GDPR and websites: two years on
It’s now been nearly two years since the GDPR came into effect. So what has changed?
This time back in 2018, we had been preparing for the GDPR for months, but it still felt like a bit of a scramble. As the date approached we were making sure our clients understood and were complying with the regulation. Furthermore, it still felt like we were doing what we could to understand aspects of it and translate this to our work online. For example, we had numerous conversations with representatives of the ICO through their small business helpline to try to get clarity on cookie banners. It didn’t help that, at the time, the ICO was using a banner that didn’t meet the requirements of the GDPR.
Since May 2018, we have continued to support our clients in understanding the GDPR. Common questions arise but we still get new ones that need a bit more digging into as they can fall into a grey area. To be clear, we aren’t lawyers and have no legal training, but each member of our team undertakes GDPR training so we can apply this knowledge to our work. Furthermore, we can only provide advice on what to do. It is up to our clients to either implement this or ask us to do the work. We do always recommend speaking to a lawyer if you’re uncertain!
We thought it might be helpful to set out some of the more frequent questions we get asked below. And as mentioned in this post several times, if you ever aren’t sure about something, contact the ICO. They are there to help and would rather you ask questions to ensure you are complying than don’t get in touch because you are nervous about getting into trouble. Furthermore, it is better to speak to them directly rather than an independent ‘consultant’. We’ve come across many who will make you pay for their interpretation.
A cookie banner is required if you have cookies on your website. Just because someone else doesn’t have one, whether it is a competitor or a national organisation, doesn’t mean you shouldn’t. The rule applies to everyone and it is up to them whether they would prefer to risk a fine. Furthermore, you might find a few examples of people who don’t but there are others who do. Don’t simply pick the answer you want to be right.
Again, yes, your cookie banner does have to ask for consent for cookies to be used. We’re still surprised by the number of websites we go on that have a banner saying ‘because you use this website, you agree to all cookies’. You have to ask for explicit consent i.e. a person has to be able to say yes or that they accept them.
You have to give users of your website a way to change their preferences on cookies at any point. Just because they clicked accept once, doesn’t mean that locks them in to this decision for all future visits. There are a couple of ways you can do this. You could have the cookie banner appear when they visit your website for the first time and when they click ‘yes’ or ‘accept’, it turns into a little icon visible on the screen. This is what we do. However, you could also have it so that if they want to make changes, they need to visit the cookie policy to do so. This makes it slightly harder for them to change their preferences. Realistically not many people will change their preferences. You need to find the balance between prioritising the design and look of your website against their rights.
Yes you can use Google Analytics and if you put the tracking for GA in your cookie banner and a person clicks accept, this is completely acceptable. If you want to start tracking regardless of whether a person clicks accept on the cookies, then you need to make some changes as the standard set up for Google Analytics does involve collecting IP addresses, which are classed as personal information under the GDPR. This means it is information that you need consent to collect. In order to still track users but in a way that is compliant, IP addresses need to be anonymised. This shouldn’t affect the accuracy of the data you collect.
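The two patterns described in the preceding paragraphs, a banner whose choice can be revisited later and Google Analytics loaded only after acceptance (or, without a consent click, only with IP anonymisation switched on), as an added example that is not code from the original post or from the agency. Everything here is my own assumption for illustration: `storage` is anything with `getItem`/`setItem` (`window.localStorage` in a browser; a Map-backed stub is included so it runs in Node), `ga` is the analytics.js command queue function, and the tracking ID is a placeholder. `anonymizeIp` is the real analytics.js field name.

```javascript
// Added example, not code from the original post: a small consent manager that
// loads Google Analytics (analytics.js) only after the banner is accepted, lets
// the visitor withdraw later, and shows the no-consent alternative the post
// describes (tracking everyone, but with IP anonymisation switched on).
// Assumptions, all mine: `storage` is anything with getItem/setItem
// (window.localStorage in a browser; a Map-backed stub below so this runs in
// Node), `ga` is the analytics.js command queue function, and the tracking ID
// is a placeholder.

const CONSENT_KEY = 'cookie-consent'; // assumed storage key
const CONSENT_VERSION = 1;            // bump when the cookie policy changes so consent is asked again

// Issue the analytics.js commands. `anonymizeIp` is the real analytics.js
// field that tells Google to truncate the visitor's IP before it is stored.
function configureAnalytics(ga, trackingId, { anonymizeIp }) {
  ga('create', trackingId, 'auto');
  if (anonymizeIp) ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
}

// The post's second option: no consent click, so IP anonymisation is mandatory.
function startAnonymisedTracking(ga, trackingId) {
  configureAnalytics(ga, trackingId, { anonymizeIp: true });
}

// Minimal stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
  };
}

function createConsentManager({ storage, ga, trackingId, anonymizeIp = true }) {
  let analyticsLoaded = false; // a loaded script cannot be unloaded without a page reload

  function readChoice() {
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    try {
      const choice = JSON.parse(raw);
      // A choice made under an older policy version does not count: ask again.
      return choice && choice.version === CONSENT_VERSION ? choice : null;
    } catch {
      return null; // unreadable value: treat as no decision
    }
  }

  function writeChoice(analytics) {
    const choice = { version: CONSENT_VERSION, analytics, decidedAt: new Date().toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(choice));
  }

  function loadAnalyticsOnce() {
    if (analyticsLoaded) return;
    configureAnalytics(ga, trackingId, { anonymizeIp });
    analyticsLoaded = true;
  }

  // Call on every page load. Returns whether the banner must be shown; a stored
  // acceptance is applied here so the banner can shrink to the little icon.
  function start() {
    const choice = readChoice();
    if (choice !== null && choice.analytics === true) loadAnalyticsOnce();
    return { showBanner: choice === null };
  }

  function accept() { writeChoice(true); loadAnalyticsOnce(); }
  function reject() { writeChoice(false); }
  // Wired to the icon or the cookie policy page; takes effect from the next page load.
  function withdraw() { writeChoice(false); }

  function current() {
    const choice = readChoice();
    return { decided: choice !== null, analytics: choice !== null && choice.analytics === true };
  }

  return { start, accept, reject, withdraw, current, isLoaded: () => analyticsLoaded };
}
```

The version field is the detail worth copying: when the cookie policy changes, bumping `CONSENT_VERSION` invalidates every stored choice so the banner asks again, rather than treating an old "accept" as consent to something new. Withdrawal only takes effect on the next page load, because a script that has already run cannot be pulled back out of the page.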
After you have collected data, you need to keep it secure (keep reading to see how to do this). You should also only keep it for as long as is appropriate or you have been given consent for. You don’t have the right to hold onto this data indefinitely. This means you need to consider anonymising databases if say it has been two years since you had any meaningful interaction for a client or customer and there is no consent to retain it. Furthermore, this needs to be genuine anonymisation. There have been cases in the press that have shown attempts at anonymisation still meant data could lead to the identification of individuals. All personal information needs to be removed.
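A retention sweep of the kind the paragraph above describes, as an added example that is not code from the original post or from the agency. The record shape, field names, constructed sample records and the two-year window are my own assumptions. It also shows the pitfall the paragraph warns about: stripping the obvious identifier columns is not enough if a free-text field still carries an email address, so the output is checked before it is accepted.

```javascript
// Added example, not from the original post: anonymise customer records that
// have had no interaction for a retention period and carry no consent to be
// retained. Record shape, field names and the window are my assumptions.

const RETENTION_DAYS = 2 * 365;
const DIRECT_IDENTIFIERS = ['name', 'email', 'phone', 'ip', 'address', 'postcode'];
const EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/;
const MS_PER_DAY = 86400000;

// Stale means: no consent to retain, and the last meaningful interaction is
// older than the retention window measured from `now`.
function isStale(record, now, retentionDays = RETENTION_DAYS) {
  if (record.retentionConsent === true) return false;
  const last = new Date(record.lastInteraction).getTime();
  return (now.getTime() - last) / MS_PER_DAY > retentionDays;
}

// True if a record still holds anything that could identify a person: a known
// identifier column, or a free-text value with an embedded email address.
function containsPersonalData(record) {
  return Object.entries(record).some(([key, value]) =>
    DIRECT_IDENTIFIERS.includes(key) || (typeof value === 'string' && EMAIL_RE.test(value)));
}

// Keep only the non-identifying fields (useful for aggregate reporting). The
// customer id is dropped too: keeping it would let the row be linked back to
// other systems, which is pseudonymisation, not anonymisation.
function anonymise(record, now) {
  const out = { anonymisedAt: now.toISOString().slice(0, 10) };
  for (const [key, value] of Object.entries(record)) {
    if (key === 'id' || DIRECT_IDENTIFIERS.includes(key)) continue;
    if (typeof value === 'string' && EMAIL_RE.test(value)) continue; // e.g. notes field
    out[key] = value;
  }
  if (containsPersonalData(out)) throw new Error('anonymisation left personal data behind');
  return out;
}

// Split a dataset into records to keep as-is and anonymised versions of the stale ones.
function sweep(records, now = new Date()) {
  const kept = [];
  const anonymised = [];
  for (const record of records) {
    if (isStale(record, now)) anonymised.push(anonymise(record, now));
    else kept.push(record);
  }
  return { kept, anonymised };
}

// Constructed sample data, not real customers.
const SAMPLE_RECORDS = [
  { id: 101, name: 'A. Example', email: 'a@example.com', postcode: 'AB1 2CD',
    lastInteraction: '2017-11-03', retentionConsent: false, ordersTotal: 3,
    notes: 'Asked for invoice to be sent to a@example.com' },
  { id: 102, name: 'B. Example', email: 'b@example.com', postcode: 'EF3 4GH',
    lastInteraction: '2019-12-01', retentionConsent: false, ordersTotal: 1, notes: '' },
  { id: 103, name: 'C. Example', email: 'c@example.com', postcode: 'IJ5 6KL',
    lastInteraction: '2016-01-10', retentionConsent: true, ordersTotal: 7,
    notes: 'Newsletter subscriber' },
];

// Stand-alone run: record 101 is anonymised, 102 is recent, 103 has consent.
console.log(JSON.stringify(sweep(SAMPLE_RECORDS, new Date('2020-05-01T00:00:00Z')), null, 2));
```

The check in `anonymise` is the part that matters: a sweep that only drops known columns will happily leave an address inside a notes field, which is exactly the kind of failed anonymisation the paragraph refers to. In a real system the identifier list and the free-text scan would both need to match whatever the database actually stores.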
To answer this question, it is important to understand why WordPress websites need updating. WordPress is an open-source platform, and that means it is more open to vulnerabilities. Sadly, there will always be people who try to exploit these. WordPress is regularly updated to provide security patches and new features so updating your WordPress website to the latest version will help to keep your website secure. If you don’t do this, then a hack attempt on your website may be more likely to be successful than if it was carried out on a website that is regularly updated. That means the data on your website may be compromised and this could be data which is classed as personal information. See where we are going with this?
You have a responsibility as a website owner and data controller to keep all data you process secure. If you don’t have regular updates and then you are hacked and data is breached, you will need to report this to the ICO. That means you could receive a fine. So going back to the question… yes, you do need to update your WordPress website.
A WordPress website should be updated at least every quarter. Furthermore, eCommerce or websites containing customer data should really be updated every two months in order to keep this data secure. In addition to this, websites that have a large number of extensions and plugins should also be updated every month. We try to avoid using plugins but often clients want or need these because they provide features that would be expensive or time-consuming to build from scratch. We have seen a number of companies hacked where the cause was nearly always an out of date plugin that was exploited and allowed a hacker entry to the whole website. Take a look at our guide to stop your website from being hacked.
An update does not take long and does not cost much. But a hack will probably cost at least £500 to fix, and there is the loss of customer confidence and potential fine to consider too.
It depends on what your organisation is and does as to whether you need a Data Protection Officer (DPO). If you are a local authority, regularly and systematically track data or process ‘special categories’ of personal data then you will need a DPO. We appointed one (that’s me!), not because we have to have one, but because we thought it made sense to and would be helpful to have one person take on this responsibility. Furthermore, for transparency it helps clients to understand the importance we place on this and so there is a single named contact.
If you’re not sure whether you need a DPO, follow this very quick survey on the ICO’s website. There is one question that may make you pause before choosing an answer and that is whether your “organisation’s core activities require regular and systematic monitoring of individuals on a large scale”. If in doubt, don’t listen to us or anyone else giving you advice, but ask the ICO directly. We have read a number of articles written by organisations that say any body processing data has to have one, but the ICO doesn’t say this. Always ensure you are referring back to the ICO. This is because they are the ones implementing and enforcing the GDPR and will be the ones to tell you off if you are doing anything wrong!
The ICO has a data protection public register. If you process and store data, you need to be signed up to this as you are classed as a ‘data controller’. There is a small fee to do so, and the cost depends on the size of your organisation. It takes a few minutes to sign up, you can pay by direct debit and that is it. Helpful as always, the ICO has a mini assessment you can go through to find out if you should be on the register. If you don’t sign up and pay a fee, then you may be subject to a fine. Given the lowest the fee might be is £40 and a fine for not paying that is £400, why wouldn’t you sign up?
It shouldn’t really matter what you call the page or document where you outline how you handle data and privacy; what is more important is that you have one and it is clearly where a user can find out about privacy and data. You could, and many people do, make arguments for each, which is probably why you are asking this question as you will have seen different companies call it different things. For example, you could say that a privacy policy is more how your company handles privacy and data, or that it is the policy for how data is handled on the website. You could also argue that a privacy statement is a one-off piece of text about privacy or is a statement about how you handle data on the website.
Going back to the ICO, which is what we always recommend, they call their own one a ‘Privacy notice’ but in their FAQs for SMEs, there is a question “what information do we need in our privacy policy” and the answer doesn’t say ‘don’t call it a privacy policy’. Indeed, in their answer, they seem to use ‘notice’ and ‘policy’ interchangeably.
Really, if you call a page on your website ‘privacy policy’ or ‘privacy statement’ then it is achieving the same goal of explaining to users that this is how you process data and look after their privacy. It is more important to focus on what it contains and this should be the same whatever you call it.
Here is a quick list of some of the key information that a privacy statement/notice/policy should contain. For more information and detail, head to the ICO. Additionally, if you handle a lot of personal data and this contains special categories of data, it is best to have a lawyer help you out with this.
Ideally all data processed on your website should be kept within the European Economic Area or EEA. As hosting is where files for your website are kept, this counts as processing. If you do have your website hosted somewhere that is not in the EEA then you may need to follow additional requirements. Really there should be no need for this because there are so many options for hosting within the EEA and also within the UK.
We are currently in a transition period, which should last until the end of December 2020. During this time, it is business as usual. Just because we are leaving the European Union, it doesn’t mean that the GDPR no longer applies. After that… who knows! The ICO has said it isn’t sure what the data protection landscape will look like but it is likely that it will be similar to how it is now. Keep watching out for updates and we will provide more detail closer to the time too.