Introduction

Whilst your website only forms a small part of your overall GDPR compliance approach, it is an important one, usually serving as the first point of contact with your users. It is important therefore that you establish a strong foundation of compliance on your website, making it easier to build your overall compliance program. This robust foundation should be formed of three key parts:

1. Privacy Policy: publish a comprehensive privacy policy on your website which outlines your company’s data practices.
2. Cookies Compliance: this should be formed of a cookies policy and a cookies consent tool.
3. Data Subject Rights: ensure you have mechanisms in place for your users to exercise their data privacy rights.

1. Privacy Policy

Your website must have a comprehensive privacy policy which outlines the your company’s data practices. A privacy policy (also regularly referred to as a privacy notice) is a public document that explains how your company processes personal data and how it applies data protection principles. If you are collecting data directly from someone, you have to provide them with your privacy policy at the moment you do so. Generally, a privacy policy should be provided in written form and is typically supplied electronically.

Rule of thumb = every company that maintains a website should publish their privacy policy there and it should be accessible via a direct link from every webpage.

In addition, if your website collects any personal data online, the privacy policy (or a link to it) should be provided on the same page where the data collection occurs.

What does a compliant privacy policy contain?

1. The identity and contact details of the company (and any affiliated websites or companies). 

2. If applicable, the identity and contact details of the Data Protection Officer (person with responsibility for data protection matters within your company).
   
3. The purpose for processing the data and the legal basis you are relying on to collect it (there are a number of legal basis your company can rely on – see here for more detail on the legal bases for processing. )
   1. Where you are relying on ‘legitimate interests’ as one of your legal basis, you will need to outline what these are.
   2. Where you are relying on ‘consent’ as one of your legal basis, you need to inform users of their right to withdraw consent at any time 
      
      
4. What kind of data are you collecting and how is it being collected.
   
   
5. Who will have access to the data (e.g. any other recipients or third parties).
   
   
6. If applicable, the details regarding any transfer of personal data to a third country (non-EU member state) and the safeguards you are taking (e.g using Standard Contractual Clauses.)
   
7. Details about the how you store, retain and secure the data. 
   
   
8. The existence of your users’ data privacy rights (e.g. information, access, rectification, erasure, portability etc.)
   
   
9. The right to lodge a complaint with a supervisory authority.
   
10. Whether the user must provide their data as part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data.
    
11. The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences.
    
12. The process for notifying users and visitors of changes or updates to the privacy policy.
    
13. Effective date of the privacy policy.

Having a transparent privacy policy plays a key role in build trusting with your users.

2. Cookies Compliance

Cookies regulation is governed by two laws; the EU ePrivacy Directive and the GDPR. These legislations are separate but complement each other and organisations must comply with both. When you are considering your use of cookies and other tracking technologies, the ePrivacy Directive should be your first port of call.

The ePrivacy Directive requires that you obtain consent in order to gain any access to information stored in the device of a user, or to store any information on a person’s device. Hence, consent must be obtained to store a cookie on a user’s device.

GDPR subsequently defined and raised the bar for obtaining this consent by defining that the consent must be “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Cookies are usually small text files stored on a device that can store information. They serve a number of important functions including to remember a user and their previous interactions with a website such as entering details into a form or placing items in a shopping cart. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address. This is why they fall under data privacy laws

There are two exemptions where you do not need to obtain consent from the user to use cookies. These are:

1. The communications exemption
   • This applies to cookies whose sole purpose is for carrying out the transmission of a communication over a network, for example if you use a load-balancing cookie to distribute network traffic across different servers

2. The strictly necessary exemption
   • A cookie that is exempt under this criterion must simultaneously pass two tests:
     1. The service is delivered over the internet
     2. The service must have been explicitly requested by the user, and the use of the cookie must be restricted to what is strictly necessary to provide that service.

Cookies Best Practices 

Best Practice for cookies compliance is formed of two parts; a cookies policy (separate to your privacy policy) and a dynamic cookie management platform.

Cookies Policy

Your organisation’s cookie compliance needs to speak to two regulations; GPDR & the ePrivacy Directive. Therefore, it is best practice to maintain separate cookies and privacy policies. A cookies policy is a declaration to your website users about:

• What cookies are active on your website;
• What data the cookies are tracking and for what purpose; and
• Where in the world this data is sent.

