Tera Team April 18, 2018

GDPR and What It Means For Your Business

What is GDPR?

The General Data Protection Regulation (GDPR) is a new European Union (EU) data privacy law. It comes into full effect on 25 May 2018. The GDPR's main purpose is to create one coherent data protection framework across the EU. It will substantially enhance data protection and privacy rights in the EU, and imposes a comprehensive set of principles and obligations which businesses trading with EU will need to be aware of and comply with.



Does it affect us down here in NZ?

The main change is the territorial reach of GDPR, which now extends beyond the borders of the European Union. GDPR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing itself takes place in the EU. This change will affect not just New Zealand businesses with operations and offices in the EU, but any company dealing with the personal data of EU residents.


What are the main principles of data privacy under GDPR?

  1. Lawfulness, fairness, and transparency of data processing.
  2. Purpose limitation: personal data should be collected for specific, explicit and legitimate purposes.
  3. Data minimisation: only personal data relevant to the specific purpose should be saved and processed.
  4. Accuracy of data: any inaccurate personal data should be corrected or deleted. Where necessary, data must be kept up to date.
  5. Retention of data: data must be kept in a form that permits identification of individuals for no longer than necessary.
  6. Integrity and confidentiality: data must be kept secure.


Can Terabyte help me to become compliant?

From a digital standpoint, we have developed a list of quick wins to help your website become compliant with the GDPR:


Website Forms

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.

Unbundle Opt-in

The consent you are asking for should be set out separately for accepting terms and conditions, and acceptance of consent for other ways of using data.


Granular opt-in

Users should be able to provide separate consent for different types of processing. For example: asking how the user would like to be contacted (post, email, telephone), and separately asking permission to pass their details on to a third party if needed.


Easy to Withdraw Permission

It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent. In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication, easily changing the frequency of communication, or stopping all communications entirely.


Named Parties

Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to refer to specifically defined categories of third-party organisations; they need to be named.


Privacy Notices and Terms & Conditions

The Information Commissioner’s Office (ICO) has very kindly provided a sample privacy notice that you can use on your website. It is concise, transparent, and easily accessible. You will also need to update the terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information both on your website and in your office systems. You will also need to communicate how and why you are collecting data. Your privacy policy will need to detail applications that you are using to track user interaction.


Online Payments

If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway. If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days; it's down to your own judgement as to what can be defended as reasonable and necessary.


Third Party Tracking Software

Things can start to get tricky when it comes to third-party tracking software.

Many websites are using third-party marketing automation software solutions on their website. These might be lead tracking or call tracking applications like Hubspot or Marketo.

The use of these tracking applications raises some very interesting questions in terms of GDPR compliance, and this remains a grey area. At first glance, these applications track users in ways they would not expect and for which they have not granted consent. For example, they track a visitor's behaviour each time that visitor returns to your website or views a specific page on your site.

However, both Marketo and Hubspot have been making changes and developing tools to enable their clients to be GDPR compliant.

But if the software is doing something illegal, then it is your business’s responsibility as the Data Controller. The real question is to identify the GDPR compliance risks in using this kind of software, and to mitigate your risks as a business owner. As a result, you need to review your contracts with these software providers carefully.


Google Analytics and Google Tag Manager

If you are interested in Google’s commitment to GDPR then this is a good place to start: How Google complies with data protection laws

Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so we believe GDPR does not impact on its usage.

With regard to Google Tag Manager: it’s a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services.

The issue for businesses with regard to Tag Manager is to ensure you have a contract in place with the individuals that have access to your Tag Manager (which may well be your web designer, or digital marketing agency), confirming that they understand their legal responsibilities as a data processor on your behalf as data controller.

So, the underlying issue with the new GDPR is to identify your third-party data processors and have contracts in place with them to protect your own interests.


Cookie Consent

If your site is using cookies you will need to ask for the user's consent for certain types of data that are being stored:

To be valid, consent must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If you are relying on implied consent, you need to be confident that your users fully understand that their actions will result in cookies being set. However, in some circumstances (for example, collecting sensitive personal data such as health details) it is likely that explicit opt-in consent is more appropriate.

This means you are unlikely to need consent for:

  • cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
  • session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
  • load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.

However, it is still good practice to provide users with information about these cookies, even if you don't need consent.
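The consent rules from the Website Forms and Cookie Consent sections above (granular, unbundled opt-in that defaults to "no"; withdrawal as easy as granting; explicit opt-in for sensitive data; essential cookies allowed without consent; third-party tags loaded only after consent), as a small added JavaScript model written for this article. It is not Terabyte's code or any vendor's; the purpose names, the sensitive-purpose set and the tag registry are constructed assumptions.

```javascript
// Added example, not Terabyte's code: a consent model for a website that
// follows the rules described above. Purpose and tag names are constructed.

// Cookies the article says are unlikely to need consent.
const ESSENTIAL = new Set(["basket", "session-security", "load-balancing"]);

// Unbundled, granular opt-in: every purpose is tracked separately and starts
// as "no". Sensitive purposes may only be granted by explicit opt-in.
function newConsentStore(purposes, sensitive = []) {
  const store = { consents: {}, sensitive: new Set(sensitive) };
  for (const p of purposes) {
    store.consents[p] = { granted: false, at: null, explicit: false };
  }
  return store;
}

// Record consent for one purpose after a positive action. Implied consent
// (explicit = false) is refused for sensitive purposes; unknown purposes are
// refused so that nothing is consented to by accident.
function grantConsent(store, purpose, explicit, now = Date.now()) {
  if (!(purpose in store.consents)) return false;
  if (!explicit && store.sensitive.has(purpose)) return false;
  store.consents[purpose] = { granted: true, at: now, explicit };
  return true;
}

// Withdrawal is a single call per purpose, no harder than granting it,
// and keeps a timestamp so the change of mind is recorded.
function withdrawConsent(store, purpose, now = Date.now()) {
  if (!(purpose in store.consents)) return false;
  store.consents[purpose] = { granted: false, at: now, explicit: false };
  return true;
}

// Essential cookies are always allowed; anything else needs a recorded grant.
function isAllowed(store, purpose) {
  return ESSENTIAL.has(purpose) || store.consents[purpose]?.granted === true;
}

// Gate third-party tags on consent: return the names of tags that may load.
function tagsToLoad(store, tags) {
  return tags.filter((t) => isAllowed(store, t.purpose)).map((t) => t.name);
}

// Constructed sample tag registry; each tag declares the purpose it serves.
const SAMPLE_TAGS = [
  { name: "basket-cookie", purpose: "basket" },
  { name: "analytics", purpose: "analytics" },
  { name: "lead-tracker", purpose: "marketing-third-party" },
];
```

In a real site the store would be persisted (for example in a first-party cookie) and `tagsToLoad` would drive which scripts the tag manager is allowed to inject.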


What do you need to do as a business?

It's not only your website! The changes being introduced with GDPR will permeate your entire business; this blog focuses purely on your digital marketing.

As you start planning the detail of your website, you will uncover an Aladdin’s cave of issues you will need to consider. The Information Commissioner has provided an excellent set of resources for your reference, but here are a few key questions to be considering now as we approach the May deadline:

  • You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
  • Do you need to either gain or refresh consent for the data you hold?
  • Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
  • Is your data being held securely, keeping in mind both technology and the human factors in data security?
  • Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?

Although the GDPR may not affect your business or website, it is still good practice to implement a strict policy around the use of cookies and the capture and management of users' personal data.

At Terabyte we follow best web practice and data management policies. With these new regulations being implemented across the EU, we suggest all sites follow them to secure users' information and provide transparency around the use of their data.

It's also worth noting, for Umbraco users, that the latest version of Umbraco (v7.9) provides many of the tools required to achieve Umbraco GDPR compliance.


Get in touch if you'd like to investigate an Umbraco upgrade, or for a review of your site from a GDPR perspective.


Disclaimer: The information contained in this blog is not legal advice but background information intended to help readers make an informed decision about their standing in terms of GDPR.