Web Design

Is your website compliant with the requirements of GDPR due to come in effect in May 2018? Here are 10 changes you should make to your website now to stay on the right side of the law, and to keep your customers happy.

First things first: the General Data Protection Regulation (GDPR) comes into effect on 25 May. Be sure to start by reading our general overview of GDPR and its impact on digital marketing.

In this post, I want to cover specifically the narrow area of how to make your website GDPR compliant, and make recommendations for the specific changes you will need to be making.

GDPR will have a huge impact on website design, which will have a ripple effect on how your website integrates with your other digital activity like email marketing, social media, and e-commerce activities.

The golden thread that ties together all of these recommendations is that under the GDPR, the concept of consent being given freely, specific and informed is being strengthened, with new rules, which means businesses like ours need to provide more transparency.

Here are 10 steps you will want to review for your website, and discuss necessary changes with your web development team. Any questions, feel free to get in touch with me.

Let’s start with the straightforward changes that you will need to be making, and then move on to the more complex areas.

1. Forms: Active Opt-In

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.

As an example, the current Boots registration form pre-ticks the opt-in box, forcing the user to actively opt-out. Very naughty, bad user experience, and must be changed by May.

GDPR Opt In Fail

2. Unbundled Opt-In

The consent you are asking for should be set out separately for accepting terms and conditions, and acceptance of consent for other ways of using data.

In this example, Sainsbury’s clearly set out the acceptance of their terms and conditions, and separately set out the active opt-in for their contact permissions.

It’s a shame Sainsbury’s didn’t get the option to be more granular in terms of communication opt-in preferences (email, SMS, post).

sainsburys granular opt in

 

3. Granular Opt-In

Users should be able to provide separate consent for different types of processing.

In this example, ABC Awards are asking for specific permission for each type of processing (post, email, telephone) and also asking permission to past details onto a third party.

4. Easy to Withdraw Permission or Opt-Out

It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.

In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication:

Withdaw consent GDPR

 

Or easily change the frequency of communication, or stop all communications entirely:

withraw consent frequency

5. Named Parties

Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to say specifically defined categories of third-party organisations. They need to be named.

In this example, you can see John Lewis understands the gist that we need to give named permissions for updates each from Waitrose, John Lewis, and John Lewis Financial Services.

But it’s a shame that it is opt-out rather than opt-in.

john lewis permissions

6. Privacy Notice and Terms and Conditions

The Information Commissioner’s Office (ICO) has very kindly provided a sample privacy notice that you can use on your website. It is concise, transparent, and easily accessible.

You will also need to update your terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information both on your website and also by your office systems.

You will also need to communicate how and why you are collecting data. Your privacy policy will need to detail applications that you are using to track user interaction.

7. Online Payments

If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway.

If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days, it is your own judgement as to what can be defended as reasonable and necessary.

8. Third Party Tracking Software

Things now start to get tricky when it comes to third-party tracking software.

Many websites are using third-party marketing automation software solutions on their website. These might be lead tracking applications like Lead Forensics, Leadfeeder or CANDDI. Or they could be call tracking applications like Infinity Call Tracking or Ruler Analytics.

The use of these tracking applications raise some very interesting questions in terms of GDPR compliance, and in my opinion, this remains a grey area.  At first glance, these applications track users in ways they would not expect and for which they have not granted consent.  For example, it is tracking my behaviour each time I return to your website, or view a specific page on your site.

However, the suppliers of these applications assure us they are GDPR compliant.

First, the suppliers like CANNDI are advising that banners stating clearly and unambiguously that cookies are being used,

CANNDI GDPR compliance

And, the software suppliers argue that the use of cookie tracking technology is in the legitimate interest of your business as a data controller, and specifically Recital 47 allowing for “processing for direct marketing purposes or preventing fraud.”

CANNDI advises:

Legitimate​ ​Interest​ ​-​ ​If using the legitimate interest principle within your website tracking it is advisable to have on record during your GDPR preparation that this is the case. This should include the grounds on which you are using this.

I want to thank CANNDI for sharing their GDPR perspective, and would recommend you read it (PDF.)

CANNDIO GDPR Perspective

 

The providers of these tools are confident that they are GDPR compliant. But if the software is doing something illegal, then it is your business’ responsibility as the Data Controller. The real question is to identify the GDPR compliance risks in using this kind of software, and to mitigate your risks as a business owner. As a result, you need to review your contract with these software providers carefully.

9. What About Google Analytics and Google Tag Manager?

If you are interested in Google’s commitment to GDPR then a good place to start is this website:  How Google complies with data protection laws

Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so I believe GDPR does not impact on its usage.

With regards to Google Tag Manager; it’s a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services. The issue for businesses with regards to Tag Manager is to ensure you have a contract in place with the individuals that have access to your Tag Manager (which may well be your web designer, or digital marketing agency) to ensure they understand their legal responsibilities as a data processor on your behalf as data controller.

So, the underlying issue with the new GDPR  is to identify and have in place contracts with your third-party data processors to protect both your own interests.

10. And Finally… It Isn’t Only Your Website That Needs to Be GDPR Compliant

The changes being introduced with GDPR will permeate your entire business, and in this series of articles, we are focusing purely on your digital marketing.

As you start planning the detail of your website, you will uncover an Aladdin’s cave of issues you will need to consider. The Information Commissioner has provided an excellent set of resources for your reference, but here are a few key questions to be considering now as we approach the May deadline:

  • You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
  • Do you need to either gain or refresh consent for the data you hold?
  • Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
  • Is your data being held securely, keeping in mind both technology and the human factors in data security?
  • Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?

112 responses to “How to Make Your Website GDPR Compliant”

  1. Faye Brown says:

    Do we need to make sure our website has an ssl certificate in order to be GDPR compliant?

    • Susan Hallam MBE Susan Hallam MBE says:

      Great question, Faye!
      Having an SSL certificate means your website is using HTTPS send data over an encrypted connection which is really good and a first step towards compliance. But the real issue is how secure is the data being stored in the database itself, and is the database encrypted.
      If your website is not transmitting any personal information then this isn’t an issue. But almost all websites do: customer enquiry forms, email signups, and other types of interactions. You need to be asking yourself where is this data stored and how are you securing it.
      Irrespective of GDPR, you should have SSL implemented on your site. It gives people confidence in your site, and is a Google ranking factor.
      Here is an article for you to read
      https://www.hallaminternet.com/google-https-ssl-ranking-factor/

      • Rob Davis says:

        Free SSL / https certificates are available from letsencrypt.org (No catches and unlimited duration, but make sure you renew when it asks you to (every 3 months I think). I use these myself and have no financial or otherwise interest, just thought it would be helpful.

        This is a industry community initiative supported by well known names – visit https://letsencrypt.org/

        Paid ssl / https certificates are still available from vendors as before and the potential benefits can include some form of insurance regarding the certificate which I am not sure is worthwhile for smaller sites. Another benefit is the name of the organisation next to the padlock in the address bar which can reinforce confidence of the user in the site. Again not necessarily essential as not all sites use this added feature, even some large ones just have the basic https / ssl.

        Regarding storage of the data and databases, this is possible. You can do this on your server or ask your hosting or administrators.

    • Kitty says:

      Many thanks for this great article!
      I have two questions:
      1) COOKIES: I’ve read that you need an active consent to cookies (for example to use remarketing), and messages like “by using this site you agree to cookies” are no longer enough. How will that be solved in practice, does every site need a banner at the beginning where users have to agree to cookies first ?!

      2) CONTRACTS: As a digital marketing freelancer, it seems I have to sign a contract with my clients if they grant me access to their CMS. And that they have to put my name in their privacy statement before “outsourcing” anything to me. Is this correct ?