Dynamic Consent Management

It is best practice to use a dynamic consent management tool, such as Dataships’ to manage & automate your cookie compliance, users consent and your records of compliance. There are four important considerations in the implication of such a tool: 

1. Initial Cookie banner:

We recommend implementing a non-intrusive cookie banner at the bottom of the user’s screen. This banner should contain a first layer of information about the use of cookies and should link to your Privacy Centre to provide further information:

This cookie banner cannot ‘nudge’ a user into accepting cookies and if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or ‘manage cookies’ which brings them to an additional layer of information in order to allow them to do that.

2. Second layer of information

This second layer should provide further details about the categories of cookies being used. Consent does not need to be given for each cookie, but it must be given for each purpose for which cookies are used. These categories must not contain pre-checked boxes signaling ‘consent’ for the use of cookies or be ‘toggled on’. The second layer should also contain a link to your ‘cookie declaration’ detailing all the cookies that are used by your site & for what purpose.

3. Cookie Declaration

Dataships’ cookie tool works dynamically by continuously scanning your site for cookies and surfacing these dynamically in your cookie declaration. These appear under four headings which you can manage; necessary, preference, marketing and statistics. Here you give your users additional information as to the name of the cookie, the provider, its purpose, expiry and type. Users can then make an informed decision whether to accept or reject these cookies. This ensures you are complying with the transparency articles of the GDPR (Articles 12 – 13).

4. Duration

If you store a record that a user has given consent to the use of cookies, you should ask the user to reaffirm their consent no longer than six months after you have stored this consent state.

Common Mistakes

The 4 most common non-compliant cookie practices are as follows:

1. Banners that are easily collapsed or ignored. This means banners that pop up when a user lands on a website and which subsequently disappear when a user scrolls, without any further engagement by the user with the banner or with information about cookies.
   
   
2. Banners that rely on ‘implied consent’. This means that wording in your cookie banner or notice which inform users that, “by their continued use of your website – either through clicking, using or scrolling it - that you will assume their consent to set cookies”.

3. ‘Accept only’ banners. This mean a banner that merely gives the user the option to click ‘accept’ to say yes to cookies and which provides no other option – e.g. banners with buttons that read ‘ok, got it!’ or ‘I understand’.
   
   
4. Pre-checked boxes. This means using a cookies consent tool that has pre-checked boxes, sliders or other tools set to ‘ON’ by default to signal a user’s consent to the use of cookies.
   
   

3. Data Subject Rights

The GDPR has given the individual back decision making power over their data. Organisations are now obliged to fulfill certain rights of the consumer. These rights are:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

Below is a short guide to these rights along with how you can use the Dataships tool to not only fulfill these rights, but to automate this process saving your organisation valuable time, helping you avoid fines and most importantly build healthy data relationships with your users!

The Right to be Informed

Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’. You should provide the privacy information in a concise; transparent; intelligible; easily accessible; manner using clear and plain language.

You should regularly review and, where necessary, update your privacy information. If you plan to use personal data for a new purpose, you must update our privacy information and communicate the changes to individuals before starting any new processing.

The Dataships Privacy Centre allows you to house all your compliance materials in one place. This includes detailed information for the user from the outset on your company's privacy practices. By having a dedicated resource for privacy you are immediately communicating to the user that privacy is a priority for your company and lays a great foundation to build a healthy dataship with the individual. 

The Right to Access

All individuals have the right to access and receive a copy of their personal data, this is commonly referred to as a subject access request or ‘SAR’. A subject access request can be made verbally or in writing, including on social media, as long as it is clear that the individual is asking for their own personal data. You cannot charge the individual for your response to their request.

An individual may make the request through a third party or through an online portal as long as you are satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.

If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.

Dataships allows you to integrate all the tools you are currently using in your business. Using our bespoke APIs, users can then view where you hold personal data on them and fulfill their data subject rights. You are giving the user access to their information and encouraging them to manage their data relationship with you. This transparency is a great way to build trust with your users. 

The Right to Rectification

Under GDPR and the UK GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed, or simply be allowed to edit their personal information. You may not charge a fee and you have one month to respond to the request.

