The penalties for non-compliance are reportedly astronomical. However, as GDPR affects everyone, from large multinationals to SMEs, it is unlikely that small businesses and organisations will be the first to feel the effects of enforcement, especially as even at this late stage (April 2018) new guidance is still emerging. So our advice is: don't panic, and don't rush it. It's more important to think it through.
And we'll put our disclaimer right here: we are not lawyers. The purpose of this article is to give guidance but if you are unsure about anything, you must check the ICO website and/or seek legal advice.
Does Applegreen Websites have one?
Yes, it's here. But one thing was made clear to us at a recent WordPress conference: you can't copy it. Every policy must be based on a business or organisation's unique circumstances.
We attended several talks on GDPR at this conference and have distilled the information here, to help our clients and visitors. We are indebted to the speakers Toyin Agunbiade and Heather Burns and to the many writers and bloggers who have helped clarify points of detail.
The rights of individuals
The GDPR builds on an existing EU directive that was passed into UK law as the Data Protection Act 1998. It aims to protect the rights of individuals in the EU wherever their data are stored, provided the processing falls within the jurisdiction of the EU. GDPR will continue to apply after Brexit.
It confers on people the following rights over their data:
- To be informed (companies have to respond within 30 days)
- To have access to what data companies have on them
- To rectify their data
- To erase it and be forgotten
- To restrict the processing of their data
- Portability: they can request that the data they have given to a particular company be returned to them in a form that is directly usable by another company — this usually means a csv or an Excel file
- To opt out of automated decision-making; for example, Netflix suggests programmes to watch based on those you have already seen, and you may not wish this.
The days of automatic opt-ins are over: if you have a box which clients can tick to receive your newsletter when they buy from you, this box must be unticked by default. Ideally you should offer a double opt-in: an email is sent to the client asking them to confirm the subscription, so that a box ticked by mistake does not add them to your list.
The 30-day response time is just that, a response time. You don't have to solve a particular request within 30 days, but you do have to respond to an enquirer within that time and give them a time frame within which you will have addressed their request.
You must have a lawful basis for keeping data
The main form of lawful basis is explicit consent. For example: a client signed up to your newsletter, on a given date. You may be asked to provide evidence of both the sign-up and the date.
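As an added example (not code from the original article, and not part of WordPress), here is one way to implement the double opt-in described above together with the evidence of sign-up and date that this section says you may be asked for. It is written in Python rather than WordPress PHP so that it runs stand-alone. The checkbox is unticked by default, so nothing is stored unless the person actively ticked it; the confirmation link carries an HMAC-signed, time-limited token bound to the email address; and the consent record keeps the time of the sign-up, the time of the confirmation, where the consent came from and which version of the privacy notice the person saw. The secret key, the 48-hour token lifetime and the record fields are assumptions for the example.

```python
import hashlib
import hmac
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, Optional

# Assumed server-side secret for the example only: in a real deployment load it
# from configuration, generate it randomly, and never commit it to source control.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"

# Assumed lifetime of a confirmation link (48 hours).
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class ConsentRecord:
    """What you keep as evidence that consent was given, and when."""
    email: str
    requested_at: int          # Unix time of the form submission
    source: str                # e.g. "checkout-newsletter-box" (assumed label)
    policy_version: str        # which privacy notice the person was shown
    confirmed_at: Optional[int] = None   # set only when the link is clicked


class NewsletterConsent:
    """Double opt-in with signed, expiring, single-use confirmation tokens."""

    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self._secret = secret
        self._now = now                       # injectable clock for testing
        self.pending: Dict[str, ConsentRecord] = {}
        self.confirmed: Dict[str, ConsentRecord] = {}

    def _sign(self, email: str, expires: int) -> str:
        # The token is bound to the address and the expiry time, so a token
        # issued for one person cannot be replayed for another or after expiry.
        msg = f"{email}\n{expires}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, opted_in: bool,
                             source: str, policy_version: str) -> Optional[str]:
        """Called on form submission. Returns the token to put in the
        confirmation email, or None if the (unticked by default) box was
        left unticked, in which case nothing is recorded at all."""
        if not opted_in:
            return None
        now = int(self._now())
        self.pending[email] = ConsentRecord(email, now, source, policy_version)
        expires = now + TOKEN_TTL_SECONDS
        return f"{expires}.{self._sign(email, expires)}"

    def confirm(self, email: str, token: str) -> bool:
        """Called when the confirmation link is clicked. Rejects malformed,
        forged, expired, mismatched and already-used tokens."""
        try:
            expires_str, sig = token.split(".", 1)
            expires = int(expires_str)
        except ValueError:
            return False
        # Constant-time comparison so the check does not leak the MAC.
        if not hmac.compare_digest(sig, self._sign(email, expires)):
            return False
        if int(self._now()) > expires:
            return False
        record = self.pending.pop(email, None)   # pop makes the token single-use
        if record is None:
            return False
        record.confirmed_at = int(self._now())
        self.confirmed[email] = record
        return True

    def evidence(self, email: str) -> Optional[dict]:
        """The record you would produce if asked to show that consent was
        given, and on what date. Unconfirmed sign-ups are not evidence."""
        record = self.confirmed.get(email)
        return asdict(record) if record else None


if __name__ == "__main__":
    consent = NewsletterConsent(SECRET_KEY)
    # Constructed sample submission for the example.
    token = consent.request_subscription("alice@example.com", True,
                                         "checkout-newsletter-box", "2018-04")
    print("email this token in the confirmation link:", token)
    print("confirmed:", consent.confirm("alice@example.com", token))
    print("evidence:", consent.evidence("alice@example.com"))
```

Unconfirmed sign-ups stay in `pending` and never become evidence; in a real system you would also purge them once the token lifetime has passed, since there is no lawful basis for keeping an address whose owner never confirmed.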
An alternative lawful basis, important for many website owners, is contract: this is where someone has bought from you and has given you their details so you can bill them, post to them or email them their purchase for download. Many newsletter lists come from this source, which is legitimate.
Others include legal obligation (eg, keeping invoices for tax purposes), vital interests (private information that can save a life), public task (data essential for performing public duties) and a looser category called legitimate interests. To argue legitimate interests you must identify the interest, show that the data processing is necessary for it, and also show that you have balanced your interests against the interests, rights and freedoms of the person whose details you hold.
For a full list and description of all the lawful bases for holding data, see the website of the Information Commissioner's Office.
You may collect no data at all: you still need to say so. But it's unlikely that you do not keep contact details for your clients somewhere, even if it's on pieces of paper. If so, you need to declare the fact. Your privacy policy needs to cover the following:
- Who you are and how you can be contacted;
- What personal data you collect;
- Categories of data;
- The consent or legal basis on which you collect it;
- Children: 13 is the age at which a child can give consent in the UK; below that, a parent or guardian must give consent;
- Who it is shared with: list them by name and link to their privacy policies. If you use a third-party provider to send an email newsletter (such as MailChimp) or integrate a shop on your website (such as WooCommerce), you need to name them;
- How long you plan to retain it. It's ok to keep it indefinitely, but this has to be stated;
- Where it is stored. Is it on your own computer? Backed up to a cloud somewhere?
- What rights people have over their data;
- How you protect it in the case of international transfers, eg to countries outside the EU, such as the US, that have no equivalent data protection law;
- What steps you take to protect data from breaches, and what you will do in the case of a suspected breach.
Your policy should be written and designed to be read, and not to obfuscate. Consider the following:
- Use plain English, and include plenty of headers and sections to help people navigate and find answers easily;
- Write it in a language that is accessible to children, if your website is for them;
- Write it in a language that is accessible to people with learning difficulties, if your website is for them;
- Consider people for whom English is not their mother tongue;
- It must be readable on mobile devices;
- Give choices and options over the storing of data: remember that it's a contract;
- Date it, and make clear that it is revisited regularly.
In the event of a suspected data breach
A data breach is defined as “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
You need to establish the likelihood and severity of the risk to people's rights and freedoms.
If it's likely that there will be a risk, you must notify the ICO within 72 hours of becoming aware of the breach, and, where the risk to them is high, the individuals affected without undue delay.
If it's unlikely, you don't need to report it, but document the breach and your reasoning, and be willing to justify your decision.
A few special conditions, affecting other parts of your website:
- If your website is used by children under 13, your contact form should include a tick box for parental consent;
- If your website is absolutely not to be used by children, you should require a declaration of age before entry. See a good example at Johnnie Walker.
All WordPress installations are different. Nevertheless there is a GDPR core compliance project going on right now.
In time, there will be a dedicated website with guidelines to help plugin writers, though WordPress makes it clear that no plugin can write your policy for you.
WordPress will also add tools that will allow website admins to create user-friendly privacy notices. This will help generate a privacy page, but it will still be the admin's responsibility to review it.