Collecting data from your website - GDPR series

8th January 2018 in GDPR

It’s 2018, meaning the countdown to GDPR enforcement is well underway - and we all need to make sure our websites are in order before 25 May.

The way you collect data through your website isn’t the only thing you’ll need to think about ahead of the May deadline, but if you haven't already, it’s a good place to start.

Before we begin, if you’re thinking “What’s all this about?”, read our summary of GDPR and why you need to take action first. Otherwise, here are some of the things you might need to take a look at:

Data captures

Wherever you capture personal data on your website, be sure to include the following:

  • Privacy notices. Summarise why you’re collecting the data, and how it will be used. Check out our previous blog post for more information on how to write a privacy notice.

  • Active opt-ins. If you want to use personal data for any processing that requires consent (such as direct marketing), you need to make sure your website users are actively opting in. This means no more pre-filled ticked boxes or withholding services if users don’t agree to marketing.

  • Granulated opt-ins. Make sure your opt-ins are granulated. For example, if you use different forms of direct marketing, have different tick boxes for email, SMS, post etc. so users can choose which ones they agree to.

  • Clear consent requests. While we’re on the topic of consent, be sure to keep requests for data processing consent separate from other T&Cs. A separate opt-in needs to be provided for each.

But GDPR doesn’t just apply to new data you collect - it will apply to any existing / historic data you control too. You will need to carry out an audit of all the data you have to make sure you are using it compliantly.

Take your email marketing subscribers, for example. If you can’t demonstrate that you have consent to send marketing emails to someone, they will need to be removed from your database. It would also be best practice to remove any subscribers who are consistently inactive (e.g. if they haven’t engaged with an email in 6 - 9 months), for two reasons:

  • You’ll be paying to send to these subscribers via your email marketing software. Removing people that have consistently shown they’re unlikely to engage could save you money.

  • From a branding and perception point of view, you could be damaging your business by appearing in an inbox time and time again without any indication that the recipient is interested in your products or services.
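The two practices above (explicit, granular opt-ins kept separate from T&Cs, and auditing an existing subscriber list for missing consent and long inactivity) as an added JavaScript example that is not part of the original post. The field names, the 9-month inactivity threshold, the notice version and the sample subscriber list are all assumptions constructed for the example.

```javascript
// Added example, not the post's own code: build a granular consent record from a
// sign-up form and audit an existing subscriber list. Field names, the notice
// version and the 9-month threshold are assumptions.
const CHANNELS = ["email", "sms", "post"];
const NOTICE_VERSION = "2018-01"; // assumed: version of the privacy notice shown

// A channel is opted in only if the user explicitly ticked it (strict `true`);
// a missing or defaulted field counts as no consent, so nothing is pre-ticked.
// T&C acceptance is checked on its own and never depends on marketing consent,
// so the service is not withheld from users who decline marketing.
function buildConsentRecord(fields, now = new Date()) {
  if (fields.acceptTerms !== true) {
    return { ok: false, error: "terms not accepted" };
  }
  const marketing = {};
  for (const ch of CHANNELS) {
    marketing[ch] = fields[`marketing_${ch}`] === true;
  }
  return {
    ok: true,
    record: {
      email: fields.email,
      marketing,
      noticeVersion: NOTICE_VERSION, // which notice the user saw when consenting
      consentedAt: now.toISOString(), // evidence of when consent was given
    },
  };
}

// Audit an existing list: subscribers with no demonstrable email consent are
// flagged for removal; those with consent but no engagement in more than
// `inactiveMonths` months are flagged as inactive for a clean-up decision.
function auditSubscribers(subscribers, now, inactiveMonths = 9) {
  const cutoff = new Date(now);
  cutoff.setMonth(cutoff.getMonth() - inactiveMonths);
  const remove = [], inactive = [], keep = [];
  for (const s of subscribers) {
    const hasConsent = Boolean(s.consent && s.consent.marketing && s.consent.marketing.email === true);
    if (!hasConsent) remove.push(s.email);
    else if (!s.lastEngaged || new Date(s.lastEngaged) < cutoff) inactive.push(s.email);
    else keep.push(s.email);
  }
  return { remove, inactive, keep };
}

// Constructed sample data (not real subscribers).
const SAMPLE_SUBSCRIBERS = [
  { email: "a@example.com", consent: { marketing: { email: true } }, lastEngaged: "2017-12-20" },
  { email: "b@example.com", consent: { marketing: { email: true } }, lastEngaged: "2017-02-01" },
  { email: "c@example.com" }, // legacy import with no consent evidence
];
```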

Privacy policy

Hopefully you will already have a privacy policy on your website, but it might need some updating to bring it in line with the new regulations. Your updated privacy policy needs to be:

  • Available as a separate piece of information. You need to make it 100% clear when you’re talking about the use of personal data. Keep your privacy policy on its own page, away from all other T&Cs.

  • Written in clear, plain language and easily accessible. Take out all the unnecessary formalities - your privacy policy needs to be easy to understand, especially if your audience is children.

  • Data controller’s contact details. Identify your organisation as the data controller and state your contact details.

  • Data Protection Officer’s contact details (where applicable). If your organisation is a public authority, you carry out large scale monitoring of individuals (e.g. online behaviour tracking), or you carry out large scale processing of sensitive data (such as criminal convictions / offences), you will be required to appoint a dedicated Data Protection Officer under the GDPR.

  • Purposes and legal basis of processing. Outline what data you collect, how you use it and why.

  • Legitimate interests. If you process data on the basis of legitimate interests (e.g. fraud prevention), state what these are.

  • Cookies. Identify any cookies you use on the site and how you use them. This includes any third party services that may use cookies (for example, we use Google Analytics, LiveChat, Canddi and Whoisvisiting on our website - details are over in the privacy policy). Provide information on how users can control or disable cookies.

  • Who will have access to or use the personal data. Include any other organisation you share personal data with (name them!) and explain what they do with it.

  • Transfers to non-EU countries. State any intended transfers and what your legal basis for this transfer is.

  • How long you will store the data for.

  • Data subject rights. Outline what your users/customers’ legal rights are as a personal data subject.

  • Withdrawing consent. Make it clear that (if consent is the basis for processing) data subjects can withdraw consent at any time and explain how they can do so.

  • Automated decision-making. If you conduct any automated decision-making, explain why, and what impact this will have on website users.

Of course, this isn’t an exhaustive list by any means. Making your data collection GDPR compliant is just one of the steps you can take to improve the security of your visitors’ / customers’ data.

There are other methods you can also implement, such as SSL certificates and fraud prevention tools (which are particularly relevant for eCommerce sites) that can help improve the security and integrity of your website.

More information on the GDPR can be found here: 
