
1. Forms: Active Opt-In

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be left blank. You will need to check your forms to ensure this is the case. As an example, the current Boots registration form pre-ticks the opt-in box, forcing the user to actively opt out. Very naughty, bad user experience, and it must be changed by May.

[Image: GDPR Opt In Fail]

2. Unbundled Opt-In

The consent you are asking for should be set out separately: acceptance of the terms and conditions on one hand, and consent to other ways of using the data on the other.

In this example, Sainsbury’s clearly sets out the acceptance of their terms and conditions, and separately sets out the active opt-in for their contact permissions.

It’s a shame Sainsbury’s didn’t take the opportunity to be more granular in terms of communication opt-in preferences (email, SMS, post).
[Image: Sainsbury's granular opt-in]

3. Granular Opt-In

Users should be able to provide separate consent for different types of processing. In this example, ABC Awards are asking for specific permission for each type of processing (post, email, telephone) and also asking permission to pass details on to a third party.

[Image: GDPR granular consent example]

4. Easy to Withdraw Permission or Opt-Out

It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.

In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication:
[Image: Withdraw consent GDPR]

Or easily changing the frequency of communication, or stopping all communications entirely:

[Image: Withdraw consent frequency]

5. Named Parties

Your web forms must clearly identify each party to which consent is being granted. It isn’t enough to refer to specifically defined categories of third-party organisations; they need to be named.

In this example, you can see John Lewis understands the gist: we need to give named permissions for updates from each of Waitrose, John Lewis and John Lewis Financial Services. But it’s a shame that it is opt-out rather than opt-in.
[Image: John Lewis permissions]

6. Privacy Notice and Terms and Conditions

The Information Commissioner’s Office (ICO) has very kindly provided a sample privacy notice that you can use on your website. It is concise, transparent, and easily accessible.

You will also need to update the terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information, both on your website and in your office systems.

[Image: ICO privacy policy]
You will also need to communicate how and why you are collecting data. Your privacy policy will need to detail the applications that you are using to track user interaction.

7. Online Payments

If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details on to the payment gateway.

If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example 60 days. The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary.
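A retention purge of the kind this section describes, as an added example that is not part of the original article: stored order records keep their accounting fields but lose their personal fields once they are older than the retention period. The record shape, field names and sample orders are constructed for this example, and the 60-day period is the article's illustrative value, not a legal requirement.

```javascript
// Added example (not from the original article): strip personal fields from
// stored order records once they are older than the retention period.
// The record shape, field names and sample orders are constructed; the
// 60-day period is the article's illustrative value.

const RETENTION_DAYS = 60;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Fields that identify a person and serve no purpose once the payment
// gateway has processed the order. Order id, date and amount are kept
// because the accounts still need them.
const PERSONAL_FIELDS = ['name', 'email', 'phone', 'address', 'cardLast4'];

// Returns the same object when the record is still within the retention
// period, or a scrubbed copy (with a scrubbedAt stamp) when it is older.
function scrubIfExpired(record, now, retentionDays = RETENTION_DAYS) {
  const ageDays = (now - Date.parse(record.createdAt)) / MS_PER_DAY;
  if (Number.isNaN(ageDays)) {
    // A record with no usable timestamp must not be silently kept forever,
    // nor silently scrubbed; surface it for a human to look at.
    throw new Error(`record ${record.orderId} has no parseable createdAt`);
  }
  if (ageDays <= retentionDays) return record;
  const scrubbed = { ...record, scrubbedAt: new Date(now).toISOString() };
  for (const field of PERSONAL_FIELDS) delete scrubbed[field];
  return scrubbed;
}

// Applies the rule to a whole store. The count of changed records is what
// you would write to a retention log to show the purge actually ran.
function purgeExpiredPersonalData(records, now, retentionDays = RETENTION_DAYS) {
  let scrubbedCount = 0;
  const out = records.map((record) => {
    const result = scrubIfExpired(record, now, retentionDays);
    if (result !== record) scrubbedCount += 1;
    return result;
  });
  return { records: out, scrubbedCount };
}

// Constructed sample data: one order well past 60 days, one recent.
const SAMPLE_ORDERS = [
  { orderId: 'A100', createdAt: '2018-01-01T10:00:00Z', amount: 19.99,
    name: 'Jane Doe', email: 'jane@example.com', phone: '0123456789',
    address: '1 High St', cardLast4: '4242' },
  { orderId: 'A101', createdAt: '2018-03-20T10:00:00Z', amount: 5.0,
    name: 'John Roe', email: 'john@example.com' },
];

console.log(purgeExpiredPersonalData(SAMPLE_ORDERS, Date.parse('2018-04-01T00:00:00Z')));
```

Run it on a schedule against the real store and keep the returned `scrubbedCount` in a retention log, so the deletion itself is documented. A record whose `createdAt` cannot be parsed is rejected rather than silently kept or silently scrubbed.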

8. Third Party Tracking Software

Things now start to get tricky when it comes to third-party tracking software.

Many websites are using third-party marketing automation software on their website. These might be lead tracking applications like Lead Forensics, Leadfeeder or CANDDi, or call tracking applications like Infinity Call Tracking or Ruler Analytics.

The use of these tracking applications raises some very interesting questions in terms of GDPR compliance, and in my opinion this remains a grey area. At first glance, these applications track users in ways they would not expect and for which they have not granted consent. For example, it is tracking my behaviour each time I return to your website, or view a specific page on your site. However, the suppliers of these applications assure us they are GDPR compliant.

First, suppliers like CANDDi are advising that banners stating clearly and unambiguously that cookies are being used,

[Image: CANDDi GDPR compliance]
And the software suppliers argue that the use of cookie tracking technology is in the legitimate interest of your business as a data controller, citing specifically Recital 47, which allows for “processing for direct marketing purposes or preventing fraud.”

CANDDi advises:

Legitimate Interest - If using the legitimate interest principle within your website tracking, it is advisable to have on record during your GDPR preparation that this is the case. This should include the grounds on which you are using this.

I want to thank CANDDi for sharing their GDPR perspective, and would recommend you read it (PDF).
[Image: CANDDi GDPR Perspective]

The providers of these tools are confident that they are GDPR compliant. But if the software is doing something illegal, then it is your business’s responsibility as the Data Controller. The real question is to identify the GDPR compliance risks in using this kind of software, and to mitigate your risks as a business owner. As a result, you need to review your contracts with these software providers carefully.

9. What About Google Analytics and Google Tag Manager?

If you are interested in Google’s commitment to GDPR then a good place to start is this page: How Google complies with data protection laws.

Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so I believe GDPR does not impact on its usage.

With regard to Google Tag Manager: it’s a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services. The issue for businesses with regard to Tag Manager is to ensure you have a contract in place with the individuals who have access to your Tag Manager (which may well be your web designer or digital marketing agency), so that they understand their legal responsibilities as a data processor on your behalf as data controller.

So the underlying issue with the new GDPR is to identify your third-party data processors and have contracts in place with them to protect your own interests.

10. And Finally… It Isn’t Only Your Website That Needs to Be GDPR Compliant

The changes being introduced with GDPR will permeate your entire business; in this series of articles, we are focusing purely on your digital marketing.

As you start planning the detail of your website, you will uncover an Aladdin’s cave of issues you will need to consider.

Forms

When adding forms to your site, make sure that only essential fields are included. If you don't need to call your clients, then there's no need to include a phone number field in any contact forms. Even if you do occasionally use a phone number, consider whether it would be more prudent to stick with electronic communication, which also has the benefit of being recorded.
Opt-in

Users must be informed of, and choose to accept, actions that may include the collection of data, such as agreeing to terms and conditions or signing up to receive a newsletter. The user will need to accept the opt-ins, and a record of the agreement should be kept by the data administrator.

Under each form where such opt-ins are required, we should add an information clause that includes details such as who the data administrator is, and provide details of the privacy policy (via a link, for example). We could also include this information in confirmation emails sent after a user completes a form.

To be clear: each individual act of data collection will need to be clearly marked and consent sought. Many registration forms include a terms and conditions checkbox, but clicking it also signs the user up for the site's newsletter. Once the new regulations are active, this kind of action will no longer be permitted.

The user will instead need to explicitly give permission for each instance of data collection, so we can't attach two separate 'agreement' opt-ins, such as agreeing to terms and conditions and signing up to a newsletter, to a single checkbox. Instead, we would need to use a separate opt-in checkbox for each separate data collection, which clearly describes what the information collected will be used for.

One final note on opt-ins: the users' agreement to one or all of your data collection acts will require explicit consent; that is, they must actively choose which data collection they agree to, and click the relevant checkboxes. For this reason, no checkboxes can be pre-checked; the user must be the one to click to add their agreement before proceeding.
Granular opt-ins

If we are going to pass all or part of the data to a third party for processing, then the user must also be informed and their permission sought. The most common example of this is the collection of statistics: we collect the data, but a third party analyzes it and creates reports based on it.

Google Analytics is a perfect example of this kind of stat-driven reporting, but don't start worrying if you use this on your site; the basic configuration of Google Analytics, which most people will use, does not collect any identifying information and doesn't conflict with the GDPR, so no consent is required from the user. However, if we use something beyond the default configuration and turn on any of the following features:

• User ID
• Demographic reports
• Remarketing functions

then we must inform the user and get their consent.

A few useful links about Google Analytics:

• Google Analytics usage guidelines
• Disabling GA Cookies
• Anonymize GA tracking
Withdrawal of data or opt-out

Every individual should have the right to withdraw their consent at any time. Furthermore, the user must have the option to access their data records and make changes at any time. This seems straightforward enough, but in practice it can be a little bit tricky.

For example, if we were running an online shop selling apps, we would collect all data necessary for processing. We would also collect data about the user, such as logs detailing the last login time, IP address and whether they have downloaded any items. We may have a support desk for customers, and a forum for discussion that the customer takes part in.

If the customer should then request access to the data we have stored, we have to search the entire e-commerce system and then export all of the client-related data that we have, on request, at any time. The GDPR allows a time limit of only 30 days to complete such a request, so though with just one or two clients making the request we could viably complete the data export manually, it just wouldn't be feasible when dealing with hundreds of clients.

Unfortunately, it's currently very difficult to find a fully automated solution. Even the most common e-commerce-friendly CMSs and extensions such as WordPress, WooCommerce and Joomla! do not have a built-in way to collate such data.

However, there is some light at the end of the tunnel: GDPR regulations are subject to modification by each country in the EU, which may choose to introduce mitigating solutions. For example, in Poland, the responsibility for transferring data will be limited, applying only to companies that employ in excess of 250 people. It will also not apply to companies that are not processing potentially sensitive data; that is, data that could be used against the customer in any way.
The right to be forgotten

A user may, on request, demand the removal of any and all information that we have stored about them. Data must also be removed when it is no longer necessary for the purpose for which it was collected or processed. This doesn't just mean registration data; it encompasses all aspects of our site. If a user posted on our forum or commented on blog posts, then they will have many files, links and posts dotted around. It thus falls to the data administrator to ensure that all such information has been removed should a request to be forgotten be received.

'Removed' is the keyword here: if a request to be forgotten is made, it will not be sufficient to simply deactivate or hide a profile; the data must be deleted entirely. In addition, the regulations charge data administrators with the responsibility to ensure that the information stored by associated third parties (that is, parties to which data provided to us was passed for processing or analysis) is also deleted.
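Serving an access request and an erasure request from one registry of systems, as an added example that is not from the original article and is not a feature of WordPress, WooCommerce or Joomla!. Each store knows which field identifies the subject and which external processor, if any, received its data; `exportSubjectData` collates everything held about a person for the 30-day access request, and `eraseSubject` hard-deletes rather than deactivating and returns the third parties that must be told to delete their copies. Store names, record shapes, the helpdesk processor name and the sample rows are constructed assumptions.

```javascript
// Added example (not from the original article): one registry of the
// systems holding customer data, so that an access request (export) and an
// erasure request are served from the same place. Store names, record
// shapes, the external processor name and the sample rows are constructed.

function makeStore(name, records, subjectField, thirdPartyProcessor = null) {
  return {
    name,
    thirdPartyProcessor, // external party that also received this store's data, if any
    findBySubject: (email) => records.filter((row) => row[subjectField] === email),
    eraseSubject: (email) => {
      // Hard delete: rows are removed, not flagged inactive or hidden.
      const before = records.length;
      for (let i = records.length - 1; i >= 0; i -= 1) {
        if (records[i][subjectField] === email) records.splice(i, 1);
      }
      return before - records.length;
    },
  };
}

// Subject access request: collate everything held about one person, keyed
// by system, once their identity has been verified by the caller.
function exportSubjectData(stores, email) {
  const bundle = {};
  for (const store of stores) {
    const rows = store.findBySubject(email);
    if (rows.length > 0) bundle[store.name] = rows;
  }
  return bundle;
}

// Right to be forgotten: delete from every store, and report which third
// parties received the data and must now be asked to delete their copies.
function eraseSubject(stores, email) {
  const deleted = {};
  const processors = new Set();
  for (const store of stores) {
    const count = store.eraseSubject(email);
    if (count > 0) {
      deleted[store.name] = count;
      if (store.thirdPartyProcessor) processors.add(store.thirdPartyProcessor);
    }
  }
  return { deleted, processorsToNotify: [...processors].sort() };
}

// Constructed sample systems for a fictitious app shop.
function buildSampleStores() {
  return [
    makeStore('accounts', [
      { email: 'alice@example.com', lastLogin: '2018-02-01', lastIp: '203.0.113.7' },
      { email: 'bob@example.com', lastLogin: '2018-01-15', lastIp: '198.51.100.9' },
    ], 'email'),
    makeStore('orders', [
      { orderId: 'O1', customer: 'alice@example.com', app: 'Notes Pro' },
    ], 'customer'),
    makeStore('forum', [
      { postId: 'P7', author: 'alice@example.com', body: 'Great app' },
      { postId: 'P8', author: 'bob@example.com', body: 'Bug report' },
    ], 'author'),
    // The helpdesk is run by an assumed external processor, so erasure here
    // also means notifying them.
    makeStore('support', [
      { ticketId: 'T3', requester: 'alice@example.com', subject: 'Refund' },
    ], 'requester', 'ExampleDesk Ltd'),
  ];
}
```

The registry is the part that scales: every new plugin or system that stores subject data gets registered once, and both requests are then answered by the same two calls instead of a manual hunt through each system.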
Privacy Policy

A Privacy Policy is a document which must be included on a website, for example as a link. It should adequately inform your website visitors of what data you collect, what you use it for, who the data will be passed to (if applicable), and how the visitor can enforce the rights detailed above.

In the privacy policy you should include points similar to the following:

• Who you are; who the data administrator is.
• What information is collected (names, email addresses etc.), and what you do with it when it is processed.
• Why you collect the data; why is it necessary for your site to have this data?
• How you store the data and keep it safe and protected.
• Who you share the information with.

This is just a summary, but to actually follow these steps you need to be sure exactly what data you are collecting, as well as where and when you are doing it.

Besides the data you collect through forms, your site will also likely send cookie files, which are used to optimise the user experience with web pages, as well as to gain valuable statistical data on how users behave on your site.

For forms, you will not need consent agreements except when the form is completed and sent, as asking before this would negatively affect your site's usability. But you will need consent for any cookies you send.

We have already mentioned Google Analytics, but do you know what other elements on your site may be collecting personal data via cookies? The list can be quite extensive:

• Facebook, Twitter, Google+ or other social media buttons and plugins
• Comment systems (WP, Disqus)
• Google AdSense or AdWords
• Embedded videos from Vimeo, YouTube etc.
• Affiliate programs
• Chat software
• Support desk software such as Kayako

As well as giving users information about cookies and how they are used on your web page, you have to give users the choice to opt in, so users can decide whether they agree or not.
How to allow for opt-in with cookies

The most common way to obtain consent regarding cookies is via a cookie banner, which appears when users first arrive on your site. The ones in use on many websites today are passive, but to meet the GDPR requirements we should add agreement options covering the scope of the cookies encountered on our site.

A good way to approach this is to separate cookies into groups, with each group having its own agreement checkbox. Groups could be set up as:

• Necessary
• Preferences
• Statistics
• Marketing

Grouping like this allows users to make an informed decision about what they are willing to allow.

Users will also need to have the ability to change their minds about any of the agreements in the future, so we need to make a mechanism available that works similarly to the initial consent request.

You can see this implementation in action on this GDPR popup demo page. Notice that the comment section, which is powered by Disqus and requires a cookie that we've separated into a 'Functionality' group, does not load until the visitor confirms that they accept the functionality-related cookies. This means that even without consenting to specific cookies, users can still see your non-cookie-related content.
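A consent gate of the kind the demo page describes, as an added example that is not the demo page's own code: scripts are registered against a cookie group, only the 'necessary' group is allowed until the visitor ticks a box, withdrawal goes through the same call as granting, and `loadableScripts` returns which registered scripts may be injected under the current decision. The group names, script ids, URLs and storage key are assumptions for this example (a 'functionality' group is included for the Disqus case described above), and `memoryStorage` stands in for `window.localStorage` so the logic runs outside a browser.

```javascript
// Added example (not the demo page's code): a consent gate that groups
// cookie-setting scripts and only allows a script once its group is ticked.
// Group names, script ids, URLs and the storage key are assumptions.

const GROUPS = ['necessary', 'preferences', 'statistics', 'marketing', 'functionality'];
const STORAGE_KEY = 'cookieConsent';

// Registry of scripts and the group each one needs. Nothing outside
// 'necessary' is loaded until the visitor has actively agreed.
const SCRIPTS = [
  { id: 'session', group: 'necessary', src: '/js/session.js' },
  { id: 'ga', group: 'statistics', src: 'https://www.google-analytics.com/analytics.js' },
  { id: 'disqus', group: 'functionality', src: 'https://example.disqus.com/embed.js' },
  { id: 'adwords', group: 'marketing', src: 'https://www.googleadservices.com/pagead/conversion.js' },
];

// The state before any decision: only 'necessary' is on. This is the
// equivalent of every checkbox in the banner starting unticked.
function defaultConsent() {
  const consent = {};
  for (const group of GROUPS) consent[group] = group === 'necessary';
  return consent;
}

function loadConsent(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  return raw ? JSON.parse(raw) : { consent: defaultConsent(), decidedAt: null };
}

// Record a decision. 'necessary' cannot be switched off, anything not
// explicitly set to true stays off, and the decision is timestamped.
function recordConsent(storage, choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const group of GROUPS) {
    if (group !== 'necessary' && typeof choices[group] === 'boolean') consent[group] = choices[group];
  }
  const record = { consent, decidedAt: new Date(now).toISOString() };
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// Withdrawal goes through exactly the same path as granting consent.
function withdrawConsent(storage, group, now = Date.now()) {
  const current = loadConsent(storage).consent;
  return recordConsent(storage, { ...current, [group]: false }, now);
}

// The gate itself: ids of registered scripts the page may inject now.
function loadableScripts(storage, scripts = SCRIPTS) {
  const { consent } = loadConsent(storage);
  return scripts.filter((script) => consent[script.group] === true).map((script) => script.id);
}

// Stand-in for window.localStorage so the logic runs outside a browser.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
  };
}
```

The page would call `loadableScripts` once on load and again after every `recordConsent` or `withdrawConsent`, creating `<script>` tags only for the ids returned; the Disqus embed therefore never loads until the functionality group is ticked, while the rest of the page renders regardless.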
As well as being responsible for providing information about our own activities, it also falls to the data administrators of our site to ensure that any third-party companies that we use on our site to collect data have a reasonable safety policy, as we take responsibility for any data collected through our site regardless of who is doing the collecting.

We should be careful to only sign data-processing agreements with above-board, reliable companies that can give a sufficient guarantee that they will treat the data appropriately, with all the necessary procedures and protections in their data processing to meet GDPR rules and protect the rights of our users.
To summarize

The points discussed above cover only a few fairly broad points directly regarding your website and GDPR regulations. Besides the direct requirements discussed earlier, you will also have to prepare yourself in other ways, such as:

• Preparing a registry for personal data processing.
• Authorizing and training co-workers or other staff who have access to the data.
• Creating records of any violations of personal data processing regulations.
• Preparing a risk and consequence analysis for data processing procedures.

Working on this can be a daunting prospect, and there truly are a huge number of things that must be done to ensure that the GDPR requirements are met. However, if you're serious about continuing to have a site presence online, then the fact is that we must implement solutions to meet the regulations. As an added bonus, your customers will appreciate that you take full responsibility for protecting their data, making them all the more willing to work with you!

If security and GDPR compliance are big concerns for your website, then Publii may be just the site-building tool you need. With it you can start building a super-fast static site that's near hacker-proof and GDPR-compliant, all from the comfort and safety of your desktop.

What Rights Do Data Subjects Have Under GDPR?

As explained by the ICO, data subjects have the following rights concerning their personal data:

• Information
• Access
• Rectification
• Erasure
• Restrictions on processing
• Data portability
• Objection
• Revision of automated decisions or profiling

[Image: GDPR data subject rights]

The GDPR refers a lot to data processing. This simply refers to any operation that is performed on personal data – collection, storage, amendment, deletion etc.

What Will Your Business Have to Do to Comply With GDPR?

1. Audit your personal data

Find out what personal data you process, detailed below.

2. Document everything

Write down your policies and procedures for handling personal data. This is part of demonstrating your compliance with the regulation.

You’ll need a plan for what to do in the case of:

Subject access requests
Individuals may request access to, updating of or deletion of their personal data. How will you verify their identity and fulfil the request?

Data security
Detail what you are doing to keep personal data safe. This might involve techniques like encryption, anonymization and access control.

Data breaches
Any personal data breaches which would significantly harm individuals must be reported within 72 hours to the “relevant supervisory authority”. In the UK that’s the ICO. If the breach is serious enough, you’ll also need to tell the individuals affected.

3. Inform your audience

Create or update your privacy statement to explain what personal data you collect and what it is used for in a brief and readable way.

[Image: Happytables privacy policy summary]

Don’t just copy and paste one; make sure that it is tailored to your business and the data you hold.

4. Identify a legal basis for all your personal data processing activities

All personal data processing must have a legal justification. More about this later.

5. Consider having a DPO

A Data Protection Officer (DPO) is responsible for all data protection activities. A DPO could be within an organisation or externally appointed.

Discovering the Personal Data Your Business Collects

Find out:

• Who do you hold data on?
• What personal data is collected? Is any of it sensitive?
• What file types are used?
• Where is it stored – locally, on a web server, in the cloud?
• Do any third parties handle the data? Which ones? Where are they based?
• If the data was initially collected and stored within the EU, is it transferred outwith the EU at any time? (Non-EU transfer is permitted only if the personal data has adequate safeguards. If data is transferred to the USA, the relevant framework for data transfers is the Privacy Shield.)
• How long is the data stored for?
• Is it secured in any way?
• Are subjects notified about what data is held and what it is used for when you collect it?

Personal data lurks in a lot of places! If you’re anything like me, you will use a lot of tools.

Here are some places to search:

• Live websites, development and staging sites with:
  - WordPress plugins that collect and store personal information
  - WordPress users – especially on BuddyPress and bbPress installations
  - Native WordPress comments or other commenting software
  - WordPress ecommerce solutions e.g. WooCommerce
• Files – documents, spreadsheets, databases, PDFs
• Storage and backups: computers, portable drives, USB sticks, DVDs, online
• Cloud storage: Dropbox, Google Drive, Amazon S3
• Intranets
• Email and email attachments
• CRM systems
• Email marketing software: MailChimp and similar
• Social media: check for your “address book”
• Messaging apps e.g. Slack, Facebook Messenger, Intercom
• Productivity apps e.g. Zapier, Trello
• Booking software e.g. Eventbrite, Calendly
• And don’t forget that paper records count as well as electronic ones!

Third Party Processing

Check the privacy policies and/or supplier agreements of any third parties you use. Find out what their plans to comply with the GDPR are. If you don’t get satisfactory answers, hunt for alternative suppliers.

For example, MailChimp has blogged about their GDPR compliance process.

WordPress Plugins That Collect Personal Data

Look for ways to minimize the collection of personal information. Adopt a Privacy by Design approach.

Avoid creating forms like this, asking for a lot of data without making it clear what it’s used for.

[Image: A “greedy form” with many fields]

If you’re a plugin developer, build in options to let site owners choose what they want to collect and store, and the option to delete data. Make sure that when the plugin is removed, all the data is purged.

Implement access via WordPress user roles: subscribers shouldn’t be allowed to view form data, for example.
Now, a look at some specific plugins.

1. Akismet

I contacted the developers behind Akismet and asked what happens to personal data when it checks WordPress comments for spam.

Chris from Automattic replied:

“We’re working on getting into full compliance with GDPR by the time it goes into effect early next year.”

(We can infer that this applies to Jetpack and WooCommerce as well.)

He continued:

“The only information sent to Akismet when a comment is tested for spam is information that the commenter provided: their name, email address, site URL, and comment (plus other non-personal information like the current time, etc.). This information is not transferred to any non-Akismet servers, but we cannot guarantee in which country it will be processed. To that end, we have signed model contract clauses with our Irish subsidiary that cover the transfer of data in and out of the EU for processing.”

German users may wish to use the Akismet Privacy Policies plugin to provide a warning that comment data may be sent to the USA. (No English translation as yet.)

2. Contact forms

Watch for form plugins that store personal data in the WordPress database. As you shouldn’t keep personal data for longer than required, the ideal situation is to delete it when it’s no longer needed.

The Wider Gravity Forms Stop Entries plugin blocks storage of Gravity Forms entries.

Ninja Forms has a setting to not store form entries. You need to enable it for each form.

[Image: Ninja Forms storage turned off]

Also, check for any forms which automatically opt users into marketing messages via pre-ticked checkboxes.

3. “Email This Page” Plugins

Print, PDF, Email by Print Friendly collects user-submitted email addresses. The developers have made a clear commitment to protecting personal data: Print, PDF, Email Privacy & Data

4. Giveaway Plugins

Plugins like KingSumo run giveaways. Entrants are added to a list of email subscribers.
What about cookies?

Cookies are covered under the ePrivacy regulation, separate from GDPR. Its implementation date was supposed to coincide with GDPR, but it will likely be delayed as it’s still in draft.

The ePrivacy regulation distinguishes between first-party cookies, served by your domain, and third-party cookies, e.g. from Google Analytics and some social sharing plugins.

It may be that browser settings will be used as a form of user consent for third-party cookies, but this is something we’ll have to keep an eye on.

Finding a Legal Basis for Your Personal Data Processing

There are 6 main grounds for the legal processing of personal data. At least one condition must be met.

Two of them are unlikely to apply to those working with the Web – vital interests and public function.

That leaves the following:

1. Necessary for performance of a contract

Activities like collecting payment information from a supplier are covered by this principle.

2. Legal obligation

For example, UK businesses are required by law to keep expenses records for 5 years after the 31 January submission deadline of their tax return.

3. Consent

This is a key processing criterion for most businesses. If no other legal basis applies you will need to seek consent for your personal data processing.

Consent must be:

Given freely – no-one should be tricked or coerced into supplying their personal data.

Explicit – if you want to add email addresses from a contact form to a mailing list as well, you can’t use a pre-ticked checkbox automatically opting them in.

[Image: A booking form with auto-completed checkbox]

This relates to:

Specific and separate – if there are multiple processing purposes, consent must be asked for separately for each one. For the KingSumo plugin mentioned earlier, there should ideally be 2 checkboxes:

• Yes to entering the competition under its terms and conditions.
• Yes to receiving email marketing.

Named – state your organisation name and any others that will be processing the data.

Able to be withdrawn at any time – if someone wants to opt out later, you must allow them to. You should make it easy to do this.

You need to record:

• What someone has consented to.
• When they consented.
• How they did it.
• What they were told about how their information would be used.
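One way to build a form that meets the active, unbundled, granular and named opt-in rules from the first article and also captures the four items to record listed above, as an added example that is not from either article. `auditForm` flags pre-ticked boxes, boxes that bundle purposes, unnamed parties and optional purposes marked as required; `handleSubmission` turns a posted form into one consent record per ticked box. The form id, field names, label wording and organisation names are constructed for this example.

```javascript
// Added example (not from either article): a sign-up form with one checkbox
// per purpose, a lint for the opt-in rules, and a handler that records what
// was agreed, when, how and with what wording. The form id, field names,
// label text and organisation names are constructed.

// Each checkbox covers exactly one purpose, starts unticked, and names every
// party that will act on the consent.
const SIGNUP_FORM = {
  id: 'signup-v3',
  fields: [
    { name: 'accept_terms', purposes: ['terms'], required: true, checked: false,
      label: 'I accept the terms and conditions of Example Shop Ltd',
      parties: ['Example Shop Ltd'] },
    { name: 'marketing_email', purposes: ['marketing_email'], required: false, checked: false,
      label: 'Email me offers from Example Shop Ltd',
      parties: ['Example Shop Ltd'] },
    { name: 'marketing_sms', purposes: ['marketing_sms'], required: false, checked: false,
      label: 'Text me offers from Example Shop Ltd',
      parties: ['Example Shop Ltd'] },
    { name: 'share_partner', purposes: ['share_with_partner'], required: false, checked: false,
      label: 'Pass my details to Example Finance Ltd so they can email me their offers',
      parties: ['Example Shop Ltd', 'Example Finance Ltd'] },
  ],
};

// Lint a form definition against the opt-in rules: no pre-ticked boxes, no
// bundled purposes, every party named, nothing optional made mandatory.
function auditForm(form) {
  const problems = [];
  for (const field of form.fields) {
    if (field.checked) problems.push(`${field.name}: pre-ticked`);
    if (field.purposes.length > 1) problems.push(`${field.name}: bundles ${field.purposes.join(' + ')}`);
    if (!field.parties || field.parties.length === 0) problems.push(`${field.name}: no named party`);
    if (field.required && !field.purposes.includes('terms')) problems.push(`${field.name}: optional purpose marked required`);
  }
  return problems;
}

// Browsers omit unticked checkboxes from a POST body, so a field is treated
// as consented only when it arrives with the value 'on'; nothing is assumed.
function handleSubmission(form, body, meta) {
  const ticked = (name) => body[name] === 'on';
  const missing = form.fields.filter((f) => f.required && !ticked(f.name)).map((f) => f.name);
  if (missing.length > 0) return { ok: false, missing, records: [] };
  const records = form.fields
    .filter((f) => ticked(f.name))
    .map((f) => ({
      subject: body.email,
      purposes: f.purposes,   // what they consented to
      parties: f.parties,     // whom the consent was granted to
      wording: f.label,       // what they were told
      formId: form.id,        // how: which form and version
      source: meta.source,    // how: the channel, e.g. 'web-form'
      consentedAt: meta.now,  // when
    }));
  return { ok: true, missing: [], records };
}
```

The records carry the exact wording that was shown, keyed to the form version, which is what you would produce if asked to prove what a subscriber agreed to; running `auditForm` in a test suite catches a pre-ticked or bundled box before the form ships.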
Does consent run out?

There is no minimum time that consent lasts – it depends on the context.

What about previously gained consent?

Many of us have email lists with subscribers who have opted in for marketing information.

You can keep your existing subscriber data if you can prove that it was obtained under the same provisions as in the GDPR.

The obvious way to do this is to ask your email subscribers for marketing consent again, but beware: Flybe and Honda were fined for doing just that!

Communicator has a helpful table for dealing with legacy email lists.
4. Legitimate interests

Data processing is allowed on the basis of the legitimate interests of the business, provided that they do not override the rights of the individual.

Using this basis for your data processing means that you must:

• Document your assessment of your interests vs those affected
• State in your privacy policy that you are using legitimate interests as your legal condition for data processing
• Allow individuals to object to this type of data processing

For example, you might use a security plugin that logs visitors’ IP addresses. After an assessment of interests, you decide that this data collection is justified on the basis of legitimate interests. You state in your privacy policy that you collect the IP addresses of visitors to your website for the purposes of protecting your website from hacking attempts.

What Next?

Once you’ve done your audit and identified your legal basis for processing personal data:

If there’s any personal data you no longer need, delete it.

British pub chain Wetherspoons recently decided to delete their entire customer email database:

“We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”

Do a risk assessment on what personal data you have left, identify any high-risk data and take steps to protect it.

Run a Privacy Impact Assessment on any future or past projects involving personal data collection.

In Summary

Understanding and adhering to the GDPR is a challenge, but it’s one we can rise to. Higher data protection standards benefit us all.

Start your preparations now. Use the following resources for guidance:

• Data Protection Network
• ICO: Data protection reform
• General Data Protection Regulation – Isle of Man Information Commissioner
• Guide to the General Data Protection Regulation
• Virtual Session: GDPR without the Hype
• GDPR: How to create best practice privacy notices (with examples)
• When and how shall a privacy impact assessment be run?
