How to make your website GDPR compliant

GDPR was the topic on everybody’s to-do list in the lead up to the enforcement date of the 25th May 2018. All businesses needed to review how they collect, store, use and delete personal data.

Whilst it hasn’t impacted the community perhaps as much as the scaremongers would have foretold, it is still very much worth making sure your website is compliant. If nothing else, it’s good to care about your customer’s data.

Your website is affected by GDPR as it:

• Collects personal data from individuals (e.g. contact forms)
• Tracks individuals (e.g. cookies)
• Sends personal data to data processors (e.g. your email marketing list)

GDPR does not mean you need to stop using your website to grow your business. The law is not trying to prevent growth or even marketing.

It is aiming to bring our data protection laws up to date with current technology and practices. Ultimately, we should embrace the new legislation and take the opportunity to be open with our customers and prospects.

As a digital marketer, website designer, and having worked with software businesses that have had to adapt early, I am often asked about GDPR for websites. As this question has been asked so frequently, I have put together this guide.

Please note that I am not providing legal advice. However, this practical guidance can be used to help you do exactly what the Information Commissioners Office is asking: demonstrate compliance.

Before the first legal cases appear in court, nobody can be completely sure of what bullet-proof compliance looks like. But we can take reasonable steps to show that we have tried.

The most obvious way to achieve compliance would be to get legal advice.

This blog is divided into chapters:

1. Requirements of a website privacy notice
2. How we wrote our privacy notice
3. Cookies and the GDPR
4. Bonus tips for compliance in commonly used software

The Privacy Notice

Within the UK, our enforcing body for the GDPR is the Information Commissioner’s Office. Their website provides extensive guidance on the requirements of a privacy notice, and the extra requirements under the GDPR.

A privacy notice can be supplied in writing, through signage, orally or electronically. This makes the point that a privacy notice is not just one web page.

It is recommended to have a privacy notice on your website to contain the full details, but you must also display relevant privacy information at the data collection point.

A good example would be a clear notice on your contact form briefly describing what you will do with the data a user is about to enter.

Extra requirements for privacy notices are placed on businesses by the GDPR. The most important of which is the necessary clarity for the website visitor to be able to understand it.

Back in 2010 this article claimed that Facebook’s privacy policy was longer than the US Constitution. No person, realistically, is ever going to read a document that complex. Therefore, the user is not going to understand what they are agreeing to by using the application.

It is exactly this form of legalese writing and attempts to hide how an individual’s data is used that the GDPR has been designed to tackle.

Your privacy notice should be concise, transparent, intelligible and easily accessible. And it should not be a copy-and-paste job. It needs to be relevant to how your business uses personal data.

UX of Privacy Notices

The ICO do make recommendations on the user experience to assist users in understanding your privacy notice.

Layers are a brilliant way to lay out a lot of information in a skimmable and mobile-friendly design, as shown in their example:

This allows you to provide headline titles, with the option to click for more information. Finally, they also include a link to the full privacy notice for more information.

Just-in-time notices are also recommended, providing the website visitor with information about why that specific data is being collected and how it will be used.

What should you include in your Privacy Notice?

Now we have identified that a privacy notice should be:

• Easy to understand
• No longer than is necessary
• Widely accessible
• Delivered, in part, at the point of data collection

We can move on to identifying what should be included. Unfortunately, in our opinion it is not possible to download a simple template due to the specific and concise nature of a Privacy Notice. However, Article 13 of the GDPR does specify exactly what you must include.

I have interpreted the requirement in a less technical/easier to understand language as follows:

You can refer to the original specification in Article 13 on pages 40 and 41 of the GDPR here.

It is also suggested that you date, or version, your privacy notice and keep a copy of each version.

The GDPR does suggest you inform data subjects of changes to your processes, however it appears from the widespread practices of larger firms to date that the general consensus is to date a policy and expect website visitors to be able to find it.

As previously mentioned this is not legal advice, but a logical collection of what is being interpreted to date. Only a court judgement could define the accuracy of this suggestion.

Step 1 – The identity and contact details of the controller, and how to complain

This is pretty self-explanatory. Put the details of the data controller under a clear heading in your privacy notice.

We chose to also include the required information about the way for an individual to complain to the ICO should they be unhappy in this section.

Step 2 – What you process, under what basis and how long for

To tackle this point, you need to determine exactly what data you process, where it comes from and which legal basis you will use to process it. It’s the meatier part of GDPR, but it must be completed.

There are six lawful basis for processing data under the GDPR. You need to take a moment to understand them and the implications that come with using them. The available basis are [text has been copied directly from the ICO’s website for clarity]:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

We found the easiest way to complete this section is to use the example spreadsheet from the ICO themselves. Scroll down to the ‘Is there a template we can use?’ section and download the ‘Documentation template for controllers’.

Once you have worked through the template you will have a complete document containing:

• the data you process
• why
• what category
• who it is shared with
• the legal basis
• how long you store the data for

It will take a while, but it’s the only way to secure your business for GDPR and to be able to create a privacy notice that is compliant.

