tests:
- The service is delivered over the internet
- The service must have been explicitly requested by the user, and the use of the cookie must be restricted to what is strictly necessary to provide that service.
- A cookie that is exempt under this criterion must simultaneously pass two tests:
Cookies Best Practices
Your organisation’s cookie compliance needs to speak to two regulations; GPDR & the ePrivacy Directive. Therefore, it is best practice to maintain separate cookies and privacy policies. A cookies policy is a declaration to your website users about:
- What cookies are active on your website;
- What data the cookies are tracking and for what purpose; and
- Where in the world this data is sent.
Dynamic Consent Management
It is best practice to use a dynamic consent management tool, such as Dataships’ to manage & automate your cookie compliance, users consent and your records of compliance. There are four important considerations in the implication of such a tool:
- Initial Cookie banner:
This cookie banner cannot ‘nudge’ a user into accepting cookies and if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or ‘manage cookies’ which brings them to an additional layer of information in order to allow them to do that.
- Second layer of information
- Cookie Declaration
Dataships’ cookie tool works dynamically by continuously scanning your site for cookies and surfacing these dynamically in your cookie declaration. These appear under four headings which you can manage; necessary, preference, marketing and statistics. Here you give your users additional information as to the name of the cookie, the provider, its purpose, expiry and type. Users can then make an informed decision whether to accept or reject these cookies. This ensures you are complying with the transparency articles of the GDPR (Articles 12 – 13).
The 4 most common non-compliant cookie practices are as follows:
- Banners that are easily collapsed or ignored. This means banners that pop up when a user lands on a website and which subsequently disappear when a user scrolls, without any further engagement by the user with the banner or with information about cookies.
- Banners that rely on ‘implied consent’. This means that wording in your cookie banner or notice which inform users that, “by their continued use of your website – either through clicking, using or scrolling it - that you will assume their consent to set cookies”.
- ‘Accept only’ banners. This mean a banner that merely gives the user the option to click ‘accept’ to say yes to cookies and which provides no other option – e.g. banners with buttons that read ‘ok, got it!’ or ‘I understand’.
3. Data Subject Rights
The GDPR has given the individual back decision making power over their data. Organisations are now obliged to fulfill certain rights of the consumer. These rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Below is a short guide to these rights along with how you can use the Dataships tool to not only fulfill these rights, but to automate this process saving your organisation valuable time, helping you avoid fines and most importantly build healthy data relationships with your users!
The Right to be Informed
Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’. You should provide the privacy information in a concise; transparent; intelligible; easily accessible; manner using clear and plain language.
You should regularly review and, where necessary, update your privacy information. If you plan to use personal data for a new purpose, you must update our privacy information and communicate the changes to individuals before starting any new processing.
The Dataships Privacy Centre allows you to house all your compliance materials in one place. This includes detailed information for the user from the outset on your company's privacy practices. By having a dedicated resource for privacy you are immediately communicating to the user that privacy is a priority for your company and lays a great foundation to build a healthy dataship with the individual.
The Right to Access
All individuals have the right to access and receive a copy of their personal data, this is commonly referred to as a subject access request or ‘SAR’. A subject access request can be made verbally or in writing, including on social media, as long as it is clear that the individual is asking for their own personal data. You cannot charge the individual for your response to their request.
An individual may make the request through a third party or through an online portal as long as you are satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.
If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
Dataships allows you to integrate all the tools you are currently using in your business. Using our bespoke APIs, users can then view where you hold personal data on them and fulfill their data subject rights. You are giving the user access to their information and encouraging them to manage their data relationship with you. This transparency is a great way to build trust with your users.
The Right to Rectification
Under GDPR and the UK GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed, or simply be allowed to edit their personal information. You may not charge a fee and you have one month to respond to the request.
