“My site doesn’t collect personal data.”
Simply by having a website, you are almost guaranteed to be collecting data. The EU has substantially expanded the definition of personal data under the GDPR: online identifiers such as IP addresses now qualify as personal data. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
- If you have a mailing list or a newsletter, this will also hold personal information. If you use a service such as MailChimp or Campaign Monitor and people sign up via your website, you are taking personal data and passing it on to a third party.
- Google Analytics may be installed on your website, in which case you are collecting data.
- If you operate an eCommerce website, then you are collecting the user data required to complete your orders.
- If you have any contact forms on your website, your user is giving you their data whenever they use those forms.
Both data controllers and data processors must make clear how they collect people’s information, what purposes they use it for, and the ways in which they process the data. The legislation also says that firms must use plain language to convey these things clearly and coherently to people: it’s time to wave goodbye to those confusing, dense privacy policies.
“What does this mean for me?”
- You must ensure that any contact form, signup form or other area of your site in which your user inputs their data carries a checkbox where they give you consent to use their data. This box cannot be pre-checked.
- You need to have adequate security on your website to prevent any breaches. Failure to do so would be a violation of GDPR.
Here’s how we can help you: