GDPR Measures On Website
2. Unbundled Opt-In
The consent you ask for must be set out separately from acceptance of your terms and conditions: agreeing to a contract is one act, and consenting to other uses of personal data is another, so neither may be bundled into the other.
In this example, Sainsbury’s clearly sets out acceptance of its terms and conditions, and separately sets out an active opt-in for its contact permissions.
It’s a shame Sainsbury’s didn’t take the opportunity to be more granular about communication opt-in preferences (email, SMS, post).
3. Granular Opt-In
Users should be able to provide separate
consent for different types of processing.
In this example, ABC Awards asks for specific permission for each type of processing (post, email, telephone) and separately asks permission to pass details on to a third party.
4. Easy to Withdraw
Permission or Opt-Out
It must be just as easy to remove consent as it
was to grant it, and individuals always need to
know they have the right to withdraw their
consent.
In terms of your web user experience, this means an unsubscribe page that lets the individual selectively withdraw consent to specific streams of communication, rather than offering only an all-or-nothing unsubscribe.
5. Named Parties
Your web forms must clearly identify each party for which consent is being granted. It isn’t enough to refer to categories of third-party organisation, however precisely they are defined; the organisations must be named.
In this example, John Lewis has grasped the point: it asks for named permission for updates from each of Waitrose, John Lewis and John Lewis Financial Services.
But it’s a shame that it is opt-out rather than opt-in.
7. Online Payments
If you are an e-commerce business, then you
are likely to be using a payment gateway for
financial transactions. Your own website may
be collecting personal data before passing the
details onto the payment gateway.
If this is the case, and your website is keeping those personal details after they have been passed along, then you will need to change your web processes so that the information is removed after a reasonable period, for example 60 days. The GDPR does not name a number of days; it is your own judgement what can be defended as reasonable and necessary for the purpose (handling refunds and disputes, say). Better still, keep the payment data itself off your server altogether by using the gateway’s hosted payment page or hosted fields, so that what remains with you is only the order and contact details you actually need.
Forms
When adding forms to your site, include only the fields you genuinely need. If you never need to call your clients, there is no reason to include a phone number field in a contact form. Even if you do occasionally use a phone number, consider whether it would be more prudent to stick to electronic communication, which has the added benefit of leaving a record.
Opt-in
Users must be informed of, and actively choose to accept, actions that involve the collection of their data, such as agreeing to terms and conditions or signing up to receive a newsletter. The user must accept each opt-in, and a record of the agreement (what was agreed, when, and which version of the notice they saw) should be kept by the data administrator (the GDPR’s “data controller”).
Under each form where such opt-ins are required,
we should add an information clause that includes
details such as who is the data administrator, and
provide details on the privacy policy (via a link, for
example). We could also include this information in
confirmation emails sent after a user completes a
form.
To be clear: each individual act of data collection must be clearly marked and consent sought for it. Many registration forms include a terms and conditions checkbox which, when ticked, also signs the user up for the site’s newsletter. Once the new regulations are active this kind of bundling will no longer be permitted.
The user will instead need to explicitly give
permission for each instance of data collection, so
we can't add two separate 'agreement' opt-ins to a
single checkbox, such as agreeing to terms and
conditions and signing up to a newsletter. Instead,
we would need to use a separate opt-in checkbox for
each separate data collection, which clearly
describes what the information collected will be
used for.
One final note on opt-ins: the user’s agreement to any of your data collection acts requires explicit consent; that is, they must actively choose which collection they agree to and tick the relevant checkboxes. For this reason no checkbox may be pre-ticked; the user must be the one to tick it before proceeding, and a form submitted with the box left blank must be treated as a refusal.
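The following is an added example, not code from the original page or from any of the products it mentions, showing how the opt-in rules above and the “Easy to Withdraw” point earlier translate into a server-side handler: terms acceptance is a separate field from consent, each channel is its own opt-in, a missing or unticked box is recorded as a refusal, a bundled “agree to all” field is rejected, every decision is appended to a consent log with a timestamp and the notice version, and withdrawal is a single call per purpose. The field names, the PURPOSES list and the NOTICE_VERSION are assumptions made for this illustration.

```javascript
// Added example (not from the original page): server-side handling of an
// unbundled, granular consent form, with per-purpose withdrawal. Field names,
// PURPOSES and NOTICE_VERSION are assumptions made for this illustration.

const TERMS_FIELD = 'accept_terms';        // contractual acceptance, kept apart from consent
const PURPOSES = ['email', 'sms', 'post']; // one opt-in checkbox per channel
const NOTICE_VERSION = '2018-05-25';       // which privacy notice the visitor saw

// Browsers only send a checkbox field when it is ticked, so an absent field
// means "not ticked". A pre-ticked box would still arrive as "on", which is
// why the markup must never default a consent box to checked.
function isTicked(value) {
  return value === 'on' || value === '1' || value === 'true';
}

// Validate a submitted form body (field -> string) and build one consent
// record per purpose. Terms must be accepted; every purpose defaults to "no".
function processSignupForm(body, { subjectId, now = new Date(), ip = null } = {}) {
  if (!isTicked(body[TERMS_FIELD])) {
    throw new Error('terms and conditions must be accepted explicitly');
  }
  // A consent field we did not declare (e.g. a bundled "agree to all") is rejected.
  const unknown = Object.keys(body)
    .filter(k => k.startsWith('consent_'))
    .filter(k => !PURPOSES.includes(k.slice('consent_'.length)));
  if (unknown.length > 0) {
    throw new Error('undeclared consent field(s): ' + unknown.join(', '));
  }
  return PURPOSES.map(purpose => ({
    subjectId,
    purpose,
    granted: isTicked(body['consent_' + purpose]),
    at: now.toISOString(),
    noticeVersion: NOTICE_VERSION,
    source: 'signup-form',
    ip,                                    // evidence of who consented, if you log it
  }));
}

// Append-only consent log: the latest record per (subject, purpose) is the
// current state, and the history shows when consent was given or withdrawn.
class ConsentStore {
  constructor() {
    this.records = [];
  }

  save(records) {
    this.records.push(...records);
  }

  latest(subjectId, purpose) {
    const matching = this.records.filter(r => r.subjectId === subjectId && r.purpose === purpose);
    return matching.length > 0 ? matching[matching.length - 1] : null;
  }

  // The one question a mailer must ask before sending anything.
  hasConsent(subjectId, purpose) {
    const r = this.latest(subjectId, purpose);
    return r !== null && r.granted === true;
  }

  // Withdrawal is one call per purpose, as easy as granting it.
  // Returns false when there was nothing to withdraw.
  withdraw(subjectId, purpose, { now = new Date(), source = 'preferences-page' } = {}) {
    if (!this.hasConsent(subjectId, purpose)) return false;
    this.records.push({
      subjectId, purpose, granted: false, at: now.toISOString(),
      noticeVersion: NOTICE_VERSION, source, ip: null,
    });
    return true;
  }
}

// Constructed submission: terms ticked, email ticked, SMS and post left blank.
const store = new ConsentStore();
store.save(processSignupForm(
  { accept_terms: 'on', consent_email: 'on' },
  { subjectId: 'u42', now: new Date('2018-05-25T10:00:00Z') }
));
store.withdraw('u42', 'email');   // later, from the preferences page
```

Because the log is append-only, the record answers the question a regulator will ask (“when, and under which notice, did this person agree?”), and the mailer only ever consults the latest entry per purpose.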
Granular opt-ins
If we are going to pass all or part of the data to a third party for processing, then the user must also be informed and their permission sought. The most common example of this is the collection of statistics: we collect the data, but a third party analyses it and produces reports.
Google Analytics is the obvious example of this kind of stat-driven reporting. Be careful with the common claim that its default configuration collects nothing identifying: out of the box it sets a client-identifier cookie (_ga) and receives the visitor’s full IP address, and an IP address is personal data under the GDPR. Turning on IP anonymisation (which truncates the address before it is stored) and accepting Google’s data-processing terms reduce the risk, but analytics cookies are not strictly necessary to deliver the site, so the safer course is to treat them as requiring consent. The following features go further, because they are designed to identify or profile the visitor, so they certainly require informed consent:
• User ID
• Demographic reports
• Remarketing functions
A few useful links about Google analytics:
• Google Analytics usage guidelines
• Disabling GA Cookies
• Anonymize GA tracking
Withdrawal of data or opt-out
Every individual should have the right to withdraw
their consent at any time. Furthermore, the user must
have the option to access their data records and
make changes at any time. This seems
straightforward enough, but in practice it can be a
little bit tricky.
For example; if we were running an online shop
selling apps, we would collect all data necessary for
processing. We would also collect data about the
user, such as logs detailing the last login time, IP
address and whether they have downloaded any
items. We may have a support desk for customers,
and a forum for discussion that the customer takes
part in.
If the customer then requests access to the data we hold, we have to pull together every part of the e-commerce system (shop, logs, support desk, forum) and export all of the client-related data, on request, at any time. The GDPR allows one month from receipt to complete such a request (Article 12(3); this can be extended by a further two months only for complex or numerous requests, and the customer must be told). With one or two requests we could viably do the export by hand, but that wouldn’t be feasible with hundreds of clients.
Unfortunately, it’s currently very difficult to find a fully automated solution. Even the most common e-commerce-friendly CMSs and extensions, such as WordPress, WooCommerce and Joomla!, do not have a built-in way to collate such data. (WordPress core has since added “Export Personal Data” and “Erase Personal Data” tools, from version 4.9.6, but each plugin has to register its own data with them before they cover it.)
There is some light at the end of the tunnel, but less than is sometimes claimed. The GDPR leaves member states room to adapt a few of its provisions, and the Polish draft implementing law, for example, proposed limiting some information duties to companies employing more than 250 people and excluding companies that do not process potentially sensitive data (data that could be used against the customer). Be careful, though: the 250-employee threshold in the Regulation itself only relieves small organisations of the duty to keep records of processing activities (Article 30(5)), and even that relief falls away where the processing is not occasional or involves sensitive data. The rights of access, portability and erasure apply to every controller regardless of size, so a small shop still has to be able to export and delete a customer’s data.
The right to be forgotten
A user may, on request, demand the removal of any and all information we hold about them. Data must also be removed when it is no longer necessary for the purpose for which it was collected or processed. This doesn’t just mean registration data; it covers every part of our site. If a user posted on our forum or commented on blog posts, they will have files, links and posts dotted around. It therefore falls to the data administrator to ensure that all such information is removed when a request to be forgotten is received.
'Removed' is the keyword here: if a request to be forgotten is made, it is not enough to deactivate or hide a profile; the data must be deleted entirely (or irreversibly anonymised where a record must be kept for another legal reason, such as an invoice). In addition, the regulations make data administrators responsible for ensuring that information held by associated third parties (parties to which data provided to us was passed for processing or analysis) is also deleted, so each such processor has to be told.
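The access-request problem described under “Withdrawal of data or opt-out” and the erasure problem described here have the same root: you can only export or delete everything if you already know every place personal data lives. The following is an added example, not code from the original page or from any CMS it names, of a “data map” that drives all three housekeeping jobs from one registry: an access-request export with its one-month deadline, an erasure that really deletes rows everywhere and reports which processors must be told, and a retention sweep of the kind the Online Payments section calls for. The store names, field names, retention periods, processor names and sample rows are all constructed for the illustration.

```javascript
// Added example (not from the original page): a "data map" of every store
// holding personal data, used to answer an access request (export), an
// erasure request (delete, not deactivate, and tell processors) and to purge
// records past their retention period. Store names, fields, retention periods
// and processor names are constructed for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

// Every place personal data lives, with: the field holding the subject id,
// how long rows are kept (null = for the life of the account), the timestamp
// field used for retention, and any third-party processor holding a copy.
function makeDataMap(t) {
  return [
    { name: 'accounts',        rows: t.accounts,        key: 'id',       retentionDays: null, processor: null },
    { name: 'checkoutDetails', rows: t.checkoutDetails, key: 'userId',   retentionDays: 60,   tsField: 'at', processor: 'PaymentGateway' },
    { name: 'loginLog',        rows: t.loginLog,        key: 'userId',   retentionDays: 90,   tsField: 'at', processor: null },
    { name: 'tickets',         rows: t.tickets,         key: 'userId',   retentionDays: null, processor: 'HelpdeskSaaS' },
    { name: 'forumPosts',      rows: t.forumPosts,      key: 'authorId', retentionDays: null, processor: null },
  ];
}

// Access request: collate everything held about one subject, with the
// statutory deadline (one month from receipt) recorded alongside it.
function exportSubject(dataMap, subjectId, requestedAt = new Date()) {
  const data = {};
  for (const store of dataMap) {
    data[store.name] = store.rows.filter(row => row[store.key] === subjectId);
  }
  const dueBy = new Date(requestedAt.getTime());
  dueBy.setUTCMonth(dueBy.getUTCMonth() + 1);
  return { subjectId, requestedAt: requestedAt.toISOString(), dueBy: dueBy.toISOString(), data };
}

// Splice in place so the caller's table really loses the rows.
function removeWhere(rows, predicate) {
  let removed = 0;
  for (let i = rows.length - 1; i >= 0; i--) {
    if (predicate(rows[i])) { rows.splice(i, 1); removed++; }
  }
  return removed;
}

// Erasure request: delete rows everywhere, not just the profile, and return
// the processors that must now be instructed to delete their copies.
// (Where a row must be kept for another legal reason, e.g. an invoice,
// anonymise it instead of deleting it; that branch is omitted here.)
function eraseSubject(dataMap, subjectId) {
  const removed = {};
  const processorsToNotify = [];
  for (const store of dataMap) {
    removed[store.name] = removeWhere(store.rows, row => row[store.key] === subjectId);
    if (removed[store.name] > 0 && store.processor && !processorsToNotify.includes(store.processor)) {
      processorsToNotify.push(store.processor);
    }
  }
  return { removed, processorsToNotify };
}

// Retention sweep: drop rows older than the store's retention period.
function purgeExpired(dataMap, now = new Date()) {
  const purged = {};
  for (const store of dataMap) {
    if (store.retentionDays === null) continue;
    const cutoff = now.getTime() - store.retentionDays * DAY_MS;
    purged[store.name] = removeWhere(store.rows, row => Date.parse(row[store.tsField]) < cutoff);
  }
  return purged;
}

// Constructed sample tables (the IP is from the documentation range).
function sampleTables() {
  return {
    accounts: [{ id: 'u1', email: 'ann@example.com' }, { id: 'u2', email: 'bob@example.com' }],
    checkoutDetails: [
      { userId: 'u1', cardholder: 'Ann Example', at: '2018-01-05T09:00:00Z' },
      { userId: 'u2', cardholder: 'Bob Example', at: '2018-05-20T09:00:00Z' },
    ],
    loginLog: [
      { userId: 'u1', ip: '203.0.113.7', at: '2018-05-24T08:00:00Z' },
      { userId: 'u1', ip: '203.0.113.7', at: '2018-01-01T08:00:00Z' },
    ],
    tickets: [{ userId: 'u1', subject: 'Download failed' }],
    forumPosts: [{ authorId: 'u1', body: 'Hello' }, { authorId: 'u2', body: 'Hi' }],
  };
}
```

Run nightly, purgeExpired keeps the checkout details to their 60-day window and the login log to 90 days; an erasure of ‘u1’ on the sample data removes rows from all five stores and names PaymentGateway and HelpdeskSaaS as the processors still holding copies. The registry itself is also the start of the “registry for personal data processing” mentioned in the summary below: adding a store to the map is the moment to decide its retention period and processor.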
Privacy Policy
A Privacy Policy is a document which must be
included on a website; for example, as a link. It
should adequately inform your website visitors of
what data you collect, what you use it for, who the
data will be passed to (if applicable), and how the
visitor can enforce their rights detailed above.
In the privacy policy you should include points
similar to the following:
• Who you are; who is the data administrator.
• What information is collected (names, email
addresses etc...), and what you do with it when
it is processed.
• Why you collect the data; why is it necessary for
your site to have this data?
• How you store the data and keep it safe and
protected.
• Who you share the information with.
This is just a summary, but to actually follow these
steps you need to be sure exactly what data you are
collecting, as well as where and when you are doing
it.
Besides the data you collect through forms, your site will also likely set cookies, used to optimise the user experience and to gather statistical data on how users behave on your site.
For forms, consent is gathered at the point where the form is completed and sent; asking for it before the visitor has even started would hurt your site’s usability. Cookies are different: they are set as soon as the page loads, so consent for any non-essential cookie has to be obtained before it is set.
We have already mentioned Google Analytics, but
do you know what other elements on your site may
be collecting personal data via cookies? The list can
be quite extensive:
• Facebook, Twitter, Google+ or other social media
buttons and plugins
• Comment system (WP, Disqus)
• Google Adsense or Adwords
• Embedded videos from Vimeo, Youtube etc...
• Affiliate programs
• Chat software
• Support desk software such as Kayako
As well as giving users information about cookies
and how they are used on your webpage, you have to
give users the choice to opt-in, so users can decide if
they agree or not.
How to allow for opt-in with cookies
The most common way to obtain consent regarding cookies is via a cookie banner, which appears when users first arrive on your site. The ones in use on many websites today are passive (a notice that cookies are in use, with no real choice), but to meet the GDPR requirements we should add agreement options covering the scope of the cookies encountered on our site.
A good way to approach this is to separate cookies
into groups, with each group having its own
agreement checkboxes. Groups could be set up as:
• Necessary
• Preferences
• Statistics
• Marketing
Grouping like this allows users to make an informed
decision about what they are willing to allow.
Users will also need to have the ability to change
their minds about any of the agreements in the
future, so we need to make a mechanism available
that works similarly to the initial consent request.
You can see this implementation in action on this GDPR popup demo page. Notice that the comment section, which is powered by Disqus and requires a cookie that we’ve placed in a 'Functionality' group, does not load until the visitor confirms that they accept functionality-related cookies. This means that even without consenting to specific cookies, users can still see all of your non-cookie-related content.
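The following is an added example, not code from the original page or its demo, of the consent gate the last few paragraphs describe: cookies are grouped under the four headings above, nothing outside the ‘necessary’ group runs until its box has been ticked, the decision is persisted so it can be changed later from a preferences page, and withdrawing a group runs a clearer that expires that group’s cookies. Storage and the per-group loaders are injected so the logic runs in Node as well as in a browser (where you would pass window.localStorage and functions that insert the Disqus or Google Analytics script tags). The storage key and the GA property ID are placeholders; the window['ga-disable-<ID>'] flag is the documented analytics.js opt-out and _ga/_gid are the cookies analytics.js sets.

```javascript
// Added example (not from the original page): consent gate for grouped cookies.
// Storage and per-group loaders/clearers are injected so the logic runs
// outside a browser. Group names follow the list in the text above.

const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];
const STORAGE_KEY = 'cookie-consent-v1';   // assumed key; bump it when the groups change

class ConsentGate {
  // storage:  { getItem(key), setItem(key, value) }  (localStorage has this shape)
  // loaders:  { [group]: () => void }  run once when a group becomes allowed
  // clearers: { [group]: () => void }  run when a previously allowed group is withdrawn
  constructor(storage, loaders = {}, clearers = {}) {
    this.storage = storage;
    this.loaders = loaders;
    this.clearers = clearers;
    this.loaded = new Set();
    this.choices = this.readChoices();   // null until the visitor has decided
  }

  readChoices() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      return JSON.parse(raw);
    } catch (e) {
      return null;   // a corrupt value counts as "no decision yet"
    }
  }

  // The banner must be shown whenever no decision is on record.
  needsDecision() {
    return this.choices === null;
  }

  // Strictly necessary cookies never need consent; every other group is off
  // until the visitor has explicitly ticked it.
  isAllowed(group) {
    if (group === 'necessary') return true;
    return Boolean(this.choices && this.choices[group] === true);
  }

  // On page load: run the loaders for groups already consented to, and
  // report whether the banner is still needed.
  start() {
    for (const group of CATEGORIES) {
      if (this.isAllowed(group)) this.load(group);
    }
    return this.needsDecision();
  }

  load(group) {
    if (this.loaded.has(group)) return;
    this.loaded.add(group);
    if (this.loaders[group]) this.loaders[group]();
  }

  // Record a decision from the banner or the preferences page. `selection`
  // holds only the boxes the visitor ticked (true); anything missing is a
  // refusal, so an unticked box can never count as consent.
  decide(selection, now = new Date()) {
    const previous = this.choices || {};
    const next = {};
    for (const group of CATEGORIES) {
      next[group] = group === 'necessary' ? true : selection[group] === true;
    }
    this.choices = next;
    this.storage.setItem(STORAGE_KEY, JSON.stringify({ ...next, decidedAt: now.toISOString() }));
    for (const group of CATEGORIES) {
      if (next[group]) {
        this.load(group);
      } else if (previous[group] === true) {
        // Withdrawal: a script already running cannot be unloaded, so the
        // clearer must at least expire its cookies and switch it off.
        this.loaded.delete(group);
        if (this.clearers[group]) this.clearers[group]();
      }
    }
    return next;
  }
}

// Browser helper: expire a cookie by re-setting it with a past date. Pass the
// same domain the third party used, or the browser will not match it. No-op in Node.
function expireCookie(name, domain) {
  if (typeof document === 'undefined') return;
  document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/' +
    (domain ? '; domain=' + domain : '');
}

// Wiring for the "statistics" group. GA_ID is an assumed property ID.
const GA_ID = 'UA-XXXXXXX-Y';
const loaders = {
  statistics: () => {
    if (typeof window === 'undefined') return;
    window['ga-disable-' + GA_ID] = false;
    // here: insert the analytics.js <script> and call ga('set', 'anonymizeIp', true)
  },
};
const clearers = {
  statistics: () => {
    if (typeof window !== 'undefined') window['ga-disable-' + GA_ID] = true;
    ['_ga', '_gid'].forEach(name => expireCookie(name));
  },
};

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}
```

In a page you would call `new ConsentGate(window.localStorage, loaders, clearers).start()` at the top of the document and show the banner when it returns true; the preferences page calls `decide()` again with the new selection. The point worth remembering is that withdrawal is weaker than refusal: a script that has already run may have set cookies on a domain you do not control, so the clearer has to know what to expire, and for the stubborn cases a page reload after `decide()` is the honest fix.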
As well as being responsible for providing information about our own activities, it also falls to us as data administrators to ensure that any third-party company we use on our site to collect data has adequate safeguards, as we take responsibility for any data collected through our site regardless of who is doing the collecting.
We should be careful to sign data-processing agreements only with reputable, reliable companies that can give sufficient guarantees that they will treat the data appropriately, with all the necessary procedures and protections in their data processing to meet the GDPR rules and protect the rights of our users.
To summarize
The points discussed above cover only a few fairly broad points directly concerning your website and the GDPR regulations. Besides the direct requirements discussed earlier, you will also have to prepare yourself in other ways, such as:
• Preparing a registry for personal data processing.
• Authorizing and training co-workers or other staff
who have access to the data.
• Creating records of any violations of personal data
processing regulations.
• Preparing a risk and consequence analysis for data
processing procedures.
Working on this can be a daunting prospect, and there truly are a huge number of things that must be done to ensure that the GDPR requirements are met. However, if you’re serious about continuing to have a site presence online, then the fact is that we must implement solutions to meet the regulations. As an added bonus, your customers will appreciate that you take full responsibility for protecting their data, making them all the more willing to work with you!
If security and GDPR-compliance are big concerns
for your website, then Publii may be just the site-
building tool you need. With it you can start building
a super-fast static site that's near hacker-proof and
GDPR-compliant, all from the comfort and safety of
your desktop.
2. Contact forms
Watch for form plugins that store
personal data in the WordPress database.
As you shouldn’t keep personal data for
longer than required, the ideal situation is
to delete it when it’s no longer needed.
The Wider Gravity Forms Stop Entries
plugin blocks storage of Gravity Forms
entries.
Ninja Forms have a setting to not store
form entries. You need to enable it for
each form.
Ninja Forms storage turned off
Also, check for any forms which
automatically opt users into marketing
messages via pre-ticked checkboxes.
3. “Email This Page” Plugins
Print, PDF, Email by Print Friendly
collects user-submitted email addresses.
The developers have made a clear
commitment to protecting personal data:
Print, PDF, Email Privacy & Data
4. Giveaway Plugins
Plugins like KingSumo run giveaways.
Entrants are added to a list of email
subscribers.
What about cookies?
Cookies are covered by the ePrivacy rules, separate from the GDPR. Today that means the ePrivacy Directive (2002/58/EC, the “cookie law”) as implemented nationally, for example PECR in the UK; the ePrivacy Regulation intended to replace it was supposed to arrive alongside the GDPR, but it is still in draft and will likely be delayed.
The draft regulation distinguishes between first-party cookies, served by your domain, and third-party cookies, e.g. from Google Analytics and some social sharing plugins.
It may be that browser settings will be
used as a form of user consent for third-
party cookies, but this is something we’ll
have to keep an eye on.
What Next?
Once you’ve done your audit and
identified your legal basis for processing
personal data:
If there’s any personal data you no longer
need, delete it.
British pub chain Wetherspoons recently
decided to delete their entire customer
email database:
We felt, on balance, that we would rather
not hold even email addresses for
customers. The less customer
information we have, which now is almost
none, then the less risk associated with
data.
Do a risk assessment on what personal
data you have left, identify any high-risk
data and take steps to protect it.
Run a Privacy Impact Assessment on any
future or past projects involving personal
data collection.
In Summary
Understanding and adhering to the GDPR
is a challenge, but it’s one we can rise to.
Higher data protection standards benefit
us all.
Start your preparations now. Use the
following resources for guidance:
• Data Protection Network
• ICO: Data protection reform
• General Data Protection Regulation –
Isle of Man Information Commissioner
• Guide to the General Data Protection
Regulation
• Virtual Session: GDPR without the Hype
• GDPR: How to create best practice
privacy notices (with examples)
When and how shall a privacy impact
assessment be run?