      I hope someone can help, as I feel GDPR will make it very hard for me as a freelancer that clients will outsource work to me 🙁

      • Susan Hallam MBE Susan Hallam MBE says:

        Hi Kitty
        What we all need to keep in mind is that there is not yet any case law regarding the GDPR requirements, so it is impossible at this point to answer questions with any real certainty.
        That said, my view in a nutshell is a click to confirm acceptance of cookies has to be the surest way to ensure you comply, but I don’t really believe it is absolutely necessary
        Here is what the ICO say here
        https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/

        1. Cookies:
        The ICO put it this way, and what will be interesting in the concept of acceptable “implied consent.”

        What counts as consent?
        To be valid, consent must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

        Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If you are relying on implied consent, you need to be confident that your users fully understand that their actions will result in cookies being set. However, in some circumstances (for example, collecting sensitive personal data such as health details) it is likely that explicit opt-in consent is more appropriate.

        This means you are unlikely to need consent for:

        – cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
        – session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
        -load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.

        However, it is still good practice to provide users with information about these cookies, even if you do not need consent.

        CONTRACTS

        And yes, as a freelancer you are going to need to have a legal agreement is you are processing your clients’ data, and clearly a CMS is full of personal data..

        More information here:
        https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

        On the other hand, I do not believe they will have to name you in their Privacy Policy, no, but that may be something you need to get advice on.

  2. Steph Savill says:

    This is great thank you. Our challenge is that we sell an online lifetime membership subscription to women including monthly e-newsletters. If she (or her husband who may share the same e-address) unsubscribes to the newsletter in question, we effectively lose her within The Club. Our newsletter software doesn’t offer a warning facility here and we’re not able to do this as a second transaction. Still looking at options to maintain her membership record in these circumstances.

    • Susan Hallam MBE Susan Hallam MBE says:

      HI Steph
      I think you’ve already identified your problem: you are asking for two types of permission (being a member, and receiving the newsletter) as a single question. I think your solution is to have a newsletter unsubscribe button like you do now, and a separate, but still easy to use, mechanism for actually leaving The Club
      Good luck!
      Susan

  3. Roger Davis says:

    Hi,
    I’ve just found your blog & have found it very informative- thank you. I don’t know if this is a silly question but here goes:
    I administer a local website for non profit making local society, the Local history group using a free “ community “ host service. We are doing our best to comply with the GDPR and now have shiny new Data Protection Notices and we will be refreshing our consents using a paper form at our future meetings. Although we may email members an occasional newsletter there is no facility to request this on our websites. In view of this do we need to do anything to our websites to comply with the GDPR? Do we need to mention the website in our Data Protection Notice.

    Many thanks

    • Susan Hallam MBE Susan Hallam MBE says:

      It’s not a silly question at all, Roger!
      It sounds like you are doing the right thing: getting consent on paper format at your meetings which should include permission to send your email newsletter (you can just scan these forms, by the way, and store them that way)
      It is a shame you don’t have the ability to sign up to your newsletter on your website. That could be a great way to get engage with more members. And if you do have an online signup, then you will just need to to include the permissions tick box, and give people the chance to unsubscribe easily.
      And yes, you should still update your website’s Privacy Policy to be GDPR complaint, which in your case should be fairly simple
      Hope this is helpful!
      Susan

  4. Debbie Whitmore says:

    I found this very helpful and answered a number of my questions. Do you have any deeper advice about the “right to be forgotten”? I need to understand what would be considered compliance or not in the case of “being forgotten”. We have organizations that apply to us for grants. When we hand out funds, we track the organizations performance and should they fail to adequately perform the requirements of the grant, that becomes a factor for future funding. As tracking a person’s performance, it would be detrimental to our business should we have to “forget” their performance with our funds. How does an organization comply with the GDPR while protecting their business as well? In simple terms, it’s kind of like how grocery stores track someone who writes bad checks. They don’t want to continue taking checks from a bad actor. How can individual and business needs be balanced? Can you point me to further reading on this topic that is explained as beautifully as you have for website requirements? thank you!

  5. Anthony Sims says:

    Great article Susan.

    Can you offer any advise on GDPR when Cookies are being used?

  6. Good examples with the points, thanks for this.
    We are currently looking into adding Web Push notifications onto our website with an ability to unsubscribe.
    As this just stores an anonymous token, does this (like google analytics), fall out of the boundaries of GDPR?
    Or do we need to add to our privacy policy, similar to as if it was an email mailing list?
    Thanks in advance.

  7. Sami Laine says:

    If you are basing your direct marketing data processing on legitimate interest, then you make yourself vulnerable to objection. The objection to direct marketing is absolute. It means that at any time anyone can object and then you must stop all further processing and therefore also destroy all your legitimate interest-related data storages!
    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-else-do-we-need-to-consider/

    The safest way is to have a combination of contract (for long-term personal data processing) and consents (for immediate and specific purposes on top of long-term contract). Legitimate interest is useful for fraud detection and security features that have compelling advantages to everyone (even data subjects).

    Legitimate interest might be useful for specific purposes under the direct marketing, like maintaining blocking lists of persons who have denied consent based marketing or objected against direct marketing. In this case, the interests of data subjects and data controller align – data subject does not get direct marketing and data controller does not violate GDPR. Consent or contract cannot be used as basis for such list (data subjects have denied/objected) but you can use legitimate interest as a basis for maining blocked lists (its also data subjects interests to not get marketing). The legitimate interest for direct marketing is meant for this kind of purposes – to enable enforcing the interests of all parties – not to enable marketing against the will and interest of data subjects.

  8. David Miles says:

    I have adjusted all the forms on our new site, have altered our privacy agreement and terms of use – and any other documents that I could find too – but I have one remaining issue …

    What to do about the 550 email subscribers that we have – they were all opt-ins – and can opt-out at any time they like – but do I need to re-confirm consent with them prior to GDPR coming into law?

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi David

      It sounds to me like your subscribers have already granted you permission to receive your newsletter (and you probably have a record of that opt-in in your email newsletter management system) and you are always giving them the chance to opt out.

      Re-permissioning is a powerful way to keep your marketing data clean and up to date, but I think you are already compliant with your existing processes.

      Cheers
      Susan

  9. Andrea Appleton says:

    Hello Susan
    Thanks for the really useful examples.
    One question please:
    When a customer enters our side to purchase a product, we guide the customer through a number of pages before we are asking them to consent for us to keep their data. However, we are keeping their data from the moment they pass the first page. Does that mean, we will need to ask for consent at the start of the website rather than the end?

    Thanks,
    Andrea

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Andrea

      I think I’m going to need a bit more information, but I’m assuming the data you are collecting as soon as they pass the first page is either cookie data or other types of tracking.

      If this is indeed the case, then the ICO says:

      “You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied, but must be knowingly given.
      To be valid, consent must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.”

      https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/

  10. Adrian Bennett says:

    I think people are panicking unnecessarily, If you follow the uk data protection laws which are quite strict anyway you cant go wrong, i appreciate the need for online protection but i think this really only applies to the big boys who hold vast amounts of data. For the normal business owner who only has a few hundred customers and keeps everything tight with up to date security software and fire walls. they will be fine. In all the years of business i have never once had my data protection processes checked. as i say i follow all uk data protection laws and am fully compliant. This GDPR will be very hard to police any any error will only show up if there is a material breach and your systems hacked and the data stolen and sold on and it’s traced back to you. Keep your security up to date add the correct privacy policies and terms and conditions (you can get these free through My Business works) If your going to do email runs make sure you have permission to send them. Thats it…don’t panick!!!!!

