GDPR and Website Privacy Notices
The General Data Protection Regulation (GDPR) is a new EU law that comes into effect on 25 May 2018 and will supersede the existing Data Protection Act 1998. The GDPR is a very significant body of legislation: it affects anyone, and any business, that collects personal data. Whether you are a sole trader, a charity or a multi-national, the GDPR will affect you. This article is for sole traders and small businesses who run an e-commerce website. We look at website privacy notices and how they will need to be reviewed and changed to comply with GDPR requirements.
GDPR and DPA
Let's put the GDPR into a bit of perspective. Data protection and laws to regulate how personal data is treated are not new. The Data Protection Act 1998 implemented a whole range of rights and responsibilities. The GDPR is an evolution of the DPA: it enhances the rights of data subjects and places greater responsibilities upon data controllers. It widens the scope of what 'personal data' is and places responsibilities upon data processors. Finally, the penalties for breaches of the GDPR are much higher.
This means that if you are already meeting your responsibilities under the DPA, then you may not have too much work to do to meet the requirements of the GDPR. If, however, you have never really thought about data protection before, then you (and your business) need to act promptly. Don't panic: if you are a small business or sole trader and your use of personal data is limited to processing customer contact details, then the work you need to do to comply with the GDPR should not be onerous. But it does need to be done. The main thing to remember is that the GDPR is an ongoing 'journey'. It is about your business processes and attitude to data protection as well as written things such as privacy statements.
If you collect sensitive personal data or personal data from children, undertake complex analysis of personal data, or share personal data widely with third parties, then you have greater responsibilities that we don't cover here. You should visit the ICO website if you need further information.
What Your Website Privacy Notice Should Include
All websites should have an on-line privacy statement that provides details of what personal data is captured and how it is used. That's not new. The GDPR, however, has added some additional requirements that your existing privacy notice may not cover. Your privacy notice must now include:
- Who you (the data controller) are and how to contact you
- What data you collect, the purposes you use it for, and the 'lawful basis' you rely on for each purpose
- Who you share any of the personal data with
- How long you keep the data for (or, if you cannot give a fixed period, the criteria you use to decide)
- A statement that the data subject has legal rights, has the right to withdraw consent (if consent is used as the lawful basis for processing) and the right to complain to a supervisory authority (in the UK, the ICO)
- The possible consequences for the data subject of not providing personal data that is required (as a statutory or contractual obligation)
- Details of any automated decision making (including profiling).
The above applies to data you capture directly from the data subject. If you obtain personal data from a different source, then the requirements are slightly different: in particular, you must also tell the data subject where the data came from.
Your privacy notice must also be:
- concise, transparent, accessible and easy to understand
- written in plain language
- free of charge.
You must be thorough and specific in the information you provide. For example, it is unlikely to be enough to say "We collect your contact details to deliver your order and other business processes". You need to be 'granular': if one piece of information is used for several purposes, you must state each purpose clearly. Completeness and conciseness are both required, which can be challenging. One way to help with readability is to use headings and a 'table of contents' list of links so that anyone reading your privacy notice can easily navigate to the part that interests them.
We've updated the template Privacy Notice we offer to help small businesses comply with these requirements.
Data and Cookie Audits
Of course, in order to be transparent and complete you need to fully understand what personal data you collect, why you collect it and how you use it. So it is sensible to do a data audit before you update your privacy notice. The GDPR requires data controllers to document details of the personal data they collect, the lawful basis for processing and the data retention periods. Compiling such a record (and keeping it up to date) will help you comply with your obligations and will also help in drafting your updated privacy notice.
Cookie identifiers are 'online identifiers' and so a cookie that can single out a visitor is 'personal data' too, which means you do need to include information about cookies in your privacy notice. Again, a review or audit of your website to find out exactly which cookies are set, by whom and for how long is a valuable exercise. If your website uses third-party plug-ins, e.g. social media sharing buttons, then you might be in for a bit of a surprise when you look at which cookies are actually being created, which domains set them and what they do.
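One way to turn a cookie audit into a written record is to capture the Set-Cookie headers your pages produce (from browser developer tools or an intercepting proxy) and tabulate them. The script below is an added example written for this article, not code from the template or from any tool mentioned on the page. The site name `shop.example`, the host `widgets.social.example` and the three captured headers are constructed sample data. For each cookie it records which host set it, whether that host is outside your own domain (a third-party cookie), and how long the cookie lives, which feeds the retention period you must state in the notice. It also notes the Secure, HttpOnly and SameSite attributes, because a security reviewer will ask about them even though the GDPR notice itself does not require them.

```python
"""Build a cookie inventory from captured Set-Cookie headers (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple


@dataclass
class CookieRecord:
    name: str
    set_by: str                      # host whose response set the cookie
    third_party: bool                # set by a host outside the site's own domain
    lifetime_days: Optional[float]   # None means a session cookie (gone when the browser closes)
    secure: bool
    http_only: bool
    same_site: str


def _belongs_to_site(host: str, site: str) -> bool:
    """True if host is the site itself or one of its subdomains."""
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)


def parse_set_cookie(set_by: str, header: str, site: str, now: datetime) -> CookieRecord:
    """Parse one Set-Cookie header value captured from a response sent by `set_by`."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    lifetime = None
    if "max-age" in attrs:               # Max-Age takes precedence over Expires (RFC 6265 s5.3)
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = (expires - now).total_seconds() / 86400

    return CookieRecord(
        name=name,
        set_by=set_by,
        third_party=not _belongs_to_site(set_by, site),
        lifetime_days=lifetime,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "(not set)"),
    )


def audit_cookies(site: str, captured: List[Tuple[str, str]], now: datetime) -> List[CookieRecord]:
    """Inventory every (responding host, Set-Cookie header) pair captured while loading the site."""
    return [parse_set_cookie(host, header, site, now) for host, header in captured]


def report(records: List[CookieRecord]) -> str:
    """Render the inventory as plain text suitable for pasting into the data audit."""
    lines = []
    for r in records:
        life = "session" if r.lifetime_days is None else f"{r.lifetime_days:.0f} days"
        party = "third-party" if r.third_party else "first-party"
        lines.append(f"{r.name:<10} {party:<12} set by {r.set_by:<24} kept: {life}; "
                     f"Secure={r.secure} HttpOnly={r.http_only} SameSite={r.same_site}")
    return "\n".join(lines)


# Constructed sample: hosts and headers a proxy might record when loading a product
# page on the (hypothetical) shop, which embeds a third-party sharing button.
SITE = "shop.example"
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)   # fixed 'now' so lifetimes are reproducible
CAPTURED = [
    ("shop.example", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "cart=42; Path=/; Max-Age=2592000; Secure"),
    ("widgets.social.example",
     "uid=9f8e7d; Domain=.social.example; Path=/; Expires=Fri, 24 May 2019 00:00:00 GMT"),
]

if __name__ == "__main__":
    print(report(audit_cookies(SITE, CAPTURED, NOW)))
```

Run against real captures, the third-party rows are the ones to check against the plug-ins you knowingly installed, and any persistent cookie whose lifetime is longer than the retention period in your notice needs either a shorter Max-Age or a corrected notice.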
Lawful Basis
No discussion of the GDPR would be complete without discussing 'lawful basis'. Lawful basis simply means the legal reason that allows you to process personal data. It's not a new requirement: under the DPA there was a similar requirement to satisfy one of the 'conditions for processing'. What is new is the greater emphasis on being transparent about data processing and the requirement to include details of the lawful basis (or bases) relied upon as part of your privacy notice.
The six lawful bases for processing are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
For many small e-commerce businesses the lawful bases likely to be the most relevant are: consent, contract and legitimate interests. It's important to note that the requirements for obtaining consent to process personal data are much more stringent under the GDPR. Data subjects must be able to withdraw their consent as easily as they gave it, and you must stop processing the relevant personal data as soon as consent is withdrawn. So 'consent' is not the easy option, and you may find that a different lawful basis is more appropriate. If you are going to use consent, then you need to understand how to obtain and record valid consent; the ICO has published a GDPR Consent Guidance booklet that should help.
The lawful basis of 'legitimate interests' is the most flexible and can cover a wide range of normal business practices. If you use people's data in ways that they could reasonably expect, with little or no impact on their privacy, then legitimate interests may apply. The interest can cover normal commercial interests and it can cover some types of marketing. The caveat is that your interest must not be overridden by the interests or rights of the individual, so you need to weigh the two (and record that you did) before relying on it.
It may be that you rely upon multiple lawful bases, and different ones for different items of personal data and different processing. Whatever bases you choose, decide before you collect the data: you should not swap to a different basis later just because the first one turns out to be inconvenient.