We don’t collect personal data, so our website doesn’t need to be GDPR compliant!

This week we attended a networking meeting where we were inundated with people asking us about GDPR compliance for their websites, and it's clear there is still a lot of confusion around the issue.

The most common assumption was that if your site didn't get much traffic, or rarely received a contact form submission, you didn't need to be GDPR compliant.

The second most common assumption was that a person’s website wasn’t collecting data. One person said “GDPR? I thought that was only necessary if you collected personal data. We don’t collect any!”

By the very nature of having a website, you are most likely collecting personal data, whether you know it or not.

Let’s unpack that a little more.

In its PDF "An introduction to the Data Protection Bill", the ICO states that personal data is any data that "[relates] to an identified or identifiable living individual."

So it's not all about credit card numbers and tax codes. Simple, basic information such as someone's name and email address counts as personal data.

Here are five ways you may be collecting personal data:

  • You have a contact form and people leave their telephone number or email address so you can get back to them.
  • You offer a newsletter subscription where people give you their email address.
  • Visitors can buy a product or service through your website.
  • Visitors can make a booking through your website.
  • You allow comments on your posts or pages that ask for an email address, or you let people log in with their social media profiles.

Likewise, cookies that can identify an individual in some way (for example a unique visitor ID set by an analytics or advertising service) are personal data too.

Even though there is a lot of controversy around cookies, they can be very useful and help make browsing your site a more relevant and enjoyable experience for your visitors.

So what’s a cookie?

Cookies are small pieces of text. When you visit a site that uses cookies for the first time, the site asks your browser to store a cookie (it does this with a Set-Cookie response header). The next time you visit that site, your browser checks whether it holds a cookie for that site and, if so, sends the cookie's contents back with the request (in a Cookie header).

The site then 'knows' that you have been there before. In some cases the site will then tailor what you see: for example, it can restore an abandoned shopping cart, keep your social media login so you can comment easily, remember that you have already signed up to a mailing list so the pop-up doesn't appear again, or apply other preferences that tailor the content to your interests.

Your website uses cookies if you:

  • Run Google Analytics or similar
  • Have social media 'like' or 'share' buttons or plugins
  • Show YouTube videos on your site
  • Run your site through Cloudflare or a similar proxy/CDN

Embedded third-party services such as these set their own cookies from their own domains, so you may not see them anywhere in your own site's code.

Websites have been using cookies for years, but until now most people haven't been aware of them working in the background, and it has been the individual's responsibility to block or allow cookies using their browser settings.

Now the responsibility is on you, the site owner.

The EU cookie rules (the ePrivacy Directive, implemented in the UK as PECR) require sites that use cookies to seek express permission from visitors before storing or retrieving information on their devices, and GDPR sets the bar for what counts as valid consent: it must be freely given, specific, informed and unambiguous, so a banner that relies on continued browsing or pre-ticked boxes is not enough. The one exception is cookies that are strictly necessary to provide a service the visitor has asked for, such as a session cookie that keeps a shopping basket or login working; analytics, advertising and social media cookies are not exempt.

So take a look at the lists above again. If your site uses any of these features, you need to ensure your site is GDPR compliant.

If you're still confused, read through the information on the ICO website (https://ico.org.uk/) or seek legal advice.
