How To Assess Privacy Risks In Regard To Your Organisation’s Website.

Updated: Feb 10

So, you have a website, or maybe you want to have one for yourself or for your company. Of course, you want to make sure you are sticking to the law and protecting the privacy of your visitors – you want to make sure your website is GDPR compliant. But you don’t want to read a book (or, god forbid – the Law!) on the matter. We’ve got your back. This is what you need to know.

Consent: Cookies

To use analytics software such as Google Analytics, you usually need to place cookies. In the pre-GDPR era, businesses with websites aimed at EU visitors were only required to give notice that the website used cookies. Since the enforcement of the GDPR, this has changed. So, what is needed to make sure your website is privacy compliant? It needs to:

- Inform visitors about what tracking technologies are used through the website, what data it collects, and for which purposes. You should also inform visitors about their rights.

  Alternatively, you can include this information in your privacy policy on your site, with a link shown to visitors immediately upon entering your website.

- Only load strictly necessary cookies until the visitor has given consent.

  Only positive action counts as consent; sentences like “continue to use the site as normal if you agree to the use of cookies” or pre-checked boxes do not. ‘Strictly necessary’ means essential to provide a service explicitly requested by the visitor; it does not mean essential for your own purposes, like analytics.

- Let visitors reject all but strictly necessary cookies and still use the website.

- Enable visitors to withdraw their consent at any moment.

- Include a log with all given consents.

Other opt-ins

You might need consent at other places on your website, such as when asking for contact information, sending newsletters or taking a purchase. Again, only a positive opt-in counts.

Here, you need to:

- Make sure you only ask for the minimum of personal data needed to provide the service. (I’ve seen some strange forms in my days. Please don’t ask for race, age etc. when sending a parcel of pens. That’s weird. And illegal.)

- Have a link to your terms and conditions, privacy notice and other legal documents.

- Get your customers to positively opt in to these legal documents when making a purchase.

- When sending newsletters, recipients must be able to opt out of their subscription at any moment. (You’ll see a link at the bottom of most newsletters for this purpose.)

- Have a log with all given opt-ins (and opt-outs!).
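The cookie rules above and the opt-in rules in this section share the same three mechanics: hold non-essential scripts back until there is a positive action, let the visitor withdraw at any time, and keep a log of every consent and withdrawal. The following is an added example, not code from the original article or from any consent product; the purpose names, the `source` object shape and the loader callbacks are assumptions made for illustration. In a real page the loader would inject the analytics `<script>` tag; here it appends to an array so the example runs outside a browser.

```javascript
// Added example, not code from the original article: a small consent manager
// showing gating, withdrawal and an audit log. Purpose names, the "source"
// object shape and the loaders are assumptions made for illustration.

// Cookies essential to a service the visitor explicitly requested (session,
// CSRF token, shopping cart) need no consent. Analytics does not qualify.
const STRICTLY_NECESSARY = "necessary";

class ConsentManager {
  constructor(now = () => new Date()) {
    this.now = now;
    // Every non-essential purpose starts unconsented. Nothing is pre-ticked:
    // a "keep browsing means you agree" banner is not a positive action.
    this.state = { analytics: false, marketing: false, newsletter: false };
    // Append-only log of every grant and withdrawal, with timestamp and origin.
    this.log = [];
  }

  _record(purpose, action, origin) {
    this.log.push({ at: this.now().toISOString(), purpose, action, origin });
  }

  _check(purpose) {
    if (!(purpose in this.state)) throw new Error(`unknown purpose: ${purpose}`);
  }

  // A grant is only accepted when it comes from an explicit visitor action
  // (a click on "Accept analytics", a checkbox the visitor ticked themselves).
  grant(purpose, source) {
    this._check(purpose);
    if (!source || source.explicit !== true) {
      throw new Error("consent requires a positive action by the visitor");
    }
    this.state[purpose] = true;
    this._record(purpose, "grant", source.name);
  }

  // Withdrawal must be possible at any moment and is logged like a grant.
  withdraw(purpose, source) {
    this._check(purpose);
    this.state[purpose] = false;
    this._record(purpose, "withdraw", source ? source.name : "unknown");
  }

  allowed(purpose) {
    return purpose === STRICTLY_NECESSARY || this.state[purpose] === true;
  }

  // Gate: run loader() (e.g. inject the analytics <script> tag) only when the
  // purpose is strictly necessary or consented to. Returns whether it ran.
  gate(purpose, loader) {
    if (!this.allowed(purpose)) return false;
    loader();
    return true;
  }

  // Audit view: the history for one purpose, oldest first.
  history(purpose) {
    return this.log.filter((e) => e.purpose === purpose);
  }
}

// Worked scenario with a constructed fixed clock so the log is deterministic.
function demo() {
  const cm = new ConsentManager(() => new Date("2024-01-01T12:00:00Z"));
  const loaded = []; // stands in for scripts that would be injected into the page

  // First visit: only the session cookie loader runs; analytics is held back.
  cm.gate(STRICTLY_NECESSARY, () => loaded.push("session-cookie"));
  cm.gate("analytics", () => loaded.push("analytics.js"));

  // Visitor clicks "Accept analytics" in the banner; now the loader runs.
  cm.grant("analytics", { name: "cookie-banner", explicit: true });
  cm.gate("analytics", () => loaded.push("analytics.js"));

  // Newsletter sign-up with an un-ticked box: the submit is a positive action.
  cm.grant("newsletter", { name: "signup-form", explicit: true });
  // Later, the recipient uses the unsubscribe link at the bottom of a mailing.
  cm.withdraw("newsletter", { name: "unsubscribe-link" });

  return { loaded, analyticsAllowed: cm.allowed("analytics"), log: cm.log };
}

if (typeof module !== "undefined") {
  module.exports = { STRICTLY_NECESSARY, ConsentManager, demo };
}
```

Two design points carry the compliance weight: the `grant` method refuses anything that is not an explicit action, so a pre-ticked box or an implied-consent banner cannot produce a consent record, and the log is append-only, so a withdrawal is recorded alongside the original grant rather than erasing it.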

Privacy policy for website

With the enforcement of the GDPR and the EU ePrivacy Directive, a proper privacy policy is obligatory for websites in the EU and for websites that have EU citizens amongst their users. Other countries worldwide have similar rules. The GDPR sets specific requirements as to what must be included in a privacy policy; among other things, yours should have:

- Name and contact details of your organisation (and representative/DPO).

- The purposes of the processing.

- Lawful basis for the processing.

- The legitimate interests for the processing (if applicable).

- Categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

- The recipients or categories of recipients of the personal data.

- Details of transfers of the personal data to any third countries (if applicable).

- Retention periods for the personal data (when are you going to delete it?).

- Rights available to individuals in respect of the processing (access, deletion, etc.).

- The right to withdraw consent (for instance, for cookies).

- Right to lodge a complaint with a supervisory authority.

- Source of the personal data (if personal data is not obtained from the individual).

- Details of the existence of automated decision-making, including profiling (if applicable).

Hosting, Analytics, CMS, CRM, Payments

First, you need to store and run the files that constitute your website somewhere, don’t you?

You might also need analytics software so your business can collect information for optimising your website. A Content Management System (CMS) is an application with which you can manage and publish web content without having to ask a developer, while a Customer Relationship Management (CRM) system helps you manage customer data. Payment software helps you manage… payments. What do these have in common? They are operated by someone else, possibly somewhere else (outside the EEA).

So please be mindful of:

- Would the supplier get access to personal data? If so, how will they use this personal data?

- What types of personal data do they have access to?

- Which personal data would they get access to if integrated with other, currently used tools?

- Which country are they based in? And where do they store said personal data?

- Will other third parties (such as subcontractors: “subprocessors”) get access to this data? If so, where are the third parties from? Where do they store the data?

- Is any data handled, stored, or accessed outside the EEA, and do the terms and conditions include the EC Standard Contractual Clauses and other measures? Or can the data be sent freely on the basis of an Adequacy Decision?

PrivacyPerfect is one of the first high-end privacy compliance software providers on the market.

This article does not constitute legal advice.

The opinions expressed in the column above represent the author’s own.
