A Practical Guide to GDPR
GDPR – A Practical Guide for SMBs
All you actually need to know about GDPR, with real-world examples and case studies
Introduction
Whilst your website only forms a small part of your overall GDPR compliance approach, it is an important one, usually serving as the first point of contact with your users. It is important therefore that you establish a strong foundation of compliance on your website, making it easier to build your overall compliance program. This robust foundation should be formed of three key parts:
Your website must have a comprehensive privacy policy which outlines your company’s data practices. A privacy policy (also regularly referred to as a privacy notice) is a public document that explains how your company processes personal data and how it applies data protection principles. If you are collecting data directly from someone, you have to provide them with your privacy policy at the moment you do so. Generally, a privacy policy should be provided in written form and is typically supplied electronically.
Rule of thumb: every company that maintains a website should publish its privacy policy there, and it should be accessible via a direct link from every webpage.
In addition, if your website collects any personal data online, the privacy policy (or a link to it) should be provided on the same page where the data collection occurs.
What does a compliant privacy policy contain?
Having a transparent privacy policy plays a key role in building trust with your users.
Cookie regulation is governed by two laws: the EU ePrivacy Directive and the GDPR. These laws are separate but complement each other, and organisations must comply with both. When you are considering your use of cookies and other tracking technologies, the ePrivacy Directive should be your first port of call.
The ePrivacy Directive requires that you obtain consent in order to gain any access to information stored in the device of a user, or to store any information on a person’s device. Hence, consent must be obtained to store a cookie on a user’s device.
The GDPR subsequently raised the bar for obtaining this consent by defining it as a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Cookies are small text files stored on a user’s device. They serve a number of important functions, including remembering a user and their previous interactions with a website, such as entering details into a form or placing items in a shopping cart. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier or an email address. This is why they fall under data privacy laws.
There are two exemptions where you do not need to obtain consent from the user to use cookies. These are:
Best practice for cookie compliance consists of two parts: a cookies policy (separate from your privacy policy) and a dynamic cookie management platform.
Your organisation’s cookie compliance needs to speak to two regulations: the GDPR and the ePrivacy Directive. Therefore, it is best practice to maintain separate cookies and privacy policies. A cookies policy is a declaration to your website users about:
It is best practice to use a dynamic consent management tool, such as Dataships’, to manage and automate your cookie compliance, user consent and your records of compliance. There are four important considerations in the implementation of such a tool:
We recommend implementing a non-intrusive cookie banner at the bottom of the user’s screen. This banner should contain a first layer of information about the use of cookies and should link to your Privacy Centre to provide further information:
This cookie banner cannot ‘nudge’ a user into accepting cookies and if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or ‘manage cookies’ which brings them to an additional layer of information in order to allow them to do that.
This second layer should provide further details about the categories of cookies being used. Consent does not need to be given for each cookie, but it must be given for each purpose for which cookies are used. These categories must not contain pre-checked boxes signaling ‘consent’ for the use of cookies or be ‘toggled on’. The second layer should also contain a link to your ‘cookie declaration’ detailing all the cookies that are used by your site & for what purpose.
Dataships’ cookie tool works dynamically by continuously scanning your site for cookies and surfacing them in your cookie declaration. These appear under four headings which you can manage: necessary, preference, marketing and statistics. Here you give your users additional information on the name of each cookie, its provider, purpose, expiry and type. Users can then make an informed decision whether to accept or reject these cookies. This ensures you are complying with the transparency articles of the GDPR (Articles 12 – 13).
If you store a record that a user has given consent to the use of cookies, you should ask the user to reaffirm their consent no longer than six months after you have stored this consent state.
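The consent-state rules described above (consent per purpose, nothing pre-checked, equal accept and reject paths, and reaffirmation within six months) as an added JavaScript example; this is not Dataships’ code or any part of their tool. It assumes a single first-party consent record kept as a plain object (standing in for a cookie or localStorage entry) and uses a 180-day window as the "no longer than six months" limit.

```javascript
// Added example (not Dataships' code): consent-state logic behind a two-layer
// cookie banner. Assumed storage: one first-party record kept as a plain
// object, standing in for a cookie or localStorage entry.
const CATEGORIES = ['necessary', 'preference', 'marketing', 'statistics'];
// Assumption: 180 days keeps the reaffirmation inside "no longer than six months".
const REAFFIRM_MS = 180 * 24 * 60 * 60 * 1000;

// What the second layer shows before any choice: nothing pre-checked except
// 'necessary', which is exempt from consent and cannot be toggled off.
function defaultConsent() {
  return { necessary: true, preference: false, marketing: false, statistics: false };
}

// Record only what the user explicitly ticked. Unknown purposes are dropped,
// untouched purposes stay false (no implied consent), 'necessary' stays true.
function recordConsent(choices, now = Date.now()) {
  const granted = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== 'necessary' && choices[c] === true) granted[c] = true;
  }
  return { granted, recordedAt: now };
}

// 'Reject' and 'Accept' are peers: both produce a dated record via the same path,
// so a rejection is remembered rather than re-prompted on every page.
function rejectAll(now = Date.now()) { return recordConsent({}, now); }
function acceptAll(now = Date.now()) {
  return recordConsent({ preference: true, marketing: true, statistics: true }, now);
}

// Effective consent from a stored record. Missing, malformed, future-dated or
// stale (older than the reaffirmation window) records fall back to the defaults
// and signal that the banner must be shown again.
function effectiveConsent(record, now = Date.now()) {
  const invalid = !record || typeof record.recordedAt !== 'number'
    || !record.granted || now < record.recordedAt
    || now - record.recordedAt > REAFFIRM_MS;
  if (invalid) return { granted: defaultConsent(), showBanner: true };
  const granted = defaultConsent();
  for (const c of CATEGORIES) if (record.granted[c] === true) granted[c] = true;
  return { granted, showBanner: false };
}

// Gate every cookie write on its purpose; an unknown purpose has no consent basis.
function mayUseCookie(category, record, now = Date.now()) {
  if (!CATEGORIES.includes(category)) return false;
  return effectiveConsent(record, now).granted[category] === true;
}
```

Wire the banner's buttons to rejectAll / acceptAll / recordConsent, persist the returned record, and call mayUseCookie before every non-necessary cookie is set.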
The 4 most common non-compliant cookie practices are as follows:
The GDPR has given the individual back decision making power over their data. Organisations are now obliged to fulfill certain rights of the consumer. These rights are:
Below is a short guide to these rights along with how you can use the Dataships tool to not only fulfill these rights, but to automate this process saving your organisation valuable time, helping you avoid fines and most importantly build healthy data relationships with your users!
Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’. You should provide the privacy information in a concise, transparent, intelligible and easily accessible manner, using clear and plain language.
You should regularly review and, where necessary, update your privacy information. If you plan to use personal data for a new purpose, you must update your privacy information and communicate the changes to individuals before starting any new processing.
The Dataships Privacy Centre allows you to house all your compliance materials in one place. This includes detailed information for the user from the outset on your company's privacy practices. By having a dedicated resource for privacy you are immediately communicating to the user that privacy is a priority for your company, and laying a great foundation to build a healthy dataship with the individual.
All individuals have the right to access and receive a copy of their personal data; this is commonly referred to as a subject access request or ‘SAR’. A subject access request can be made verbally or in writing, including on social media, as long as it is clear that the individual is asking for their own personal data. You cannot charge the individual for your response to their request.
An individual may make the request through a third party or through an online portal as long as you are satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.
If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
Dataships allows you to integrate all the tools you are currently using in your business. Using our bespoke APIs, users can then view where you hold personal data on them and fulfill their data subject rights. You are giving the user access to their information and encouraging them to manage their data relationship with you. This transparency is a great way to build trust with your users.
Under GDPR and the UK GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed, or simply be allowed to edit their personal information. You may not charge a fee and you have one month to respond to the request.
The right to rectification can be leveraged to your company’s advantage. By bringing together all the data you hold on your users in one place and offering your users an easy-to-use tool to let them rectify their data you are encouraging them to keep their data up to date. By using the Data Access Gateway you can make this process simple for the user. Any data they change will be changed in the relevant data source meaning when you next reach out to them with an email, call or campaign, the up-to-date data will already be reflected. In addition, this ensures that any internal analysis you are conducting is using the most up to date information.
Under GDPR and the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.
Individuals have the right to have their personal data erased if:
There are two main scenarios where you must tell other organisations about the erasure request. Where:
You must also endeavor to delete personal data from backup systems. If any backup data cannot be immediately overwritten, you must put this data ‘beyond use’ and ensure it is not used for any reason.
At Dataships, we encourage companies to integrate all the tools they are using into our tool. These can be third-party tools such as Salesforce, HubSpot or Zendesk, or your own SQL, Firebase or other databases. This allows companies to have a clean, structured data environment and makes responding to requests easy. Furthermore, we encourage companies to make all the personal data they hold on users available to them. This has a host of benefits, including automating erasure requests. When a user requests to delete their data, it will also be automatically deleted from every data source in which it is found within your organisation.
This means you don’t have to spend hours or days searching for the data and can be safe in the knowledge that the erasure request has been fulfilled. And don’t worry, you can build in rules, so you are in charge of what data is deleted and in what timeframe. But remember – unless you need the data to fulfill a legal obligation why would you want to keep it? You’re striving towards having healthy data relationships with your users and you want to hold data on those users that want you to have it!
GDPR and the UK GDPR give individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
There are a number of different methods you can employ to restrict the processing, such as:
It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
As a controller you must supply any personal data that the data subject has provided to you. This may include:
It doesn’t include any additional data that you have created based on the data an individual has provided to you. Note, however, that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request.
This right only applies to personal data. Therefore, any data that you have anonymized or pseudonymized is excluded from scope.
To fulfill this request properly you must:
Through the Dataships Data Access Gateway, users can then view and manage the personal data that you hold on them. This includes our ‘data portability’ tool. By using this, your users can download all the data you hold on them across all your tools in a CSV format. This fulfills your obligation to them and allows your users to automate this request – giving you peace of mind and allowing you to focus on your business.
GDPR and the UK GDPR give individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data. Some examples of where an individual may object to processing include:
You must inform the individual about the right to object at the point of first communication with them.
Hopefully this guide has gone some way to showing you some quick wins for making your company’s website compliant. Given that your website is the first interaction your user has with your company, it's imperative that you make a good impression. A strong data privacy foundation is built upon three pillars:
1. A Privacy Policy
2. Cookie Compliance
3. Data Subject Rights fulfillment.
All great customer relationships are built on trust, and we believe that having a robust privacy program is the ideal way to show users that you respect them and take their well-being seriously. The Dataships tool is designed to allow you to implement this program seamlessly. Get started today by signing up at dataships.io
If you found this article useful, subscribe to our mailing list below to receive more free resources to help you build healthy data relationships with your users.