GDPR affects how all websites targeting Europe must behave. Everyone involved in a Europe-oriented project must understand the core tenets of GDPR and help to keep our clients our of trouble.
Here's our basic structure for each client/project:
- Together with a lawyer (also known as a DPO)
- Website details - We meet with you and give you a tour of the full websites(s), what they do, what they store, and where - Cantilever will fill in the details around the website and how data is stored/transported within the website.
- Downstream Audit - Meet with Client and Cantilever and you to determine and document what the client does with the data after the data is stored on the website
- The lawyer provides a consolidated punch list of requirements for each site to be compliant. They send to us and the client.
The lawyer will in most cases be a lawyer that we hire for the task. The client might choose to work with a different lawyer and work with them separately.
Key questions to answer |
Who the company / organization is (client’s contact details, and those of client’s DPO if any); |
Why the company/organisation will be using their personal data (purposes); |
Whether the data will be used for other purposes – if yes, then state them; |
The legal justification for processing their data; the client’s company must collect and process only the personal data that is necessary to full that purpose; |
The types of personal data that will be collected; |
For how long the data will be kept; |
Who else might receive it; |
Whether their personal data will be transferred to a recipient outside the EU; if yes, where will it be transferred to; |
What this means for the users of the website / product:
- Website visitors need to be able to read a privacy statement that clearly what personal information is stored and how long it will be held as well as who can view the data.
- The website needs to indicate how users can make a request for their information to be edited / removed.
- Any forms inviting users to share information must actively require opt-in. This rule applies to cookie consent and subscriptions to mailing lists or notifications.
- Consent to store personal information must not be bundled with other options.
- In this case, separate tick boxes must be provided for different types of consent. Suppose the client needs permission to contact a user by phone and or email. In that case, each communication method requires a separate confirmation. In the case the client passes data to third parties, each of those parties must be listed for separate consent.
- The website should make it possible for the users to opt-out marketing emails. It is normal practice for this to be possible either under the user’s profile page or on the privacy policy page.
- Cookie consent cannot be implied or gained by a failure to opt-out. Instead, the user must be specifically asked for their permission to store cookies on their computer. How the website uses cookies should also be detailed in the privacy policy.
- Cookies used by anonymous tracking software, like Google Analytics, should also be mentioned in the privacy policy.
- The IP address of a computer is personal information under GDPR, so if a site collects and stores IP addresses, this should also be mentioned in the privacy policy. Occasionally, some third-party plugins or extensions installed on the website may collect IP addresses. For example, some affiliate programs log the IP address of visitors, as do some blog commenting apps, all of which will need to be disclosed in the privacy policy.
- GDPR does not explicitly require an SSL certificate. However, GDPR does state that websites should take appropriate technical measures to ensure the security of personal data. So, broader security requirements of the legislation will be met by implementing an SSL certificate.
- The users’ payment details may be stored, even if the website uses a payment gateway. If that is the case, this must be stated in the privacy policy.
Data might get collected through:
Analytics software and any software tracking pixels both rely on the use of cookies and will include data that is personally identifiable (eg. IP addresses).
- Enquiry forms
- Newsletter signups
- User account registration
- Comment boxes
- Social media integrations
The best examples here are Hubspot or Salesforce.
- Plugins
Overview of the process
- We provide an estimate for items that affect the website and get it approved.
- We do the work.
- We walk through the changes with the client and show them how things have changed or what has been added. In case of a new website, this happens during step 1.
- The lawyer provides a letter of assurance that to the best of their knowledge, the site is in compliance with EU privacy laws.
Because being compliant is a process which changes as a company grows and modifies its operations, the website needs to be updated accordingly. The lawyer can work with clients on how they manage the data once it reaches their own computers / databases.
If the client wants us to work with a different lawyer than our own, we assume that the lawyer will charge the client separately. As a general rule, we would bill separately while we would be the lead with each client.
More information on the best GDPR practices can be found here 👉 https://gdpr-info.eu