This article explains what the GDPR is and how to go about constructing a GDPR compliant Data Privacy statement for your website.
For any website hosted in Europe, or doing business in Europe, a website Data Privacy statement is mandatory and is based on:
- General Data Protection Regulation (https://gdpr-info.eu/)
- ePrivacy Regulation (operative as the ePrivacy Directive in EU countries, as the Regulation is still not finalised)
The GDPR deals with strengthening citizens' rights around the collection, storage and use of their personal data. The ePrivacy Regulation, intended to work in tandem with the GDPR, is to protect citizens from being tracked, without their consent, by internet corporations and various technologies such as fingerprinting and cookies.
A website's Data Privacy statement is based on the GDPR. A website's Cookie Policy is based on the ePrivacy Directive.
Purpose of Data Privacy Statement
Your responsibility, via your website's Data Privacy statement, is to explain to visitors:
- What Personal Data is collected by your website (e.g. name, phone, address, photo, IP address)
- How you collect Personal Data (e.g. website forms, payment forms, cookies)
- What the reason is for collecting their Personal Data (e.g. to communicate with you, to provide a service)
- How long you keep their Personal Data
- What providers (e.g. webhost) would also have access to their Personal Data
- Whether you use or sell their Personal Data for direct (from your company) or indirect (not your company) marketing
- How you secure their Personal Data
- Whether or not their Personal Data ever leaves the European Union
- If you collect 'sensitive data' (e.g. gender, ethnicity, religion, sexuality), that you do not collect it from minors (16 years or younger)
- And finally, that you recognise the rights of your website visitor under the GDPR to access, correct or delete any Personal Data that you hold
As far as the Data Privacy statement is concerned, you should declare whether you set cookies that capture any Personal Data and refer them to your Cookie Policy for a more detailed explanation (and in the current confusion, you would also have to obtain permission from your visitor to set such cookies first). Note that the Data Privacy statement and the Cookie Policy are required to be two separate documents.
Is my website's Data Privacy statement about my whole organisation - or just the website?
The simple answer is: usually, just the website. You're explaining to visitors how their Personal Data is collected and used on your website. But if you're harvesting personal data from the website and storing it on, for example, your Customer Relationship Management system for your customer fulfillment team to use, then you would be obliged to disclose that to your visitors, and inform them if their data will be treated differently to what you've disclosed in your website's Data Privacy statement.
Constructing the Data Privacy Statement
The following headlines cover the topics that most websites need to address to have a GDPR compliant data privacy statement. Just go through them and answer each of the questions.
Example: We collect personal data from our Contact forms, shopping cart, Google Analytics, etc.
If you're using Google Analytics, be sure to turn off IP address collection because IP addresses count as personal data under the GDPR. See https://developers.google.com/analytics/devguides/collection/analyticsjs/ip-anonymization for help on this.
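As an added illustration (not part of the original article), the following shows the analytics.js setting the linked Google page describes, and reproduces what that setting does to an address before it is stored, so the privacy statement can accurately describe what is retained. The `anonymizeIp` function and its handling of IPv4/IPv6 are written here for illustration; the truncation rule (last IPv4 octet and last 80 IPv6 bits zeroed) is as documented by Google.

```javascript
// In analytics.js the setting is enabled like this (property id is a placeholder):
//   ga('create', 'UA-XXXXX-Y', 'auto');
//   ga('set', 'anonymizeIp', true);
//   ga('send', 'pageview');
// With it on, Google zeroes the last octet of an IPv4 address and the last
// 80 bits of an IPv6 address before the hit is stored. The function below
// reproduces that rule so you can see exactly what survives.

function expandIpv6(addr) {
  // Expand "::" compression into eight 16-bit groups (as integers).
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error('invalid IPv6: ' + addr);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('invalid IPv6: ' + addr);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (groups.some(g => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error('invalid IPv6: ' + addr);
  }
  return groups.map(g => parseInt(g, 16));
}

function anonymizeIp(addr) {
  if (addr.includes(':')) {
    // Keep 128 - 80 = 48 bits, i.e. the first three groups; zero the rest.
    const kept = expandIpv6(addr).slice(0, 3).map(g => g.toString(16));
    return kept.join(':') + '::';
  }
  const octets = addr.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('invalid IPv4: ' + addr);
  octets[3] = '0'; // zero the last octet
  return octets.join('.');
}
```

The truncated address still identifies a network, not a person, which is the point of the setting; declaring in your statement that you use Google Analytics with IP anonymisation is still required.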
Example: We ask for your name, email address, physical address and contact number so that we can provide you with a legal invoice when you shop with us. We request your name and email address for our newsletter signup so that we can send you the newsletter and personalise it with your name. We ask for your name, email and a contact number on our contact form so that we can communicate with you quickly.
Note: quite a lot of shopping cart software collects IP addresses - make sure yours doesn't. Or if it does, declare it here!
Example: We routinely delete all emails collected from our contact form on an annual basis (or whatever). We keep personal data and order transaction details - name, address, email, phone, products purchased, timestamp, amount spent, etc - for 6 years to comply with Revenue requirements.
Example: Our newsletter provider, our payment processor, our webhost, our delivery company. These providers are hired by us to provide services and are not allowed to use your personal data, as they are also bound by data protection requirements.
If you want to understand more about their data privacy policies see this link, this link, this link.
Your personal data may also be provided to relevant third parties in the case of our business being sold, merged or made insolvent.
Example: Your personal data is secured using the most up to date and modern technology. However, no system is fool-proof. If your personal data has been compromised we will notify the DPC within 72h and keep you updated as we assess and manage the incident.
Data breaches that impact a website user's personal data must be notified to the Data Protection Commissioner within 72h (see Breach Notification)
If personal data collected by your website ever leaves the EU, the user must be informed of this fact before they agree to data collection. A good example is Mailchimp, who have no European servers, so even though they are compliant with GDPR, you still have to state that personal data collected for your Mailchimp newsletter will leave the EU. And give a link to the Mailchimp privacy policy, so that users are aware that their data is being stored in the USA.
If you use any data collected on your site to market to users - whether for yourself ("directly") or for others ("indirectly"), then you must declare this before you collect user data and give users a permanent option to opt out of direct/indirect marketing. This is YOUR responsibility under the GDPR.
Marketing is a no-no unless the user has actively opted in. It's an opt-in situation, not an opt-out situation.
In this section you explain to your website visitors their rights with respect to the GDPR, and provide a contact email address where they can address their concerns. You would have 30 days to comply with any of the requests made below. And you can't charge money for it, unless the requests are ridiculously onerous.
- You have the right to retrieve a copy of your personal data in machine readable format
- You have the right to transfer your data to another provider
- You have the right to request the removal of your data ("right to be forgotten")
- You have the right to request a restriction from processing your data
- You have the right to withdraw your consent to our use of your personal information at any time
- You have the right to have your request dealt with within 30 days of receipt
If you wish to exercise your rights please send details of your request to:
[email address]
Or by post to:
[NAME OF PERSON]
[FULL ADDRESS DETAILS]
In case of a dispute you have the right to contact the Data Protection Authority; please see: https://www.dataprotection.ie