The right to rectification can be leveraged to your company’s advantage. By bringing together all the data you hold on your users in one place and offering your users an easy-to-use tool to let them rectify their data you are encouraging them to keep their data up to date. By using the Data Access Gateway you can make this process simple for the user. Any data they change will be changed in the relevant data source meaning when you next reach out to them with an email, call or campaign, the up-to-date data will already be reflected. In addition, this ensures that any internal analysis you are conducting is using the most up to date information.
The Right to Erasure
Under GDPR and the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for.
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent.
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing.
- you are processing the personal data for direct marketing purposes and the individual objects to that processing.
- you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
There are two main scenarios where you must tell other organisations about the erasure request. Where:
- the personal data has been disclosed to others
- the personal data has been made public in an online environment (social networks, forums etc)
You must also endeavor to delete personal data from backup systems. If any backup data cannot be immediately overwritten, you must put this data ‘beyond use’ and ensure it is not used for any reason.
At Dataships, we encourage companies to integrate all the tools that you are using into our tool. This can be third party tools such as Salesforce, Hubspot or Zendesk or your own SQL, firebase or other databases. This allows companies to have a clean, structured data environment and makes responding to request easy. Furthermore, we encourage companies to make all the personal data they hold on users available to them. This has a host of benefits including automating erasure requests. When a user requests to delete their data it will also be automatically deleted from all the data sources if is found in within your organisation.
This means you don’t have to spend hours or days searching for the data and can be safe in the knowledge that the erasure request has been fulfilled. And don’t worry, you can build in rules, so you are in charge of what data is deleted and in what timeframe. But remember – unless you need the data to fulfill a legal obligation why would you want to keep it? You’re striving towards having healthy data relationships with your users and you want to hold data on those users that want you to have it!
The Right to Restrict Processing
GDPR and the UK GDPR UK gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
There are a number of different methods you can employ to restrict the processing, such as:
- temporarily moving the data to another processing system.
- making the data unavailable to users; or
- temporarily removing published data from a website.
It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).
The Right to Data Portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
As a controller you must supply any personal data that the data subject has provided to you. This may include:
- mailing address, username, age etc
- traffic or location data
- ‘raw’ data such as smart meters or wearable devices.
It doesn’t include any additional data that you have created based on the data an individual has provided to you. However, however note that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request.
This right only applies to personal data. Therefore, any data that you have anonymized or pseudonymized is excluded from scope.
To fulfill this request properly you must:
- Supply the user with a copy of their personal data and/or
- Transmit their data to another controller
- You can either directly transmit the data to the user or provide access to an automated tool that allows the user to manage and download this themselves.
- The data you provide must be structured, commonly used and machine-readable.
Through the Dataships Data Access Gateway, users can then view and manage the personal data that you hold on them. This includes our ‘data portability’ tool. By using this, your users can download all the data you hold on them across all your tools in a CSV format. This fulfills your obligation to them and allows your users to automate this request – giving you peace of mind and allowing you to focus on your business.
The Right to Object
GDPR and UK GDPR gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data. Some examples of where an individual may object to processing include:
- Direct Marketing there is rarely any grounds for which you can rely on to refuse this request. However, this doesn’t mean you have to delete the user data and in many cases it’s good practice to retain their data for the purposes of ensuring that you don’t direct market to them again.
- Legitimate Interest if the individual has objected to the processing, it is likely that under the balancing test, the individual’s interests override the legitimate interest?
You must inform the individual about the right to object at the point of first communication with them.
Hopefully this guide has gone some way to show you some quick wins for your company to make your website compliant. Given your website is the first interaction your user has with your company it's imperative that you make a good impression. A strong data privacy foundation is built upon three pillars:
2. Cookie Compliance
3. Data Subject Rights fulfillment.
All great customer relationships are built on trust and we believe that having a robust privacy program is the ideal way to show users that you respect them and take their well being seriously. The Dataships tool is designed to allow you to implement this program seamlessly. Get started today by signing up at dataships.io
If you found this article useful subscribe to your mailing list below to receive more free resources on to help you build healthy Data Relationships with your users.