The GDPR (General Data Protection Regulation) Compliance Deadline is May 25th 2018.
You may have read about this in the news but are not sure about how this affects your site and any associated data that you collect.
A lot of what has been published can be confusing, so we have spent time collating our take on GDPR and what measures need to be taken to ensure that your site or online store is compliant.
Please note, we are not legally trained and suggest that you take further advice as you deem suitable.
JooJoo is not responsible for your compliance, but should you wish us to help your site comply with GDPR requirements, we have set out the following information.
Please check the ICO (Information Commissioner's Office) website at the link below for full details of your requirements: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
Ensure that you read the ICO guide and understand your business responsibilities along with the penalties (fines of €20 million or 4% of annual turnover) and consequences of not being compliant.
GDPR applies to all organisations that store, process or use UK/EU persons' data, both physical and digital, and all organisations need to be able to show evidence that they comply.
Below is our view on the forthcoming GDPR compliance requirements and how it will affect your business.
The key points that we have identified are:
1) LEGAL BASES TO COLLECT DATA
2) PRIVACY NOTICES
3) ESSENTIAL COOKIES
4) RIGHT TO BE FORGOTTEN (Delete Accounts and or Anonymise Data)
5) ACCESS REQUESTS (provide all data held on an individual within 30 days with no cost)
6) DATA BREACHES (Self-reporting to the ICO within 72 hours)
You need to have a legal basis for processing (using/storing) data (including names, addresses and email addresses). There are six bases in total, and four that relate to E-commerce:
1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose:
The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
2. Contract: the use and storage of data is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
You can rely on this lawful basis if you need to process someone’s personal data:
to fulfil your contractual obligations to them; or
because they have asked you to do something before entering into a contract (e.g. provide a quote).
The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply.
You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
3. Legal obligation: the use and storage of data is necessary for you to comply with the law (not including contractual obligations).
You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation.
This does not apply to contractual obligations.
The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply.
You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
You should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation.
4. Vital interests: the use and storage of data is necessary to protect someone’s life.
You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life.
The processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply.
You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
You should consider whether you are likely to rely on this basis, and if so document the circumstances where it will be relevant and ensure you can justify your reasoning.
5. Public task: the use and storage of data is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
You can rely on this lawful basis if you need to process personal data:
‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
to perform a specific task in the public interest that is set out in law.
It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.
The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.
6. Legitimate interests: the use and storage of data is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Legitimate interests are the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
identify a legitimate interest;
show that the processing is necessary to achieve it; and
balance it against the individual’s interests, rights and freedoms.
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
You must balance your interests against the individual's. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
You must include details of your legitimate interests in your privacy notice.
Essentially you must have consent and individuals must 'positively opt in' to have their data used by you.
You must state how their data will be used and give users the option to 'withdraw consent'.
GDPR is all about safeguarding the individual and giving them the following rights when it comes to their data:
So whilst consent looks appealing, customers can revoke it at any time; you need to be very clear and granular, as some data can be managed under the Contract and Legal Obligation bases and some under the Legitimate Interests basis.
You need to provide more detailed information about the data you hold.
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. You must provide individuals with information including: your purposes for processing their personal data; your retention periods for that personal data; and who it will be shared with. We call this ‘privacy information’.
You must provide privacy information to individuals at the time you collect their personal data from them. If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
Cookies will need to become much more clearly opt-in, or at the very least soft opt-in, so that when a user lands on a site for the first time, cookies have to be blocked until the user takes some action that they understand will result in cookies being set (see https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/).
A site that sets cookies for different purposes will also need to obtain consent for each separate purpose; however, this might be a challenge considering that the process should not be too disruptive.
Cookies for which you do not require consent
Cookies for which you require consent
All cookies other than strictly necessary cookies require you to obtain your users’ consent. Examples of cookies requiring consent include:
Cookies used for analytical purposes e.g. to count the number of unique visits to your website.
First and third party advertising cookies.
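As an added example (not JooJoo's code), the per-purpose gate described above as a small browser-side module: the cookie names and their purposes are constructed for illustration, strictly necessary cookies always pass, and every other purpose stays blocked until the stored consent record says the user opted in to it.

```javascript
// Added example: per-purpose cookie consent gate (not JooJoo's own code).
// Purposes follow the categories above: "necessary" cookies need no consent;
// analytics and advertising cookies are blocked until the user opts in.

// Constructed registry of cookie names and their purpose (names are assumed).
const COOKIE_PURPOSES = {
  session_id: "necessary",   // keeps the login / basket working
  csrf_token: "necessary",
  _ga: "analytics",          // counting unique visits
  ad_tracker: "advertising",
};

const CONSENT_PURPOSES = ["analytics", "advertising"];

// First landing on the site: nothing consented, so only necessary cookies run.
function defaultConsent() {
  return Object.fromEntries(CONSENT_PURPOSES.map((p) => [p, false]));
}

// Parse the consent record (kept in its own strictly-necessary cookie).
// Missing or malformed input falls back to "no consent", never to "allow all".
function parseConsent(raw) {
  const consent = defaultConsent();
  if (typeof raw !== "string") return consent;
  for (const part of raw.split(",")) {
    const [purpose, value] = part.split(":");
    if (CONSENT_PURPOSES.includes(purpose)) consent[purpose] = value === "1";
  }
  return consent;
}

function serializeConsent(consent) {
  return CONSENT_PURPOSES.map((p) => `${p}:${consent[p] ? 1 : 0}`).join(",");
}

// Gate every cookie write through this. Unregistered cookies are treated as
// requiring consent, so a new tag nobody classified is blocked by default.
function mayStoreCookie(name, consent) {
  const purpose = COOKIE_PURPOSES[name];
  if (purpose === "necessary") return true;
  return purpose !== undefined && consent[purpose] === true;
}

// Withdrawing consent: turn the purpose off and list the cookies to delete.
function withdrawConsent(consent, purpose) {
  const updated = { ...consent, [purpose]: false };
  const toDelete = Object.keys(COOKIE_PURPOSES).filter((n) => COOKIE_PURPOSES[n] === purpose);
  return { consent: updated, toDelete };
}
```

In a real site the consent record would be read from `document.cookie` and the `toDelete` list used to expire those cookies when the user withdraws consent.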
Delete Accounts and/or Anonymise Data
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services at no cost and within 30 days. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
You must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data.
This enables other organisations to use the data. The information must be provided free of charge. If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations. You must respond without undue delay, and within one month.
We've outlined the following areas that your site requires in order to be compliant.
These are at a high level and should you wish to discuss them further, then please get in touch!
1. Update Terms and Conditions
3. Update Cookie opt-in notice and control which cookies are served
4. Allow users to delete or anonymise data
5. Allow users to access and obtain all personal data held by you about them
6. Ensure that when a user submits their data that the option to Opt-in is clear
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority.
You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
Now for the heavy stuff...
Please note, we are obviously not legally trained. Our offering is based on our understanding of the new legislation, and we suggest that you take further advice as you deem suitable.
We are not responsible for your site being compliant or any fines that you may incur should you have a breach or not be compliant.
As with PCI Compliance, GDPR compliance for your company (inc. the website and any other platforms) is entirely your responsibility, whether we carry out the GDPR updates we have suggested for your site or not.
GDPR is a minefield and we know that over the forthcoming months, things are going to change and evolve.
We can help you to get your site GDPR compliant for May 25th, so talk to us today.