
Is Your Website GDPR Compliant?

Ryan Bromley

Product owner and content strategist

2 November 2017

If you work in a large organisation, the chances are you've heard GDPR, or the General Data Protection Regulation, mentioned more than a few times since it was adopted by the European Union in 2017. This regulation goes further than existing privacy legislation because it covers any information relating to an identified or identifiable person – which includes information such as somebody's IP address. The regulation created new responsibilities for organisations when it comes to collecting personal data, processing personal data, and what you tell people about the way you intend to use it. I'll cover all three in this article.

What is GDPR compliance?

When the General Data Protection Regulation (GDPR) came into effect in the UK, most organisations were not ready. It was written into UK data protection law through the Data Protection Act 2018, and years later many organisations still do not understand what GDPR compliance is or how to apply data protection principles to their business or operations.

Simply put, GDPR compliance means that companies and organisations must:

  • Be transparent about how they collect, store, and use personal information like names, email addresses (and more)
  • Get permission from individuals before collecting their data (e.g. via cookie data or forms)
  • Commit to keeping that data safe and provide information on how a user can retrieve and delete their data

If a company doesn't follow these rules, they can face big fines, and the ICO has already issued hefty penalties to big tech companies for breaches.

What does General Data Protection Regulation compliance mean for my website?

The biggest implication of GDPR for web teams is the change to consent. People must now give you their explicit consent before you can use their data. This must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

It will no longer be enough to add a pre-ticked consent box to a form or show a message informing people that by visiting your website they agree to sharing their personal data. You must make sure that people are aware of what you want to do with their personal data. You will also have to get people's consent to use their personal data for every different purpose you have in mind.

A screenshot of the homepage of the Ryanair website in October 2017.
This style of cookie bar on Ryanair's website wouldn't comply with GDPR because it doesn't allow visitors to opt out of having cookies placed on their device.

GDPR also makes clear that it's unacceptable to deny services to people unless they give you consent to use their data. So, for example, you won't be allowed to deny visitors access to your website if they refuse to let you place tracking cookies on their device or record their IP address.

It's vital that you record this consent so that you can prove you have abided by the GDPR if someone complains. You should store details of what a person agreed to and when they gave you permission. You must also provide a simple way for people to withdraw their consent in future if they change their mind.

Things to do now:

  • Review how you ask for, record, and manage people's consent.
  • Untick any pre-ticked consent boxes you are currently using.
  • Update forms to include information on how you will use people's data and ask them for consent for each purpose.
  • Begin getting your users to update any existing consent that doesn't meet the new standard.
  • Audit your website cookies to determine which require consent.
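The consent record described above (what was agreed, when, for which purpose, and a way to withdraw it) as an added example in JavaScript; this is not code from the original article, and the purpose names, the privacy-notice version and the record shape are assumptions for illustration:

```javascript
// Added example (not from the original article): a per-purpose consent
// ledger that records what was agreed and when, supports withdrawal, and
// treats anything not explicitly granted as "no". The purpose names and the
// notice version are assumptions for illustration.

const PURPOSES = ["analytics", "marketing", "personalisation"]; // assumed purposes
const CURRENT_NOTICE_VERSION = "2018-05"; // assumed privacy-notice version

// A fresh record has no purposes ticked: the opposite of a pre-ticked box.
function newConsentRecord(subjectId) {
  return { subjectId, purposes: {}, history: [] };
}

// Record an explicit choice for one purpose, with a timestamp and the notice
// version the person saw, so the decision can be evidenced later.
function recordChoice(record, purpose, granted,
                      { at = new Date(), noticeVersion = CURRENT_NOTICE_VERSION } = {}) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  const entry = { purpose, granted: granted === true, at: at.toISOString(), noticeVersion };
  record.purposes[purpose] = entry;   // latest decision wins
  record.history.push(entry);         // but the full trail is kept as evidence
  return record;
}

// Withdrawal is just a recorded "no"; the earlier "yes" stays in the history.
function withdrawConsent(record, purpose, at = new Date()) {
  return recordChoice(record, purpose, false, { at });
}

// Consent counts only if it was explicitly granted under the current notice.
// No entry, an entry under an older notice, or a withdrawal all mean "no".
function hasConsent(record, purpose) {
  const e = record.purposes[purpose];
  return Boolean(e && e.granted && e.noticeVersion === CURRENT_NOTICE_VERSION);
}

// Purposes that were granted under an older notice and must be asked again.
function purposesNeedingRefresh(record) {
  return PURPOSES.filter((p) => {
    const e = record.purposes[p];
    return Boolean(e && e.granted && e.noticeVersion !== CURRENT_NOTICE_VERSION);
  });
}

// Usage with a constructed sample: a visitor ticks analytics now, had marketing
// under an older notice, and never answered personalisation.
const demo = newConsentRecord("visitor-123");
recordChoice(demo, "analytics", true);
recordChoice(demo, "marketing", true, { noticeVersion: "2017-10" });
console.log(hasConsent(demo, "analytics"), hasConsent(demo, "marketing"),
            hasConsent(demo, "personalisation"), purposesNeedingRefresh(demo));
```

Gate any tracking script on `hasConsent` rather than on the absence of a "no", and persist the record server-side so it can be produced if someone complains.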

Processing personal data

The collection, storage, or use of personal data in any way is called processing. As well as giving individuals more rights when it comes to the collection of their data, GDPR also gives people more control over how their data is processed.

You can only ask people for data that you need to do the things set out in your consent form. Data should be kept only as long as is absolutely necessary, and you must justify why you need to store it for so long. People have the right to ask you to delete or correct any of their data. They can also request a copy of it, so you need to store it in a common electronic format for simple data portability.

GDPR also places restrictions on processes that make an automated decision or profile people without their consent based on an individual's personal data. People have the right not to be subject to a decision based on this kind of processing if it has a legal or other significant effect on them. If you are using an automated process to profile people, you must make sure the process is fair, secure, and accurate.

Things to do now to achieve GDPR compliance:

  • Put in place a schedule for deleting old data.
  • Provide a way for people to delete their data.
  • Allow people to request access to their data.
  • Make sure you are storing data in a commonly used electronic format that makes it easy for people to read their data or move it to another system.
  • Make it easy for people to rectify inaccuracies in their data.
  • Review any processes that make an automated decision or profile people and ensure they comply with the new regulation.

Keeping people informed

The GDPR requires organisations to identify a lawful basis for processing people's personal data. Consent is the most obvious basis. Other reasons include fulfilling a legal obligation, protecting a person's wellbeing, or the processing being in the public interest.

You should document the kinds of processing you carry out and your legal basis for doing so in the privacy notice on your website. This should be:

  • Concise, transparent, intelligible, and easily accessible
  • Written in clear and plain language that's appropriate to the reading level of your audience
  • Available free of charge

You must also provide information on why you need a person's data, the length of time you will keep it, and details of their rights – including the right to complain to a supervisory authority.

The mental health charity Mind has a very good privacy policy that's clearly written and sets out how they address the rights of the people whose data they process.

Things to do now:

  • Review your privacy notices and make a plan to update them in good time.
  • Include information on your lawful basis for processing the data.
  • State how long you will keep data before you delete it.
  • Make it clear that people have the right to complain to a supervisory authority if they are unhappy.

A screenshot of the privacy policy from the Mind website in October 2017.

Where to go from here

The Information Commissioner's Office has detailed information on exactly what you should include in your privacy notice. And, if you work for a public authority, your organisation will need to appoint a Data Protection Officer as part of complying with GDPR. This person will be a valuable source of information on all the steps you should follow to become fully compliant with the new regulation.

FAQs - GDPR compliance and data protection principles

Do you need GDPR compliance certification?

In the UK and under GDPR regulations, there isn't a specific requirement for obtaining a GDPR compliance certification. However, organisations are expected to demonstrate compliance with GDPR principles and regulations. Achieving GDPR compliance typically involves implementing appropriate technical and organisational measures to protect personal data, conducting data protection impact assessments, appointing a data protection officer (in certain cases), and maintaining records of processing activities, among other responsibilities outlined in the GDPR.

While there is no official certification mandated by GDPR, some organisations may choose to undergo independent audits or seek certification from accredited bodies to demonstrate their compliance with GDPR standards. This can provide assurance to stakeholders, customers, and regulators that the organisation is effectively managing personal data in accordance with GDPR requirements.

Is a cookie banner enough to be GDPR compliant?

A cookie banner alone is not sufficient to ensure GDPR compliance. While cookie banners are a common tool used to obtain user consent for the use of cookies and similar tracking technologies, GDPR compliance involves broader requirements for handling personal data.

What is a data protection officer?

In the UK, a Data Protection Officer (DPO) is a person appointed by an organisation to oversee and ensure compliance with data protection laws and regulations, including the General Data Protection Regulation (GDPR). The role of the DPO involves a range of responsibilities, including:

  1. Providing advice and guidance to the organisation and its employees on data protection and data security obligations.
  2. Monitoring compliance with data protection laws and regulations, including GDPR.
  3. Serving as a point of contact for data subjects (individuals whose personal data is processed by the organisation) and supervisory authorities (such as the Information Commissioner's Office in the UK).
  4. Conducting data protection impact assessments (DPIAs) for high-risk data processing activities.
  5. Coordinating with relevant departments within the organisation to ensure that data protection requirements are integrated into business processes and systems.

Under GDPR, organisations are required to appoint a DPO if they meet certain criteria, such as being a public authority, engaging in large-scale systematic monitoring of individuals, or processing large amounts of sensitive personal data. Even if not required by law, some organisations may choose to appoint a DPO voluntarily to enhance their data protection practices and demonstrate their commitment to privacy compliance.

What is a data protection impact assessment?

A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that is likely to involve “a high risk” to other people’s personal information.

A DPIA (Data Protection Impact Assessment) is a mandatory requirement under the GDPR aimed at ensuring "protection by design." Organisations should conduct a DPIA when certain conditions are met, such as utilising new technologies, tracking individuals' location or behaviour, monitoring public spaces on a large scale, processing sensitive personal data, making automated decisions with legal consequences, handling children's data, or when data processing could lead to physical harm if leaked.

What is a data breach?

Under the General Data Protection Regulation (GDPR), a data breach is defined as a security incident where personal data is accessed, disclosed, altered, or destroyed without authorisation. This could include incidents such as:

  1. Unauthorised access by an employee or third party.
  2. Loss or theft of physical devices (e.g., laptops, USB drives) containing personal data.
  3. Hacking or cyberattacks targeting systems or databases storing personal data.
  4. Accidental deletion or corruption of data.
  5. Any other incident that compromises the confidentiality, integrity, or availability of personal data.

GDPR requires organisations to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Additionally, in certain cases, organisations may be required to notify affected individuals about the breach without undue delay, particularly if the breach is likely to result in a high risk to their rights and freedoms. Failure to comply with these notification requirements can result in significant fines and penalties.

What are data controllers and data processors?

In the context of GDPR, "controllers" and "processors" refer to different roles that entities involved in data processing can assume. Here's a breakdown:

  1. Controller: A controller is the entity that determines the purposes, conditions, and means of the processing of personal data. Essentially, they are the ones who decide why and how the data is processed. Controllers have specific legal responsibilities under the GDPR, including ensuring that data processing complies with the regulation's requirements and that individuals' rights are respected.
  2. Processor: A processor is the entity that processes personal data on behalf of the controller. They act only on the controller's instructions and may include third-party service providers or subcontractors hired by the controller to process data. Processors have their own obligations under the GDPR, primarily to process data securely and in accordance with the controller's instructions.

The GDPR imposes specific requirements on controllers and processors to protect individuals' personal data. Controllers are ultimately responsible for compliance with the GDPR, but they must also ensure that any processors they engage with adhere to the regulation's requirements.

Ryan Bromley, product owner and content strategist

Ryan is a product owner and content strategist in the team behind Contensis.com. With a background in marketing and copywriting, Ryan also delivers in-person training and webinars for Contensis users on subjects including content modelling, content design and writing for the web.