  11. Adam says:

    Hello Susan!
    Lately i read as much as i can about de GDPR and how it will affect businesses all over the world. Is it really that hard to comply? I mean clearly you must store the ‘personal info’ as secure as possible and erase it when asked (only if you comply with the law to because sometimes you must Keep some records for years or does GDPR not affect documents and Information that you must clearly store?)

    My simple question is exactly as this message that i post.
    If on my Website someone leaves a message/comment with his Name and email as i do here, do i Need any Special consent from that user? He clearly knows as i do here that i am entering my Name and email adress to contact you or get in touch but do i Need any Information about storing the Clients Name and email adress or can i simply state that it is only used for the sole purpose of replying to their message with the Information they asked for and that we store their data only after we enage in a signed contract otherwise it is not stored?

    Any help is greatly appreciated!
    Thank you.

  12. Ben says:

    Hi, this is the most useful article I’ve read on the subject so far.

    But of course I have questions in my specific scenario!

    We are revising our current website and want to add a basic contact form: First name, surname, email address, subject, message. We don’t have a database as we’ve not harvested any data before and we don’t envisage needing one beyond adding a successful contact that proceeds forward to a shared contacts folder in our gmail system. We don’t send newsletters or marketing mailing of any kind, and we certainly wouldn’t share our contacts with anyone else.

    Most things I have read involve opt-ins for this and that, sites that involve logins, accounts, and lots of complex functions and features; none of which applies to us and our simple M.O. as far as I can tell, so I deduce that we will not be affected by GDPR… or are we?

    • Susan Hallam MBE Susan Hallam MBE says:

      To answer in a word, Ben, yes, you still need to be compliant.

      You are handling personal data.

      Boom!

      • Sarah Jane Down says:

        Hi Susan
        I’ve set up a website using Wix and will hopefully be developing it into a business which sells membership. With the GDPR, who holds the data, myself or Wix?? I also intend to use a third party to collect payments. What are my resonsbilities with regards to the new legislation?

        • Susan Hallam MBE Susan Hallam MBE says:

          Hi Sarah Jane

          As a Wix website owner, it is your responsibility to inform your visitors how your Wix site processes their data. You are permitted to process your site visitors’ data (e.g. collect, use, store), so long as the process meets the requirements of the GDPR. There are many ways in which you can lawfully process your site visitors’ data – requesting their consent is just one of these ways.

          Take a look at the Wix website where they have recently updated their GDPR information
          https://support.wix.com/en/article/gdpr-and-your-wix-site
          https://support.wix.com/en/about-wix/privacy

  13. Enrico says:

    Great article Susan.

    Is anyone else in the ‘industry’ surprised how slow businesses are to pick up on GDPR?

    Personally, I’m amazed how poorly prepared many UK companies are for GDPR.
    I work for an agency, we build a lot of websites, more than 200 a year.

    And unless our clients are attending to basics – like changing out their webforms and privacy policies – in house, it looks like less than a third of the sites we’ve built over the last 3 years are compliant.

    I landed on this page while searching for industry uptake and noted similar figures from other sources.

    Just how long do you think it will take most companies to understand this is mandatory? And what do you think the penalties will be during the first phases of implementation?

  14. Gemma Bates says:

    Hi Susan,

    thank you for the article, was hoping you could help me with a query. Our organisation does not undertake any mass email marketing to customers but we do all have email contact lists in gmail which are automatically gathered – as soon as you reply to someone they are in your contacts list -, so even though we’re not using them for mass mailout out we could recall someone. Do we need to email everyone we’ve ever been in touch with to check they’re still ok for us to have their email address? Seems excessive.
    For that matter emails – potentially in an ideal world we’d have an email retention policy that would automatically delete emails after x amount of time, however we have a lot of repeat annual jobs and so the company policy is to keep emails – is that an issue? (and if we do have to delete after a certain amount of time, how long should that be)

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Gemma

      Remember, GDPR doesn’t just apply to mass emailings; it covers all the data you hold about any individuals for even something as apparently insignificant as an email address.

      You raise a couple of issues that you need to be thinking about. First, you need an awareness of what personal data you have and how you are storing and processing it. You need to consider how you keeping the email address data secure, how it is being updated, and how people can correct the information you hold.

      And you need to consider the retention policy that you mentioned: just how long do you need to keep the data, what is the purpose of retaining the data, and do you have a legitimate business interest that would inform your retention policy.

  15. Jack says:

    Hi Susan,

    I have a question regarding google analytics. You mentioned that you think it’s not affected by the new GDPR law because it doesn’t track any personal data.

    But google analytics tracks IP Addresses, doesn’t that fall under personal data?

    I was just wondering if I have missed anything here?

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Jack
      Sorry I wasn’t clear about that…
      Google Analytics uses cookies to track visitor activity, so yes that is covered by GDPR and you will need to inform people accordingly.
      The data inside Google Analytics (the reporting) normaly does not have any personal information contained within it and hence there isn’t an issue with the data in the application.
      Cheers
      Susan

  16. Lucy says:

    A very valuable article, thank you. Why couldn’t I find this type of article on the government website? A few questions for you to which I would be very grateful for a reply:

    – Being an internet retailer, we pass on almost every customer’s information to couriers and, on occasions, to suppliers for direct deliveries. Do we need individual consent tick boxes for information to be passed onto the courier and supplier? Do we need a contract between ourselves and the couriers and suppliers?

    – Again, having a website, our website host and web developers have access to our customer data. Do we need individual consent for these? Do we need a contract between ourselves and them?

    – We keep a customer’s details for at least the length of the warranty on the products they purchase for traceability. Is this no longer acceptable? You would be surprised how many customers rely upon us to trace their original order, because they cannot find their proof of purchase.

    – Potential customers often provide their name, email address, etc, over LiveChat, especially when it is ‘off-line’ and they leave a message for us to respond to. How is their data protection covered in this scenario?

    Thank you in advance.

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Lucy, and thanks for your kind words about my post.

      I really must start by repeating I am not a solicitor, and this blog post does not constitute legal advice. It is just my personal interpretation,

      You asked several questions, so here goes:

      1. Consent is just one of six grounds for processing data. Another lawful ground is having a contract in place, for example to buy something. Delivery companies will almost always be able to use contracts with the individual to collect personal data. It is elf evident that delivery companies need people’s names, addresses and contact information to send packages to their destination and confirm their delivery.

      2. Yes, you do need to review your contracts with your various partners who process data on your behalf, including your web development partner. Here is some useful information for you:
      https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

      3. GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. Your warranty period sounds reasonable to me, and you just need to document it in your GDPR documentation

      4. With regards to LiveChat, under new GDPR legislation, companies who use live chat software to collect customer data are classed as “data controllers”. Simply, a data controller is an individual or organisation that determines what, why, and how data can be collected. The consumers tracked and chatted to via live chat software are classed as “data subjects”. This term refers to an individual who can be directly or indirectly identified via the information collected about them. Businesses, then, are under new obligations to work within a clear data protection framework, and handle data legally and in compliance.

  17. Really good article thank you. I am in the middle of the long process of re writing policys in line with addressing what we need to do as a small business.

    Perhaps this is a strange/daft question but thinking in terms of duplicate content, judging by the repetition of certain words/phrases (GDPR repeats amongst others including data). Not to mention the non relevancy to our product range, do you think this will place at risk of ‘google slaps’

    Kind Regards

    Sian

  18. Sabri Elia says:

    Hi Susan,

    Thank you for your article.

    There are some question I’d be happy if you could help me with.