The right to rectification can be leveraged to your company’s advantage. By bringing together all the data you hold on your users in one place and offering your users an easy-to-use tool to let them rectify their data you are encouraging them to keep their data up to date. By using the Data Access Gateway you can make this process simple for the user. Any data they change will be changed in the relevant data source meaning when you next reach out to them with an email, call or campaign, the up-to-date data will already be reflected. In addition, this ensures that any internal analysis you are conducting is using the most up to date information.

The Right to Erasure

Under GDPR and the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.

Individuals have the right to have their personal data erased if:

• the personal data is no longer necessary for the purpose which you originally collected or processed it for.
• you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent.
• you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing.
• you are processing the personal data for direct marketing purposes and the individual objects to that processing.
• you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);

There are two main scenarios where you must tell other organisations about the erasure request. Where:

• the personal data has been disclosed to others
• the personal data has been made public in an online environment (social networks, forums etc)

You must also endeavor to delete personal data from backup systems. If any backup data cannot be immediately overwritten, you must put this data ‘beyond use’ and ensure it is not used for any reason.

At Dataships, we encourage companies to integrate all the tools that you are using into our tool. This can be third party tools such as Salesforce, Hubspot or Zendesk or your own SQL, firebase or other databases. This allows companies to have a clean, structured data environment and makes responding to request easy. Furthermore, we encourage companies to make all the personal data they hold on users available to them. This has a host of benefits including automating erasure requests. When a user requests to delete their data it will also be automatically deleted from all the data sources if is found in within your organisation.

This means you don’t have to spend hours or days searching for the data and can be safe in the knowledge that the erasure request has been fulfilled. And don’t worry, you can build in rules, so you are in charge of what data is deleted and in what timeframe. But remember – unless you need the data to fulfill a legal obligation why would you want to keep it? You’re striving towards having healthy data relationships with your users and you want to hold data on those users that want you to have it!

The Right to Restrict Processing

GDPR and the UK GDPR UK gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

There are a number of different methods you can employ to restrict the processing, such as:

• temporarily moving the data to another processing system.
• making the data unavailable to users; or
• temporarily removing published data from a website.

It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).

The Right to Data Portability

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

As a controller you must supply any personal data that the data subject has provided to you. This may include:

• mailing address, username, age etc
• traffic or location data
• ‘raw’ data such as smart meters or wearable devices.

It doesn’t include any additional data that you have created based on the data an individual has provided to you. However, however note that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request.

This right only applies to personal data. Therefore, any data that you have anonymized or pseudonymized is excluded from scope.

To fulfill this request properly you must:

• Supply the user with a copy of their personal data and/or
• Transmit their data to another controller
• You can either directly transmit the data to the user or provide access to an automated tool that allows the user to manage and download this themselves.
• The data you provide must be structured, commonly used and machine-readable.

Through the Dataships Data Access Gateway, users can then view and manage the personal data that you hold on them. This includes our ‘data portability’ tool. By using this, your users can download all the data you hold on them across all your tools in a CSV format. This fulfills your obligation to them and allows your users to automate this request – giving you peace of mind and allowing you to focus on your business.

The Right to Object

GDPR and UK GDPR gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data. Some examples of where an individual may object to processing include:

• Direct Marketing there is rarely any grounds for which you can rely on to refuse this request. However, this doesn’t mean you have to delete the user data and in many cases it’s good practice to retain their data for the purposes of ensuring that you don’t direct market to them again.
• Legitimate Interest if the individual has objected to the processing, it is likely that under the balancing test, the individual’s interests override the legitimate interest?

You must inform the individual about the right to object at the point of first communication with them.

Conclusion

Hopefully this guide has gone some way to show you some quick wins for your company to make your website compliant. Given your website is the first interaction your user has with your company it's imperative that you make a good impression. A strong data privacy foundation is built upon three pillars:

1. A Privacy Policy

2. Cookie Compliance

3. Data Subject Rights fulfillment. 

All great customer relationships are built on trust and we believe that having a robust privacy program is the ideal way to show users that you respect them and take their well being seriously. The Dataships tool is designed to allow you to implement this program seamlessly. Get started today by signing up at dataships.io

If you found this article useful subscribe to your mailing list below to receive more free resources on to help you build healthy Data Relationships with your users.