From 25 May 2018, Europe's General Data Protection Regulation, or GDPR, comes into force. Its aim is to improve the privacy of European citizens by requiring businesses that operate within Europe to protect the information they hold about EU citizens. We explain our interpretation of what you need to consider doing about the GDPR and what we are doing.
Understanding the GDPR
Due to rising concerns over the privacy of the EU's citizens online, the GDPR will replace the old Data Protection Collective. This is because the DPC was put in place before the internet became what it is today. The aim of the GDPR is to increase the security of the information about individual people which businesses within the EU hold.
The information which the GDPR is concerned with includes:
- Names, addresses, ID numbers
- Health and genetic information
- Political opinions
- Sexual orientation
- Web information, such as IP addresses, cookie data and RFID tags
- Biometric data
- Ethnic or racial data
You (and your company) are subject to the GDPR if you store or process information about citizens of the EU within EU states, even if you do not have a physical presence within the EU.
Complying with the GDPR
From 25 May 2018, if you use or store the information of anyone from within the European Union, you must comply with the GDPR. If you don't, you face huge fines of up to €20 million or 4% of your worldwide turnover, and you may also be sued. You may also have to pay compensation to any individuals whose privacy has been breached.
You don't need to be living or have your business physically located within the EU to be subject to the GDPR either. For instance, if you live in New Zealand but sell products or services to people in the EU, or monitor the online behaviour of people in the EU, you must comply. Also, if you use tools such as web analytics or cookies to check how many people from Europe visit your website, you must comply. Potentially, this means everyone with a live website that people in Europe can visit!
To comply with the GDPR, when handling any data from people located within the EU, you must understand and implement the following:
- Holding information - keep records of how you have processed that data, and tell the people whose data you have collected about any changes which you make to it.
- Give rights - the people whose data you have collected have the right to access it, know what you're doing with it, have it corrected, and tell you to erase it - basically they can tell you what to do with it and know what you're doing with it.
- Lawful - all the information you collect needs to have a lawful reason as to why you are collecting and storing it, which is written in your privacy statement.
- Consent - people must give you consent freely before you collect this data and must be able to withdraw consent at any time.
- Children's consent - children cannot give consent until they are 16 years old. Consent must be given by a parent or guardian.
- Data breaches - you must have a process ready to report data breaches to the ICO.
- Access - if you are asked for information on data you have, you must give this within one month.
How We Interpret the General Data Protection Regulation
- "Web Widgets Ltd" aka "Website World" is a data processor, not a data controller. This means all legal liability is with you (the website owner) to comply with the law. In most cases, all online service providers have a similar policy. We provide data storage services, but we don't create, manage, or use your data ourselves.
- We will comply with all GDPR requirements: we only collect your data for the purposes of building your website and communicating with you. We will not sell or share your data, except where we are required to by authorised government agencies. We will delete your data if you request it, provided that retention of the data is not necessary to comply with other jurisdictional issues, such as when you don't comply with laws, or when your financial account is in dispute.
- We will not store permanent tracking cookies on our websites, nor on customers' websites, unless a user specifically opts in. Users can opt in on login forms, and when selecting the "remember my customer details" option on a form. This means you immediately comply with those sections of the law if you don't use any third-party plug-in services.
- We will be creating a double opt-in feature for subscriptions before 25 May 2018. A double opt-in feature is when a user must confirm a link in a welcome email before you can send an ordinary newsletter. We will leave the choice to use this up to you, but we advise you to use this approach. It will be the default option to begin with. When enabled, you will only be able to communicate with customers whose email status is "confirmed". You should send a short email to all your customers with the special [CONFIRMLINK] tag included, asking them to confirm that they want to receive further emails from you.
- We will forward any request by an end user, for data access or deletion, to you. We will act on an end user's request if you have not responded to us within a week. When we say that data is deleted, we do not delete data backups immediately. We need backups to be able to restore data on request, or in the case of error. Eventually all backups are deleted after a retention period.
- We are delaying our "scarcity" display logic, e.g. "3 other users are looking at this product right now", until we have had time to confirm our implementation is fully compliant with European law.
- We will be modifying or deleting recently created "user product view tracking reports."
- We do not store any identifiable user data in our URLs. All personal data is transferred via form posts. This means personal information is kept out of analytics logs and third-party plug-ins.
- All websites not in SSL mode should upgrade to an SSL-compatible hosting plan, to ensure the privacy of your customers' data during transmission from their computer to your website.
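The double opt-in flow described above, as an added illustration that is not Website World's own code: a subscriber stays "pending" until the random token from the welcome email is presented, tokens expire, only "confirmed" addresses are eligible for newsletters, and withdrawing consent is a one-call operation. The class name, the 48-hour token lifetime and the sample addresses are assumptions for the example.

```python
import hmac
import secrets
import time


class SubscriptionList:
    """Hypothetical double opt-in subscriber store (not the provider's code).

    Status transitions: pending -> confirmed -> withdrawn.
    The confirmation timestamp is kept as the record of consent.
    """

    def __init__(self, token_ttl=48 * 3600):
        self.token_ttl = token_ttl  # assumed 48h window for the welcome link
        self.subscribers = {}       # email -> record dict

    def subscribe(self, email, now=None):
        """Register an address as pending and return the token for [CONFIRMLINK]."""
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, one per subscription
        self.subscribers[email.lower()] = {
            "status": "pending", "token": token, "issued": now, "confirmed_at": None,
        }
        return token

    def confirm(self, email, token, now=None):
        """Promote to confirmed only for a live, matching, unexpired token."""
        now = int(time.time()) if now is None else now
        rec = self.subscribers.get(email.lower())
        if rec is None or rec["status"] != "pending":
            return False  # unknown address, already confirmed, or withdrawn
        if now - rec["issued"] > self.token_ttl:
            return False  # stale link; subscriber must start again
        # constant-time comparison so a wrong token leaks nothing via timing
        if not hmac.compare_digest(rec["token"].encode(), token.encode()):
            return False
        rec.update(status="confirmed", confirmed_at=now, token=None)  # token is single-use
        return True

    def unsubscribe(self, email):
        """Honour a withdrawal of consent; returns False if the address is unknown."""
        rec = self.subscribers.get(email.lower())
        if rec is None:
            return False
        rec.update(status="withdrawn", token=None)
        return True

    def newsletter_recipients(self):
        """Only confirmed addresses may receive an ordinary newsletter."""
        return sorted(e for e, r in self.subscribers.items() if r["status"] == "confirmed")
```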
How to Add Privacy Statements to Forms
- Custom Enquiry Form - you can apply a custom enquiry form to an existing page. Detailed instructions on how to do this can be found on our Help CMS website.
Disclaimer: We are not able to provide legal advice. This blog is to give some direction to help you comply with the various international laws. Any error or omission in this blog will not place liability with us. If you are confused by any part of this blog, please engage a lawyer for such questions. If you feel that any of our services remain in breach, please let us know. We will continue to update our system to comply with all known laws as best we are able, and communicate key changes to you.