What is GDPR? (General Data Protection Regulation)

As you have no doubt seen recently in the media, new rules on data handling come into effect on 25th May 2018 under the General Data Protection Regulation (GDPR). The GDPR builds on and replaces the current Data Protection Act 1998, and it is important that business owners are aware of its content.

The EU General Data Protection Regulation (GDPR) has attracted media and business interest because of the increased administrative fines for non-compliance. Not all infringements of the GDPR will lead to those serious fines.

Besides the power to impose fines, the Information Commissioner’s Office (ICO) has a range of corrective powers and sanctions to enforce the GDPR. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries.

---------------------------------------------------------------------------------------------------------

FOR GUIDANCE PURPOSES ONLY

The purpose of this article is to summarise some of the points that will affect business owners in regards to their website and mailing lists. It is NOT INTENDED TO BE ADVICE on what your company should do. It is your responsibility to read up on the GDPR so you are able to fully implement its requirements. Please see the section below for further information.

There are 4 main points in respect of your website:

---------------------------------------------------------------------------------------------------------

SSL Certification (HTTPS)

Websites are expected to be served over HTTPS using a TLS certificate (still commonly called an "SSL certificate"). The GDPR does not name SSL or HTTPS, but it does require appropriate technical measures to protect personal data, and a contact form submitted over plain HTTP sends names and email addresses across the internet unencrypted. To check you have this, take a look at your website in a browser: the address bar should show your website address with the "https" prefix, EG: https://www.hyperlinx.co.uk, and a padlock icon as below. Also check that typing the plain "http://" address redirects you to the "https://" version, otherwise visitors can still reach the unencrypted copy of the site.

If you don't see this icon when viewing your website, you will need to ask your hosting provider to install a security certificate for your website. Otherwise browsers may display warnings to your visitors that the website is not secure, like this below (Chrome, for example, already marks plain HTTP pages containing form fields as "Not secure" and from July 2018 marks all plain HTTP pages that way):

Hyperlinx are currently adding this facility FREE OF CHARGE to sites for clients that are hosted with ourselves.

If you are not hosted with Hyperlinx, you will need to contact your hosting company and request that your hosting is upgraded to HTTPS with a valid certificate.

---------------------------------------------------------------------------------------------------------

Enquiry Forms

Enquiry or Contact Forms need to give the user a positive "opt in", which means explicit consent has to be obtained before data collection can take place, in other words before the user submits the form. In most cases the data is just a name and an email address. Users must be made aware that the form is collecting personal data with the intent to store that data. A tick box can be used which must be manually ticked to express consent; it must not be ticked by default, because a pre-ticked box does not count as consent under the GDPR.

Hyperlinx will need to charge a small fee for adding this to enquiry forms if requested.

A "Captcha" is also preferred to be integrated into any enquiry forms to ensure the form is completed and sent by a human being rather than an automated process. Note that a Captcha is an anti-spam measure, not a GDPR requirement in itself, and that it does not replace the consent tick box: the Captcha proves a human sent the form, the tick box proves that human agreed to you holding their data.

Here is a "Captcha" which I'm sure you are familiar with seeing.

The box needs to be manually ticked to prove it is an authentic enquiry.

Again, Hyperlinx will need to charge a small fee for adding this to enquiry forms if requested.

Pages with enquiry forms that are served over plain HTTP (no padlock) will show the site insecure warning in the address bar for that page, because the browser can see that the form fields would be submitted unencrypted. This warning comes from the browser and is unrelated to whether a Captcha or consent box is present; the browser cannot see those. See below.

---------------------------------------------------------------------------------------------------------

Privacy Policy

A privacy notice is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible by individuals.

The privacy policy is one of the most essential legal requirements for websites.

Even if you just have a small business or a blog with no income at all, you might be surprised to discover that you still need a privacy policy.

Basically, if your website collects personal data, you need a privacy policy that informs your users about this according to privacy laws in most jurisdictions, including the EU and the US.

Hyperlinx will need to charge a small fee for adding this to websites if requested.

---------------------------------------------------------------------------------------------------------

Cookie Policy

Almost all modern websites function with the use of cookies, so chances are high that your website is collecting personal data, for example for statistical, functional or marketing purposes. Under the GDPR an identifier stored in a cookie can itself be personal data. A cookie policy should say which cookies the site sets, what each is for, how long it lasts, and whether it comes from a third party (analytics or advertising scripts, for example). Non-essential cookies also need the visitor's consent under the separate Privacy and Electronic Communications Regulations (PECR), which the ICO also enforces.

Hyperlinx will need to charge a small fee for adding this to websites if requested.

---------------------------------------------------------------------------------------------------------

The official overview of the GDPR regulations can be seen here (PDF – Information Commission Office – ICO).

Mailchimp has also produced an easy to understand summary which you can read here.

Some key points for anyone who has a form on their website (quoted from the ICO overview):

Consent (Page 10):

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.

Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

The ICO does not define "repaper", but in this context it means going back to people and obtaining their consent again on new wording. So if the personal data you originally collected required a specific consent, i.e. a tick-box that someone had to actively tick to agree to you sending them information, and you kept a record of that consent, then they would not need to be asked to consent again. If the consent was bundled into terms and conditions, relied on a pre-ticked box, or was never recorded, it does not meet the GDPR standard and must be refreshed.

Individual rights – Page 13

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.


The right to be informed – Page 14

The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.

Privacy Notice

If your website collects personal information such as on a contact enquiry form or online shop, it should have a Privacy Policy. The points that need to be included in the privacy policy according to the Information Commissioners Office (ICO) are:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?


Actions To Take

Based on our interpretation of the information some actions to take in regards to a website would be:

  • Add a tick-box to forms, unticked by default, to explicitly approve the collection of the person's information, and a separate tick-box asking them to agree to further contact
  • Modify the Privacy Policy to ensure it covers the points above
  • Contact your current mailing list and ask them to opt in to the list, unless the list already contains only contacts who actively opted in and you hold a record of that consent. Be careful here: an email asking people to confirm they want to hear from you is itself a marketing email, and the ICO has fined companies for sending such "re-consent" messages to people who had never opted in or had previously opted out.

If you use an online mailing system such as Mailchimp, ConstantContact or iContact they are likely to already have informed you of changes to make on your forms.