    In order to manage our sales activities we use a third party service provider. Once we have a new sign up on our platform, we transfer potential partners to the third party service. The third party service provider facilitate the communication through different channels. With this in ming, do we need a specific consent during the sign up process in order to use this specific sales tool?
    Generally speaking, do we have to mention each third party service provider by name including an opt-in check box in our privacy notice in order to be able to use any third party services?

    Many thanks in advance!

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Sabri, and you’ve asked a great question. My answer at this point has to be I just don’t know

      The draft guidance does state “‘give granular options to consent separately to different types of processing wherever appropriate.’

      And “Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.”

      But this could lead to quit complex consent statements and could be seen to go against the very essence of the GDPR, which emphasises the requirement to make information notices clear and concise.

      So…. all I can say a this point is watch this space!

  19. Stuart says:

    Hi Susan

    Many thanks for this great blog piece. I’m still a little confused for my own personal situation. I’m a freelance print designer, been freelance for a year and have had very little enquiries through my website. Nearly all my clients are friends/family and word of mouth.

    I don’t have newsletter signup on website, all I have is a phone number, email address and a contact form. Do I need to make this GDPR compliant by adding T&Cs about data etc and tick boxes to contact form?

    What if I remove the form and just have a phone number and email address link, do I still legally need to put something on there and if so can you point me in the right direction of what I need to be saying?

    tbh, i need to do more with my website as I just did something quick to get live at the time and never done much with it.

    Many thanks

    Stuart

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Stuart

      Yes, even as a very small business you will still need to comply with GDPR

      And you will need informed consent, as well as complying with the other aspects of GDPR, too.

      Cheers
      Susan

  20. Stefan says:

    Google Analytics does indeed collect personal data if the scope of tracking includes users (as oppose to sessions). Please refer to Article 4 and Recital 30 about “online identifiers”:

    “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.”

    Websites owners that use tools like Google Analytics are not clear from the obligations of GDPR. Consent must still be given if dealing with data which is traceable to a single user.

  21. ian lee says:

    My issue is the actual content of a website and how it might be affected by the right to be forgotten. I run a website for a drama group that is full of pages and past programmes with people’s names, photos, etc. These form important historical records that would be destroyed if someone wanted to be removed.

    • Susan Hallam MBE Susan Hallam MBE says:

      An interesting question, Ian, and again please remember I’m not a solicitor!

      It seems to me that the members of your drama group gave their personal data for a specific production, and you are archiving that data for historical purposes.
      https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions/

      Purpose limitation
      Personal data must be collected for specified, explicit and
      legitimate purposes and not further processed in a way
      incompatible with those purposes. Further processing of
      personal data for archiving purposes in the public interest,
      or scientific and historical research purposes or statistical
      purposes shall not be considered incompatible with the
      original processing purposes. However, conditions in Article
      89(1) (which sets out safeguards and derogations in relation
      to processing for such purposes) must be met.

  22. Fillmore says:

    Thank you for the very informative article. I am perplexed about point 8 (which is what led me to your article in the same place). In my company we use Salesforce Pardot, which seems conceptually identical to CANDDI. Looking at what Pardot advises about GDPR compliance they seem to have taken the same stance as CANDDI: they claim that their legitimate interest of providers of marketing tools essentially trumps the rights of the data subject.
    Well, I don’t think it takes a lawyer to imagine that a nasty surprise is likely for them (and for their customers too?). If their interpretation of the law was case law, any spammer on the planet could argue that their interest overrides the interest of people. Obviously this cannot be ok.
    As a minimum, I would expect these companies to provide detailed guidelines on how to get consensus from end-users, boilerplate text that describes their usage of the data and GDPR compliance and an end-user portal where end user can go directly to check what pardot/canddi knows about them.

    If you have a different opinion, I would love to hear about it. Thanks

  23. Jamie says:

    Greetings,

    I have a tricky question, but first I feel that it’s important to set context. Before the advent of the Internet, companies asked their employees to punch in and out to record time spent working on the job. Companies essentially “own” the data in this traditional sense because, as required by law, they file and store these records for years–often for several years long after the employee has left the company. This practice is in place in case the government or the employee challenges hours paid and wishes to review this data. Companies use this data to track their employee’s time for payroll, human resources, and quality control, etc.

    Fast forward to today. Our website offers the same service, except it’s electronic: we offer a cloud-based service to enterprises. Employees in these companies create and use accounts on our service that are connected directly to their employer’s account. In short, their employers are able to see hours worked, etc., in order to fulfill the same business needs mentioned earlier.

    I feel this is a tricky question because the core feature of the product revolves around the fact that it is essentially the employer, and not the employee, that “owns” the information (just like they would in the traditional sense). Do you have any suggestions for this type of scenario with regard to the employee’s consent to their employer’s continued and ongoing use of this data long after the employee has stopped using their account?

    Kind regards,

    Jamie

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Jamie

      Please keep in mind I’m not a solicitor, and I’m not offering legal advice!
      😉
      But it sounds to me that the data being collected is for legitimate business interest. Quite simply the data that is required to ensure the employer fulfils their contractual obligations to their employees. Users of your website need to collect this data for the effective running of the business.

      You don’t want to be relying on consent for processing of HR data.
      Here’s a useful article for you
      https://www.taylorwessing.com/globaldatahub/article-processing-of-hr-data-under-the-gdpr.html

      Necessary for performance of a contract or to comply with a legal obligation

      Processing will also be lawful where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject’s request prior to entering into a contract (which includes employment contracts), and where it is necessary in order to comply with a legal obligation. These grounds are helpful to employers but they should remember that the purpose limitation and data minimisation principles will apply and may have a bearing on how much data may be collected and what it can be used for.

      Hope this is helpful!
      Susan

  24. Paul says:

    Great article Sue. I’ve setup a couple of websites as favours for friends who run a couple of boxing and kickboxing clubs between them. Their websites are really just there to give them a presence on the web and they have no email marketing programs running but they do have contact forms on their websites.

    Q1.To what extent do these clubs have to comply with GDPR?
    Q2. Do they require specific terms and conditions/ privacy policy or can they use standard documentation for these?

    Thanks in advance.
    Regards
    Paul

  25. Tim says:

    It seems so much of the information I read about GDPR is about marketing and getting their consent to contact them.

    What about the scenario where you have a customer come to your site to create an account to purchase products.

    When they create an account or place an order, should there be a checkbox for them that they consent to store their personal information? If they don’t, they can’t create an account or place an order?

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Tim

      I think there are 2 issues going on here:

      1. The first is that you need their details in order to fulfil a contract. For ecommerce businesses this means the GDPR allows for processing of personal data for the processing when necessary for the performance of a contract with the data subject. This legal basis applies to data required to process an online payment or deliver the purchased product. In such cases, there is no need to get consent. Remember, you can ask ONLY for the information required to fulfil the contract.

      2. However, in reality you are going to want to keep in touch with them following the purchase, you may be storing additional information about them, and you are going to need consent for this ongoing contact. As a customer, I may choose not to give you that consent, but I can still order from you.

      Hope that is helfpul (and remember, I’m not offering legal advice!)

  26. Tim says:

    Thank you so much for the reply. For the purchasing of goods, only require information needed (name, address (to ship the item), email, etc…) and no need to get consent. I can email them to let them know their order has been processed, shipped, etc…

    But if I wanted to follow up and let them know there is a special promotion or something to that effect, I would then need to get explicit consent (having them check a checkbox for that) at the time they purchase or create an account.

    ^ I guess that was more thinking out loud ^

    Thanks again!!!