If you decide on legitimate interest as the lawful basis to process any data, you must complete a legitimate interest assessment (LIA). You can find an LIA template document on the ICO’s website.

Remember to review your website thoroughly, ensuring you capture all services that may gather IP addresses or use cookies. We’ve provided a thorough guide to creating your cookie policy later in this blog post.

Now you can create the relevant headings in your privacy notice.

Step 3: Individual’s rights

You must describe the rights that individual’s have under the GDPR. This includes their right to withdraw consent. We chose to create a section that listed out these rights, and where applicable, how to enforce them.

Step 4: Sense check

If you are writing your privacy notice yourself, I found it helpful to work through the points above and then refer to other companies that have done privacy notices well. It can help you to make sense of the technical language used in the GDPR specification.

I think there is some irony there – in the need to reduce legalese language, we first need to interpret legalese language ourselves!

Some privacy notices that we are a fan of:

• Microsoft, who have made use of the Layers concept. Try the ‘Learn More’ options to see additional information on each section.
• Simply Business has a clean UX with all headers visible when you hit the page, and a simple drop down for further information. They’ve clearly hit the key areas defined by the GDPR.
• M&S have an in-depth policy with clear headers. Their description of their legitimate interests and legal basis is particularly useful.
• Obsequio Software have all the right sections but have really managed to keep it concise.
• The Guardian have a strong section on policy updates, and a great example of how to use video as part of your privacy policy.
• Slack have a larger (read longer) policy, which is not necessarily a good thing. However, they do keep an archive of old policies and have taken a strong approach at tackling the multiple international regulations at play.

Essentially this means that if a cookie can be used to uniquely identify an individual, then it is processing personal data and GDPR applies.

Cookies, PECR and the ePrivacy Regulation

PECR has been adopted as UK law from the EU ePrivacy Directive. An EU Directive is used locally by individual countries to create their own laws. An EU Regulation applies, as is, across EU member states and citizens.

The ePrivacy Regulation is currently being drafted which will replace the ePrivacy Directive, and therefore PECR.

As this law is still in draft form, we cannot take action to comply with it. On the day the GDPR hits, you need to comply with GDPR for data processing and PECR for electronic marketing.

If you have a cookie notice on your site, and you specify the essential (required for the website to operate) and non-essential (such as retargeting cookies like the Facebook Pixel) cookies, you are meeting PECR regulations at least.

There is a lot of conflicting information across the internet, with some suggesting you must gain explicit consent under GDPR before placing a single non-essential cookie on a website visitor. Whilst others suggest that the upcoming ePrivacy Regulation will force internet browsers to allow users to manage their cookie preferences themselves, removing the need for the cookie pop-up that shows on websites today.

New ICO cookie guidance in July 2019

In July 2019 the ICO released new guidance on cookies. This new guidance nulled and voided our old content taking a ‘best guess’ stab at meeting the current regulations.

Due to the change in guidance we’ve removed the content from here, and we’ve written a new guide to help website owners comply with the new ICO cookie guidance.

We’ve also included a review of five WordPress cookie plugins and a guide to writing a cookie policy and carrying out a cookie audit.

Have Microsoft email?

An obvious one, but easy to set up. If you use Microsoft as your email provider, make sure you set up an alert to help you delete data past it’s retention point. Navigate to Data Privacy > GDPR Dashboard and then ‘Create a label’ to set up an alert that will either:

• Delete all data after a certain amount of time, or
• Alert you when data passes a certain age so you can decide whether it should be deleted

Use Google Analytics?

If you’ve used Google Analytics for a long time, you may still be running their ‘classic’ version. This was replaced by Universal Analytics a few years ago.

Universal analytics anonymises IP addresses, meaning the IP addresses collected are no longer counted as personal information. If you aren’t sure, it is worth checking and upgrading before the 25th May. Here’s a great article that goes in to more detail by Ryte.

If you are using Google Tag Manager to implement Analytics on your site, it’s slightly more complex. You need to set the ‘anonymizeIp’ variable to ‘true’ yourself.

Why SSL matters

Very simply, an SSL certificate enables data to be transferred securely from the point of data entry (e.g. a form on a website) to wherever it is going (i.e. to be saved on your website hosting server). If you don’t have an SSL certificate, which gives a website the ‘S’ in HTTPS, then you have no secure method of transferring this data.

There is no specific mention of SSL/TLS in the GDPR. However, article 32 does state:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

• the pseudonymisation and encryption of personal data;

• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

SSL/TLS certificates have been around for a long time, are relatively simple to implement and are used widely. Considering these points, I personally would not run a website without an SSL certificate once GDPR comes in to force unless the site did not have any data collection points.

You can get SSL certificates free now from Let’s Encrypt through good hosting providers, and they are relatively painless to implement for a small website.

Add on the upcoming ‘not secure’ security warnings from browsers, and the potential SEO benefit, with GDPR best practice – in our opinion any serious business website should be using HTTPS.