The General Data Protection Regulation, which will come into effect across the EU on 25 May 2018, will have a profound effect on business systems, workflows and internal processes.
For many practices, the firm’s website is one of the primary touchpoints with new and future clients. It’s often the first point of contact, a place to introduce your team, explain your services and collect vital contact data from enquirers. Which means your website is in the front line when it comes to GDPR compliance.
The protection of citizens’ personal data is at the heart of GDPR. In this article, we’ll look at how and where websites collect data and some of the things you need to be aware of when obtaining consent to collect and use it.
Where are you collecting data?
The first thing to consider is where your contacts’ personal data is being collected.
From your “Contact Us” form, of course! Quite possibly. But is that the only place on your website where you’re collecting personal data? What about your newsletter sign-up page? What about the seminars you’re running on IHT and pension planning, which have their own booking forms? And what about your Careers page?
Once you’ve tracked down all the forms, think about other ways you might be collecting data, even if it’s only an email address.
For example, do you have a LiveChat facility, or something similar? These often allow people to give their names and email addresses. Is this information stored anywhere? Is it used for anything? And what about the email links you have for each partner on your “Meet the Team” page? If someone clicks on one of these links and sends an email then the partner will have an email address, probably a name and potentially a lot more than that. How will this information be used? Where will it be stored?
Where cookies are used to uniquely identify a device or (combined with other data) used to identify an individual, they must be treated as personal data under GDPR.
Even if you don’t go out of your way to track and report on the behaviour of your website visitors, cookies are used by web analytics systems to show you how your web pages are performing, so it’s likely that most websites will employ them. Even the numerical “IP addresses” used to identify devices connected to the internet can, in certain circumstances, be considered personal data. 1
Under GDPR, the information you provide people about how you will process their personal data must be concise, transparent, intelligible and easily accessible. It must be written in clear, plain language and it must be provided free of charge. All this seems perfectly reasonable.
The UK Information Commissioner’s Office has more advice on how to write privacy notices, including a handy checklist showing the information you need to provide in your privacy notices. 3
If you’re collecting data for different purposes (for example, sending out a monthly newsletter versus organising an IHT seminar) then you’ll need different privacy notices, each one clearly and closely linked to the corresponding page or form.
Under GDPR, consent is a key consideration.
GDPR tightens the rules on what constitutes consent. Under GDPR, consent has to be informed, freely given and specific to the use of the data. It also has to be an “unambiguous indication of the individual’s wishes”. Pre-ticked opt-in checkboxes and vague references to terms and conditions will no longer be allowed. As the ICO puts it:
“There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.” 4
Giving visitors a single tick-box to “accept the terms and conditions” will no longer be acceptable – consent has to be granular, so as to allow people to choose exactly what they do and do not give consent to.
If you’ve already collected consent under the Data Protection Act, you won’t necessarily need to refresh this, but if you are going to be relying on this consent under GDPR you have to make sure it meets the new GDPR standards of being “specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn”. 5
Checking your website against the new requirements for GDPR is, of course, just one of the things you’ll need to do over the coming months to ensure compliance, but it’s an important and very visible step towards that goal.
In future blog articles we’ll be looking at other aspects of GDPR and we’ll publish these to our Insight Hub where you can also find downloadable guides and checklists.
- See, for example, www.alstonprivacy.com/ecj-declares-ip-addresses-personal-data/ for an analysis and discussion of the European Court of Justice ruling
- For a discussion on cookies under GDPR, see: www.cookielaw.org/blog/2016/5/13/the-gdpr,-cookie-consent-and-customer-centric-privacy/
- See the ICO website ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/
- See the ICO website ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/
- See the ICO website - link 4 above