  27. Janine says:

    I am an artist in Canada who spent the past year building and learning how to build my own website from scratch on wordpress with a website builder application I purchased for it. I noticed that If someone comments on my blog post I get sent their isp address and it is stored under the comments area of my wordpress back end. There is no way to delete people’s isp address once it’s there unless I remove their comment from my blog and then delete the record of it. That concerns me since my understanding is people must be able to request that I delete that information. There is also no way for users to delete their own comments with wordpress based sites. What to do there?
    My technical understandings of all that is required in the new law is not great. I don’t have an online shop yet but plan to add one soon. I also should add, I won’t be shipping or selling outside Canada due to challenges that shipping art has. But, my site is also a blog where anyone can interact with from anywhere.

    What can I do about this isp thing? I’m thinking since most of my interaction with people is directly on instagram , if maybe it would make my life easier to just not have comments sections on my blog posts.. to stop wordpress from holding isp addresses. Also this whole thing of having to allow people to download their data from sites they interact with. I have a whole slew of ??? with that one because that makes zero sense unless it’s facebook.
    The other question I have is what do I need to do with the fact that I have social media feeds on my site for facebook and instagram. I used a plug in for the instagram feed and I grabbed code from a facebook link that enables one to place ones feed on to ones website… do i need to worry about data privacy with that..?
    even if I don’t sell products to people outside Canada and possibly US do I still need to bother with all this GDPR stuff? Once I add an online shop as well I’ll be what’s known in Canada as sole proprietor. That is, not a registered business but an individual selling my own art.
    I was concerned too about GDPR and facebook pixels. Is it best to make my life easier to not bother with that? I’m not even sure I want to bother with my statistics .. not yet anyway.
    Is it enough in my privacy policy to just provide people links to facebook and instagram privacy policies. As far as site security I have a special plan with my web host where they monitor and manage the security of my wordpress site with a no hack guarantee. I have that mentioned in my privacy policy. Should I also provide contact information to my hosting service?
    I will be adding Mailchimp for newsletter opt ins, but they have stated they are making all those tools GDPR compliant for users of their service.
    Sorry I have a lot of questions, but I can’t find clear answers and I’m finding it all very confusing especially because I’m not sure I completely understand what happens when people interact with my site in regards to my social media feeds and if I decide to use facebook pixels. Also if i use shopify as my selling platform.. I so hope you can help. Thanks

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Janine

      First thing I would say is…. take a deep breath! This GDPR thing isn’t as scary as it looks! I think many business owners like you are feeling the panic, but don’t forget there is a lot of help and support out there for you.

      You’ve asked a lot of questions, so I’ll do my best to respond to your points:

      As business based in Canada who is not trading with individuals in the EU, I think your risks under GDPR are minimal. It’s all about balancing risk: how likely is it that an EU resident is going to file a complaint against you for storing their IP addresses as they browse your site? How likely is it that they will win the case if you were prosecuted?

      But I also think the principles of GDPR are just good business practice, so you will want to be complying just because it is the right thing to do.

      With regards to storing IP addresses on WordPress: you are allowed to collect and store this data. As a WordPress site owner, you just need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored. The ICO has written a nice guide on how to share this policy information, and WordPress has GDPR plugins that you might want to consider using.
      https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/where-should-you-deliver-privacy-information-to-individuals#justintime

      Your no-hack guarantee on WordPress is a great step towards keeping personal data safe. And to simplify matters, you can configure WordPress so your contact forward all communication to your email address instead of storing them anywhere on the web server.

      With regards to embedding social media feeds on your website, the consent will have been granted by the user as part of their subscribing to Facebook or Twitter or Instagram.

      And finally, when you start using Mailchimp then it will make it easy for you to manage the individual consent, and opt out, and reporting that you need for GDPR.

  28. Dan Taylor says:

    Hi Susan,

    Great post – this aspect of GDPR is definitely something I’ve personally seeing a lot of webmasters and marketers having issues interpreting.

    One thing I would have also added to the post would have been the necessity to ensure that your website is secure, and not prone to hacks (data breach or not).

    Thanks again for the great article.

    Dan

  29. Elena says:

    Hi Susan

    Thank you for the great article, really informative!

    I wanted to ask about a specific query I have. I did a Wix website for my wedding platform, allowing guests o see all the details and information. They can leave a message to use through the website, so they’d have to submit some personal data (name/email). Do I need to make the website GDPR compliant as well, even though it’s not a business? How do I make it compliant, shall I incorporate a tick box for example which allows the guest to give their consent for their personal data to be processed, do I need to show the Wix privacy policy & terms & conditions?

    Thank you very much in advance for your help!

    Elena

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Elena

      I’m not entirely sure I understand your question. Is this you just creating one website for our own wedding? If so, GDPR does not apply to people processing personal data in the course of exclusively personal or household activity.

      Obviously, if you created a platform that can be used by several different weddings, then you will have the full responsibility of all the other compliance issues raised in this post.

      Hope this is helpful
      Susan

      • Elena says:

        Hi Susan
        Thank you very much – maybe I wasn’t very clear in my question but you fully answered it! It’s just a personal website for my own wedding, so GDPR doesn’t apply as you kindly reminded me. Thanks again!

        Kind regards
        Elena

  30. Ken Fish says:

    Hi.

    I have spent many hours looking through GDPR information on the internet but I am still as confused as when I started. Thank you for your web page it is so good to find some help written in a language I can understand.

    I am a Sole trader working from home. I provide computer repairs and support for home users and other small business. I have a web site just as a presence for customers to find me and obtain my contact details. There is an enquiry form as some people prefer to contact me this way rather than call. As regards to customer data the only details we keep are name, address, phone number and email address, purely so I can contact them when the work is complete. This detail is also on the invoice I provide. I do not call customers for any other reason and do not send out mail shots. If a customer has a problem they will call when necessary. Some customers have for their convenience asked me to keep some account details and passwords. All my invoices and data are stored on my Office 365 account. I have a lot of customers names and contact details in Outlook so if they call and leave a message I can call them back.

    Where do I stand regarding GDPR?

    Do I need to contact my customers and say what data I hold on them and ask them if they which me to keep their detail or remove it if they wish? How does this affect my Invoices as these contain details of the work I have carried out in case it has to be referred to at a later date. I do not keep an actual data base, all invoices and account details are done using Word and Excel.

    Should I have a page on my web site saying that I hold contact data but if they wish for it to be removed then I will do so?

    Many Thanks
    Ken

    • Ken Fish says:

      I forgot to say, I do have to perform data recovery from customer machines if the hard drive requires replacing or rebuilding. I hold the data for 1 month to be sure the customer is happy that all data has been recovered. The data is then deleted. I do make the customer aware of this and if they prefer I delete it immediately.

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Ken

      Even as a sole trader you will need to comply with GDPR. You’re website will need to be GDPR compliant because you are collecting and processing personal data via your forms.

      As a business, I would suggest you need to have a document (known as a Statement) that you can put on your website and share with customers to let them know how you are complying with GDPR. In particular, I think you have a special set of circumstances where you are going to have access to the information on my computer during the repairs process, and in particular you have access to passwords, so you will need to make especially clear your security processes and policies in light of the fact you have access to the information on my computer.

      It also sounds like you are collecting and processing personal data as part of fulfilling the contracted work, so consent just for this is not required and it is as easy as letting people know that is the case. What will your policy be about retaining customer data once the job is done? it may be guided by any warranty on the work you provide, or a fixed period like 5 or 7 years.

      And finally, you may find it useful to look at GDPR statements on other business sites like your own:
      http://www.angleseycomputersolutions.co.uk/gdpr/

  31. John Salmon says:

    Hi Susan

    Thank you for this interesting article.

