Building GDPR compliance into your website build
The full set of GDPR regulations is complex and covers a lot of different requirements that will affect most areas of your business. However, most marketers don’t need to know every aspect of GDPR, as their role simply doesn’t have that wide a scope day to day. The guiding principles are vital for all marketers to understand, and they do need to know in detail how GDPR affects them and their role. If you do need to understand all aspects of GDPR then we’d recommend starting with the Information Commissioner’s Office (ICO) itself and the Data Protection Network, a really great source of no-nonsense independent advice on what it all means and just how to interpret the content on the official sites!
So it’s no surprise that, as a specialist web development agency for Drupal 8, our clients are asking us what GDPR means specifically in terms of planning, building and managing their website.
This is our quick guide to get you started:
The controller is responsible for the lawful processing of data in a transparent way. This might be you, your agency, or any person or organisation responsible for deciding how data is collected, stored and used.
The processor is the organization that stores, manipulates or destroys the data. This is often a 3rd party so care must be taken that partners are also GDPR compliant.
The requirement (unless exempted) for companies to get consent for all data being captured. Consent should be obtained at the point of capture and not coerced in any way.
An option for companies who don’t have implicit consent where it is in the interest of the customer that their data is captured, processed and used.
When there was no explicit consent but it is reasonable to expect that data is captured and processed. For example, if you sell something online via ecommerce. However, it only covers the specific use related to the purchase made.
An external entity that supplies, stores or manipulates data on your behalf.
The ability to clearly demonstrate where all data you hold was originated, how it has been used and what consents are attached to the data.
Privacy by design
A principle used by the ICO which states that privacy should be built in to all digital services from the beginning, including, vitally, securing the data from “breaches”.
Key decisions for GDPR and your website
Are you B2B or B2C?
This is a very important distinction when it comes to GDPR, as the scope of legitimate interest widens considerably for B2B companies. For example, Clause 47 of the GDPR legislation clearly states, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” But remember that it has the important caveat that you must also comply with other relevant laws (data protection, PECR etc.).
How do you capture your data?
Consent, transparency and valid use are the three key factors here.
Firstly, you must make sure that you get clear active consent (customers make an active opt-in choice rather than the widely used opt-out). It must also be freely given, so it shouldn’t be made a condition of receiving a service. If that is the case then you need to capture the data under another provision such as legitimate interest.
Secondly, you must be transparent about why you are asking for the data. This should be at the point of capture and easy to find and read (i.e. not hidden in hard-to-find T&Cs). If this isn’t clear it invalidates the consent.
Finally you must have a valid use for the data. For example if you don’t need to know when someone is born then you shouldn’t be asking for that information.
There are exceptions to implicit consent that can apply in certain cases. For example, if you are capturing data to fulfil a legal requirement then, as long as you say so, you don’t need implicit consent to do so.
For more information see the ICO guidelines on consent.
How do you process your data?
Do you know what actually happens to data once you have captured it? Most marketers initially think they do, but often they only have half the picture. Especially in larger organizations there are often background processes in place that copy, back up, append and share data into different systems with little or no audit trail. There were usually very good reasons for doing so, like having a unified customer record or enabling cross-selling across different business areas.
This is not allowed under GDPR. You cannot assume that permission in one area of your business for one specific reason gives you a carte blanche to use that data across your organization.
There are too many ways data can be used or abused to outline them all here, but we would recommend to all our clients that you begin with a proper audit of all your data flows so you really understand how you process data. You might be surprised.
Where and how is your data stored?
Again, there are some very significant requirements within GDPR which this article summarizes well. From our perspective we want to highlight one that is often overlooked when building websites: data security.
If you’re capturing data, especially sensitive data, then you have an obligation to make sure there can be no data breach. The ICO has already indicated that this is one area in which it will be particularly robust in terms of prosecuting bad practice. Why?
Because once data gets into the wild (offline) its value increases exponentially and the potential for harm increases. Criminals buy and trade data on the dark web and build complete profiles of individuals that they can then use for criminal activity.
It’s therefore vital that when planning digital services you bake in security from the get-go. From choosing the right technology (it’s one of the reasons that Drupal is so widely adopted by the security conscious, including https://www.whitehouse.gov/) to making sure you have robust and frequent testing in place, security should be front and centre.
You also need to plan for regular updates and patching as security is a moving target with new techniques and/or weaknesses arising all the time.
How do you manage your data?
Companies often take a capture-then-milk-dry approach to data, often linked to spray-and-pray marketing techniques. Even companies following some aspects of best practice in terms of data usage fail when it comes to data management.
One key aspect of GDPR is that consent is time limited. Consent must expire. That means if you capture data you must have a valid use for that data AND that use must have a time limit. What that time limit is will vary depending on circumstance.
For example, if you captured data around a sale event then when that sale ends your consent should end. On the other hand, if you captured data around insuring a product for 24 months then you can probably argue that 24 months of consent is reasonable. However you approach it, assuming unlimited consent is no longer an option.
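The capture rules above (active opt-in, freely given, purpose stated at capture), the rule that consent for one purpose is not a carte blanche for another, and the requirement that consent expires can all be enforced at the point where a site stores a consent. The following is an added example, not code from the original post or from Drupal; the ConsentRecord structure, field names and the sample customers are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    """One consent attached to a data subject's record (hypothetical structure)."""
    subject_id: str
    purpose: str                 # the specific purpose stated at the point of capture
    source: str                  # where it was captured, for the audit trail
    captured_at: datetime
    expires_at: datetime         # consent must be time limited
    active_opt_in: bool          # True only if the user ticked an unticked box
    condition_of_service: bool = False  # consent bundled with access to a service
    withdrawn_at: Optional[datetime] = None


def capture_problems(rec: ConsentRecord) -> List[str]:
    """Return the reasons a stored consent would not count as valid consent."""
    problems = []
    if not rec.active_opt_in:
        problems.append("not an active opt-in (pre-ticked or opt-out is invalid)")
    if rec.condition_of_service:
        problems.append("not freely given: consent was a condition of the service")
    if not rec.purpose.strip():
        problems.append("no purpose stated at the point of capture")
    if rec.expires_at <= rec.captured_at:
        problems.append("consent has no time limit")
    return problems


def may_use(records: List[ConsentRecord], subject_id: str, purpose: str, now: datetime) -> bool:
    """True only if a valid, unexpired, unwithdrawn consent exists for exactly this purpose."""
    for rec in records:
        if rec.subject_id != subject_id or rec.purpose != purpose:
            continue  # consent for one purpose does not carry over to another
        if capture_problems(rec) or rec.withdrawn_at is not None:
            continue
        if rec.captured_at <= now < rec.expires_at:
            return True
    return False


# Constructed sample: consent captured on a sale landing page for a two-week sale event
CAPTURED = datetime(2018, 5, 1, tzinfo=timezone.utc)
DURING_SALE = CAPTURED + timedelta(days=3)
AFTER_SALE = CAPTURED + timedelta(days=20)
SALE_CONSENT = ConsentRecord("cust-42", "sale-event-emails", "sale landing page form",
                             CAPTURED, CAPTURED + timedelta(days=14), active_opt_in=True)
# Constructed sample: a pre-ticked box at checkout that the customer had to accept to buy
BAD_CONSENT = ConsentRecord("cust-43", "partner-marketing", "checkout form", CAPTURED,
                            CAPTURED + timedelta(days=365), active_opt_in=False,
                            condition_of_service=True)
```

Once the sale window has passed, or if the purpose being checked differs from the one captured (for example using the sale-event list for cross-selling), may_use returns False and the data should not be used.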
Can customers easily access the data you hold on them?
One aspect of GDPR that’s often overlooked is the right of customers to access, amend and delete any data held on them (with some exceptions where it’s a requirement of the service you provide).
While this access has been available previously (data protection, right to be forgotten etc.), awareness post-GDPR is likely to be much higher and requests are likely to increase significantly. There are data activist groups who have publicly stated that they will be “testing” how companies comply.
Clearly you need to make sure this process is not a burden on your business, and while there are many ways to manage this requirement we advise most of our clients to look at enabling self-service by creating online access to their “account”. This has a lot of advantages over and above simply administering data. For example, it lays the building blocks for creating or expanding new digital services and business models. The best companies don’t see GDPR as a limiter and instead see it as an opportunity to invest in technology that will in turn drive business growth.
Do you understand the rights of your customers?
It’s valuable to reiterate that customer rights are at the heart of the GDPR legislation. According to GDPR all data should be:
- processed lawfully, fairly and in a transparent way
- collected for a specified, explicit and legitimate purpose
- kept up to date
- limited to what is necessary
- not kept in a form that allows identification of an individual for longer than needed
- stored and processed in a secure way
These golden rules match closely the principles listed above, but they are important to list separately as these 6 points are what will be messaged to consumers post-launch and what their expectations of you as a business will be.
Wider guiding principles to consider
There are three other principles that we think are key even if they are not explicit in the actual law.
1. Direction of travel
The ICO has indicated that for most companies direction of travel is more important than 100% compliance come May 2018. This is not a ticket to complacency. You will need to have processes in place to properly capture, protect and allow access to your data going forward, and you will need to have assigned roles such as a data controller for direction of travel to be a legitimate defence. Where the ICO seems to be indicating some time for full compliance is around historical data, partnerships, audit trails etc., which they understand can be complex.
2. Being customer centric
Great companies and great marketers already understand that customers should be at the heart of any data strategy and that holding customer data is a privilege, not a right. Genuinely think about your customers first (who doesn’t want to share only the data that’s needed, give permission before doing so, know it’s going to be used only for that purpose, stored with care and accessible when requested!).
Be customer centric on all things data and you won’t go far wrong in terms of compliance with GDPR. Your customers, your business and your profits will all thank you too.
3. Future proofing
This is unlikely to be the last data/privacy legislation coming down the line. We already know PECR is being replaced by new ePrivacy regulations in the next 12 months, and there will be further updates as the operating environment changes. For this reason if no other, it’s vital that companies take a proactive approach to data and see it as an opportunity to deliver world-class digital services and not as a quick win to drive sales volume from quarter to quarter.
We’re very much from the camp of opportunity when it comes to GDPR. Smart companies make smart decisions with data and use it as a competitive advantage and don’t see it as just another set of administrative tick boxes. Customers respond positively to transparency.
Want more information on how GDPR can be baked into your next web project? Get in touch and we can show you in more detail how we can help get your business working smarter with data.