    I have a very simple, single page website which is no more than an electronic business card. It says who I am what I do and what I charge.

    I supply my email address and phone number should anyone wish to contact me.

    I have no third party widgets, no Google Analytics, no forms, no tracking cookies and do not store data in any way through the website.

    After all the above answers, I’m still a bit confused as to whether the website is GDPR compliant. Common sense tells me it is but what do you think?

    Thank you for any assistance.

    John

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi John
      GDPR is all about how you process personal data. If your website doesn’t collect or process personal data in any way, like forms or tracking, then I don’t think you have any risk about compliance in this specific area.
      However, your business must still comply with GDPR in many other respects, and perhaps your website would be a good place to publish your statement on how you comply overall
      Hope this is helpful
      Susan

  32. Jason says:

    Hi Susan,

    I have a question in regards to forms featured online.

    If someone wants to find out more about our services they can fill out our online form featured on our website with their name, email and telephone number for us to contact them.

    Below the form we feature the following statement:
    By submitting your details, you agree to receiving marketing communication from us in regard to our services. Should you wish to stop this at any point, please click on the unsubscribe link in the email. We do not share your details or information with third parties. For more information on your rights and how we use your personal information please see our Privacy Policy.

    My question is, as well as this do we also need to feature a separate tick box that they need to opt into if they are happy to receive future marketing communication from us?

    Kind regards
    Jason

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Jason, and sorry to have to say it looks like the approach you are recommending is NOT going to be GDPR compliant. Individuals must be given the right to actively Opt In to marketing communications and you are combining the enquiry process with also adding me automatically to your marketing list. You are only giving me a chance to Unsubscribe once you have started to send it to me without my permission.
      So, in answer to your query, yes you do need an Opt In tick box for marketing communications, and you also need to remove the text saying “By submitting your details, you agree to receiving marketing communication from us in regard to our services” and you may NOT add me to your marketing list until I’ve ticked the box
      Cheers
      Susan

  33. Filippo Morelli says:

    Hello again. My company website embeds an occasional Google YouTube video and a Google Map to show where our office is. It just dawned on me that this may have GDPR implications. Would we be the Data Controller with Google being the Data Processor in that case? Quite frankly, I don’t think that that would make any sense because we would not be passing any information about the user to Google.
    Now chances are that Google already knows a lot about that user. In this case, it would make more sense to say that Google is the controller and if users have something to say, they should take it up with Google.
    Assuming the second scenario is the correct interprettion, what should companies report in their privacy policy?
    1) Nothing 2) a mention that Google is used and an invitation to go to them to hear how personal data is handled?

    Thanks

    • Susan Hallam MBE Susan Hallam MBE says:

      No worries about embedding YouTube videos or Google Maps. All you need to do is to make sure you let your visitors know that you are using third party services on your website which may collect data pertaining to IP addresses, cookies/session/ browser information.

      For example:

      “Third Party Cookies
      Third party Cookies are not placed by Us; instead, they are placed by third parties that provide services to Us and/or to you. Third party Cookies may be used by advertising services to serve up tailored advertising to you on Our Site, or by third parties providing analytics services to Us (these Cookies will work in the same way as analytics Cookies described above).”

  34. Patty says:

    Hello – I’m a 1-person shop that offers consulting services via recorded phone line or skype, many in EU countries. I have a Wix website, customers pay for my services ahead of time via PayPal on my site, then complete a form through 123formbuilder app with their personal data,some sensitive data. I follow up with a monthly email newsletter through Constant Contact. I am NOT a technical person so I’m trying not to freak out. Do I now need to have data processing agreements signed with PayPal, 123 and Constant Contact? I recently learned that Wix uses cookies on my site; do I need to also now have a cookie policy as part of my new privacy policy that I now have to add to 123 form builder and newsletter sign up? What about the service I use for recorded phone calls or Skype – are those Data Processors as well? Do I have to have ALL of my clients re-opt in, or just EU clients? Have I missed anything as a very small business owner? Help, I don’t want to stress over this any more!! I would appreciate your reply – sorry for all the questions in one post.

    • Susan Hallam MBE Susan Hallam MBE says:

      Wow, a lot of questions in there, Patty!

      You are working with a number of suppliers who are acting as data processors (PayPal, ConstantContact, etc) and you will need to review each of their GDPR statements. To be honest, these are all well known businesses and you should be on safe ground there.

      You must have your own GDPR privacy policy and cookie policy on your website suitable for your own business data collection and processing activities.

      With regards to Skype and telephone calls, this isn’t my specialist area but a quick search found some useful articles, and I found this helpful:
      “Companies that record telephone calls or support voicemail need to make sure that they have a legal basis for collecting and processing personal data that may be contained therein. They will have to actively justify the capture of conversations and put consumers rights ahead of their organization otherwise the recording could be deemed unlawful. Also, they should comply with all of the other aspects of the GDPR based on that lawful reason. This may include individual rights of access, challenge, amendment and erasure, security and notification of breaches.”
      https://activereach.net/newsroom/blog/voice-recording-gdpr-call-recorded-training-purposes/

      Not knowing your circumstances, I would have thought you would need clear and explicit consent in order to be recording these calls.
      https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

      Hope this is helpful
      Susan

      • Patty Oliver says:

        THANK YOU immensely for your reply and for finding articles for me to review, I feel much better! I’ve read on other sites that I should have an actual signed Data Processing agreement with each of the providers I mentioned in my original email, of which you said (and I agree) that they are all pretty big players and I “should” be fine with all of them. Do you think I need to go the extra step to try to get them to sign something (seems it might be a long awaited process) or copy off their GDPR compliant statements and have them in my files?

        • Susan Hallam MBE Susan Hallam MBE says:

          Glad you found this post useful!
          In my experience you do not need an individually signed contract; their GDPR compliance statement forms part of their contract with you and the provision of their services.

  35. Alison Moo says:

    Hi Susan

    Thank you so much for all the information you have provided it has answered many of the questions I have with regard to GDPR however I would be grateful for some insight into email and servers. My business email,address is on gmail whose servers are outside the EU. How can I ensure I find an email provider who will not transfer data outside the Eu? I have been looking but am not confident in what I have found.

    Many thanks

    Alison

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Alison

      Google provides its Gsuite (including Gmail) customers with a comprehensive set of GDPR compliance documentation.
      https://cloud.google.com/security/gdpr/

      What they say is “You can count on the fact that Google is committed to GDPR compliance across Google Cloud services. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts over the years.”

      Also be aware that Gmail is introducing new data security feature that you might find very useful, and could also form part of your own compliance strategy
      http://www.bbc.co.uk/news/technology-43891796

      Cheers
      Susan

  36. Flo Thompson says:

    Hello Susan,

    Thank you so much for this article. First time I’ve gotten my head around GDPR for my website.

    I’m a nursery owner and I ask potential clients to give me their details ie emails so I can track who’s been visiting my website. I do not intend to pass this information to anyone and I’m happy to delete after say a month. Infact I don’t need their information to be honest if I do not intend to send them any marketing material or contact them when they get access to a download on my page. The only time i will contact them is if they fill in the contact form.
    My question is should i have a statement page they should click on before they submit their personal details to see how i intend to be GDPR complaint? It’s like the t&c tabs most companies make you click on before you submit your order.

    Thanks in advance. I’ve found scrolling through other comments very useful too.

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Flo

      Yes indeed, you are processing personal information, and yes you need to comply with all the requirements of GDPR.
      So, yes, you do need a privacy policy statement, and probably a cookies statement, and yes you need information on the page to let them know what you’re going to do with their information when they give it to you.

      And glad to hear you found this whole long string of Q&A useful!
      Susan

  37. Savio says:

    Hi Susan,
    A very interesting article which answers a number of questions. However I have a particular situation. Up until a year ago I took a go at being full time freelancer and a made a few sites for local small businesses. Some of those sites collect information in order to fulfill orders. I am no longer building sites, but in order not to leave my previous clients stranded, I still host their sites on my personal server, and I suppose that makes me a data processor.
    I have informed them about their need to add a GDPR compliant privacy policy and about the opt-in requirements, but not all of them seem to care about taking action. In that case, what are my obligations, considering I had built their sites long time ago (back when GDPR wasn’t an issue). If they want to make changes, they would probably expect me to do them. Do I have any obligations towards their clients?

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Savlo
      You are correct that you have a responsibility both as a data controller and a data processor under GDPR and you need to comply with the requirements of the regulations which includes your own GDPR compliance statement.
      As is the case with answering all these questions I have to stress I’m not a solicitor, but I would signpost you to the excellent set of resources WPEngine have provided:
      https://wpengine.co.uk/support/gdpr-compliance/
      Hope this is helpful
      Susan

  38. Paul says:

    Hi Susan, you mention that the ICO has provided a sample privacy policy, but i can’t see it anywhere on their website – could you share the link please? Thanks

  39. Paul says:

    Oh I see, I thought they provided a full privacy policy template. Thanks anyway.

  40. Kamila Saha says:

    Fantastic article and very helpful, thank you very much. I hope you don’t mind me asking but one of my clients is an online magazine. Assume the contracts with clients for advertising services are not going to cause any issues, but they also publish new articles each week and send an alert once a week for these to individuals – these individuals had to sign up to receive it and provide their details, so they knew what they were doing, but as for majority this has been done a while ago, so do they need to send opt in form now again….they have an option to opt out on their website. Thank you again. Kamila

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Kamila
      The fact the consent was given a while ago shouldn’t be a problem. Iin particular if you hae a record of the consent being granted, and of course you are always giving people the opportunity to opt out.

  41. Karl says:

    hi Susan,

    I manage the website content of a local charity, and have been asked to put a GDPR privacy statement on the website, am I correct in thinking that it only needs to go on the page where people fill out a contact form to get help from us ?

    There are no other pages on the website where they can enter data.

  42. P Willover says:

    This article doesn’t seem to mention that this only effects those websites collecting or using information from European Union – not the US.

  43. Faraz A. says:

    Is there a way to properly follow GDPR guidelines for blogger or individual website owners who collects only emails from Mailchimp and use anonymize IP in google analytics ? Thanks!

    • Susan Hallam MBE Susan Hallam MBE says:

      As a blogger GDPR applies to you if you process personal information and are processing it as part of an enterprise. Article 4(18) defines enterprise as ‘a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity,’

      If you aren’t making any money through your blog then the regulations don’t seem to apply. If you are making any money, then you need to comply, and the rest of the content in this post applies.

      As a blogger using WordPress some typical ways you might collect user data include:

      user registrations
      comments
      contact form entries
      analytics and traffic logs
      any other logging tools and plugins,
      security tools and plugins

      In particular, you will need to ensure your plugins are GDPR compliant in addition to your own processing.

  44. Mark Nenadic says:

    Hiya Susan

    One of the sites I run is an auction website where users can advertise race cars for sale etc. It’s here

    http://www.racebredauctions.com

    The core software for this is provided by a third party software provider. We have a huge discussion on their forum at the moment and are awaiting them to provide an update to include GDPR tools. They are Canadian based by the way.

    My question is we can’t actually implement code ourselves, well we could but then the next time we receive a core update from them the code and any changes we had made would be overwritten. It is unlikely we will get the GDPR update before the GDPR law comes into effect this week however so where does that leave us?

    • Susan Hallam MBE Susan Hallam MBE says:

      Hey Mark

      Oh dear…. not ready in time for the GDPR deadline! I suspect you are not going to be the only one…

      To be honest, I don’t think you can do much in terms of getting your third party supplier to move faster, but you can be absolutely sure your business is complying and is prepared in every other way.

      I think what you are risking is a user filing a complaint against you to the Information Commissioner. You are the best one to judge the likelihood or risk of that.

      So whilst you are awaiting the core update, I recommend you get cracking on everything else that also needs to get done.

      Good luck!

  45. Jen says:

    Hello,

    Thank you for this wonderful and informative article, by far one of the most helpful resources I have found on GDPR.

    I am struggling to find information that is applicable to my exact business, perhaps I am not understanding correctly, but I was hoping you might be able to help.

    I run a small cleaning business. I arrange self-employed cleaners for private homes. Currently I have a wordpress website where people can download a membership form if they want a cleaner. This includes Ts & Cs but I would need to update this informing people about our GDPR compliance. We do not use newsletters or anything like that.

    Currently clients provide their details such as Name, phone number, email address, and home address when they sign up to become members and agree to the Ts and Cs. We hold these details on our computer and pass them on (with consent from the clients) to the cleaners we arrange for them. We do not pass the clients’ details on to any other parties. All these details are kept on file so we can be of ongoing assistance to the clients and any cleaning needs they have. They then pay an annual membership fee in order for the cleaners to keep cleaning for them.

    We also hold the contact details of the cleaners on file. And we are amending the form they sign at the interview to consent to this to be GDPR compliant.

    I am uncertain of what exactly I need to change in our current practice. I shall change the membership form and put a notice on the website for any client to access to learn about our GDPR compliance. I was informed by the ICO helpline that I do NOT need to contact each of our existing members individually to inform them of our new GDPR compliance, as long as they can look it up on our website. Is this correct?

    I don’t know if I need to change how we store the details of our clients and cleaners (name, phone, address, email – stored on a computer and external hard drive as back up, as well as google drive).

    I would greatly appreciate any help you can give me. We are a very small business and a lot of this information feels really overwhelming. So articles like yours are a godsend. Thank you!!

    • Susan Hallam MBE Susan Hallam MBE says:

      It sounds like you are well organised, but I think you will need to be gaining and recording the explicit consent to share information with your cleaners, and let your customers know how you are complying with GDPR In other words you need to do an audit of the personal data you hold, how you are processing it, and your GDPR compliance statement. I think for a business like yours, that is handling customers’ home address details, you need to make sure you’re doing everything to keep that data secure and your customers will want to know your policies. Good luck!

      • Jen says:

        Thank you very much for your reply, that is very reassuring to hear that we are on the right track.

        Do you have any advice on how to best store data that contains our customers’ and cleaners’ private contact details? Currently they are stored on a computer and hard drive and google drive, but is there some way to make this more secure, or some software that can help protect files?

        Once again, many thanks for your help.

  46. Laboratoryum says:

    Dear Susan, thank you so much for your valuable information. It’s helped me a lot.

    I have a question. In our case, we collect information from a web form that is sent to an email address. Then, we upload this information into a post in WordPress. It’s an collaborative art project, were people can send us their files (audio files) in order to share them with the world. We don’t ask for a registration, and we don’t store this information in a database in order to use it internally, but we publish it on our website. Should we consider this like we are storing personal data? And if so, should we provide our users the same tools as if we were collecting data in a private database?

    Thanks a lot!

    • Susan Hallam MBE Susan Hallam MBE says:

      Would you consider yourself an enterprise, in other words a business? If so, then yes indeed, you are collecting and processing personal information and need to comply with GDPR

      And yes, I think you should provide the same information about your processes and policies and users’ rights when it comes to you handling their data.

  47. Susan, great post! What are the GDPR rules on email addresses on webpages/blog posts?

    I reference an article, another blog post, etc., and in the course of my post, I include email addresses that I have gathered (no consent) for the authors or others. I haven’t found an answer to what must be a very common occurrence.

    Thanks!

    Patrick

    • Susan Hallam MBE Susan Hallam MBE says:

      I’m not exactly sure, Patrick, but it doesn’t feel right to be sharing someone’s email address if they haven’t given permission.

      When I reference content I often share the author’s Twitter profile, bit it seems sharing email could leave them vulnerable to spam or worse.

      I think I would advise against it for those reasons.

  48. Kate Watkins says:

    Seeking clarification on the consent front.

    We run an online business. Customers can complete purchases either as a guest or they can choose to register allowing them to log in and have their contact details automatically filled in. We do not hold their card details as part of the registration.

    When they register we do have an opt in for marketing material, even though we never send any, and this is recorded in their account.

    Is there anything additional we need to do with these accounts for GDPR. As they have registered does that give us implicit permission to hold those contact details.

    With guest orders their contact details remain only on the orders in our system. We obviously need to hold order details for accounting – should be deleting their contact details once the order is processed or is it okay to keep so long as we do not use it to contact them for any purpose other than the processing of their order?

    We use an external processor for processing cards, and any card details provided are deleted once processed. Customer’s also have the option to pay via Paypal and are redirected to that site. So long as this is listed in our data processing register are we covered?

    Thanks,
    Kate

  49. Abigail says:

    Hi Susan, the most informative article on GDPR that I have read! My husband and I run an online gift basket company, and receive a handful of non-US orders each year. At this time, our privacy policy and terms and conditions are quite clear, but am I understanding that we need to place the “cookie notice” on our home page when a customer lands?

    Also, we have a checkout page where the customer provides their basic information such as name, billing address, email, phone number, etc, we would need to place the GDPR notice on this page with a check box I would assume in regards to something along the lines of “I consent to having this website store my submitted information” or a link that would take them to our policy/terms page? Essentially a checkbox that they acknowledge that we are storing their information?

    Thanks so much!

  50. Keith says:

    I used to automatically add the user who purchased software to the email list (which only was sent when there was news about the product or a software update)

    Do I need to now have them “consent” by sending a form out and having them check a box?

    Or

    I am also seeing emails where the company emailed me, stating a change to their privacy policy (and does not require consent from the user). I am wondering if that would be ok, since my users are only customers that have purchased a product.

    Thanks

  51. Guest says:

    Hi, if I visit your website for example, I don’ see any message asking for consent.
    Did you put all informations on privacy policy page? I don’t really understand this?

  52. Bagger says:

    Hello Susan

    I’m running a forum. The forum is about Harley-Davidson. Have been reading that things falling under journalism, opinion, statement, information or ideas does not have the right to be edited or deleted, not even anonymous if the poster did add his/her name or email adres.

    Did read on ICO some of the same things, if I did understand it right.

    Have been reading a bit over anonymous right to post. Does that mean that I have to grand membership without them telling me they’re email (using the email today to send them a confirmation link, and if they loses they’re password, a email adres to get a new one).

    Hope you can give some answers to this.

  53. Click Here says:

    Very good article! We are linking to this great content on our website.
    Keep up the good writing.

  54. seo says:

    Great article.

  55. Nicola says:

    Hi Susan,

    Hope you are well. Thank you for a very informative, accessible article and advice.

    I was hoping you could help to clarify re my query. I volunteer with a small charity and have been working on a Wix website page for us.

    Essentially I am hoping to clarify the following;

    1. I have added a Cookies Alert Pop-Up which just says cookies are used/collected (very basic but something along those lines) which people then hit a button saying ‘Got It’. Would this be sufficient or would an accompanying policy re cookies also be required? Or would further info re Third Party Cookies be required as it is a Wix site and apps such as 123 Form Builder have been used?

    2. We will have a Contact Us form which people can use if they wish to send a query. Would a Privacy Notice (on a separate page) be sufficient just to explain that the form data is collected, stored, used to reply and retained for a specified period?

    3. We will also have an online Volunteer Form for prospective volunteers to fill in. Again, would it be sufficient to include details of how this data is collected, stored, used and retained in the same Privacy Notice on a separate page?

    I imagine that the details submitted via the Contact Us form will not need to be retained for long but those submitted via the Volunteer Form will be should an individual become a volunteer so some additional information would need to be provided in the notice re this?

    Hope this makes sense.

    Thank you,

    Nicola

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Nicola
      Sounds like you are doing a good job complying with GDPR requirements. I think a Cookies Pop Up alert is a good idea, and ideally it would give the basic information as well as link thru to further details. Likewise, on your Contact Form a very brief description of why you are collecting this data and how you are going to use it sounds good. You will have the fuller infomation on your Privacy Policy page. And finally, for your Volunteer Form you will also need to give information about how you are collecting and using data, and you might need to think a bit more carefully about this data, if appropriate.
      Hope this is helpful!
      Susan

      • Nicola says:

        Hi Susan,

        Thank you very much for your reply. It’s reassuring to know I’m heading in the right direction! I was hoping to get your advice on a further related query if possible. I have been reading the Wix Privacy Policy for any information that would perhaps need to be included in our website Privacy Policy, however it has been a relatively complex read. Essentially I am not sure that it would be viable to try to capture elements of the Wix policy in our own but instead thought that adding a section/note in the policy referring and linking to the Wix Privacy Policy would hopefully be sufficient?

        The Wix policy itself notes that as a user your responsibility is to ensure that you advise your users of what you are doing with their data. Do you think that it would then be sufficient to do as described above and link to the Wix Privacy Policy should anyone wish to read this and focus our policy on our collection, uses, etc?

        Finally, I am not entirely sure when noting our legal basis for processing whether it would be consent or legitimate interests? It would seem that essentially by providing their data via the forms that consent is being provided to use it to respond to queries/volunteer applications. However, I may be wrong, but it seemed that legitimate interests would also/or be viable as the basis for processing the information provided?

        Thank you again for any clarity or advice you can offer re the above. It certainly is easy to overthink this!

        Best Wishes,

        Nicola

  56. Anthony Lynch says:

    Hi Susan
    Thank you so much for this info, but my question is…Is this all there is to be GDPR compliant…I think I saw in some document about THE RIGHT TO a. THE RIGHT TO b…and all these rights…..

  57. Anthony Lynch says:

    I am still confused
    Could you give me some broad headings under which one have to adjust to be compliant?
    What section does the privacy policy fit in, in relation to the other sections?
    No body seem to put it in clear sections that you can see what you are doing…I mean no sort of order..so it’s all jumbled up to me.

  58. Shirley Scott-Summers says:

    I am setting up an ecommerce shop online with shopwired who keep telling me it is my responsibility to become gpdr compliant. But what do I need to do . I am not having a newsletter so the only personal information I will be using is the customer name, address and email, which will be needed to process the order. All orders will be payed for via PayPal. I have used the shopwired privacy policy which states who uses the I information etc but at a loss of what I as a business need to put on my website to cover the business as gpdr compliant?

    • Susan Hallam MBE Susan Hallam MBE says:

      Hi Shirley
      Yes indeed, it is your company’s obligation to be GDPR compliant, and your shopping cart provider will have their own compliance duties. Read thru the long list of Q&A’s on this post, but at the very briefest you need a GDPR statement of policy, you should check your forms to make sure they are compliant, and you will want to review how you are handling customer data through their entire lifecycle with your business.
      Hope that gets you started!
      Susan

Leave a Reply

Your email address will not be published. Required fields are marked *