How we aim to meet the requirements for GDPR compliance on a website with minimal use of personal data, using minimum effort.
*Disclaimer - we are not lawyers, so don’t take any of this as legal advice!
What is GDPR?:
- GDPR is the EU “General Data Protection Regulation”.
- It is more detailed and specific than the UK Data Protection Act 1998.
- It will be enforced from 25 May 2018.
Compliance for simple cases like ours appears to be mainly about implementing effective privacy notice(s) and reviewing how you ask for, manage and record consent. But you will also need procedures for handling individual requests (for example, a request to delete personal data) and for obtaining consent to cookies.
Get a comprehensive understanding of GDPR from the Information Commissioner's Office (ICO):
ICO Guide to the General Data Protection Regulation (GDPR)
How we are doing it:
- Part 1: Identify what personal data might be collected, where and when.
- Part 2: Design the Consent form and process.
- Part 3: Draft the Privacy Notice and strategy for use
- Part 4: Add a cookie-consent plugin & update your cookie policy
- Part 5: Review
Our use case is minimal and probably fairly common:
- We ask for users' email addresses for site engagement.
- We use cookies on the website, including for Google Analytics.
Part 1: Identify what personal data might be collected, where and when.
Do a detailed data protection impact assessment (DPIA) if appropriate.
Here is our summary DPIA:
DATA PROTECTION IMPACT ASSESSMENT (summary)
We collect the following data:
Source                        Type            Legal basis
“Register & subscribe” form   Personal data   Consent
“Contact Us” form             Personal data   Consent
Browser cookies               Log data        Legitimate interest
Server logging                Log data        Legitimate interest
Error reporting               Log data        Legitimate interest
Data we do not collect:
- special category data (personal data which the GDPR says is more sensitive, and so needs more protection)
- personal data about criminal convictions or offences
- data relating to minors (under the age of 13)
Processing:
- we do not transfer personal data outside the European Union
- we do not share information with partners or advertisers
In our case a detailed DPIA is NOT required because we don't do anything that is of high risk to individuals' interests, nor do we undertake the types of processing that necessitate a detailed DPIA.
Part 2: Design the Consent form and process.
Ensure that the right information is clearly available at the right time(s)
In our case:
1 Obtaining Consent
Via the “Register & subscribe” form:
- Include a link to the Privacy Notice
- Add text: “By registering, you are allowing us to store your email address for the sole purpose of enabling us to send you automated emails, or should we need to contact you regarding this service. You are subscribing to {thing}. Once you complete your registration you will be able to manage your profile and subscriptions at any time. Please review our Privacy Notice for full details.”
Via the “Contact Us” form:
- Add text: “By entering your email address, you are allowing us to use your email address for the sole purpose of providing a response. We will not store your email address nor will we use it for any other purpose.”
2 Storing Consent
Record who, when, what, how
- records should include the ID and the data submitted online together with a timestamp. Also keep a copy of the version of the data-capture form and any other relevant documents in use at that date.
To achieve this we are saving a digest of the Terms, Privacy Notice and cookies policy text when the user signs up. A digest only identifies which version was shown, so the document files themselves must stay retrievable (for example, from version control) for the digest to be useful later:
# app/models/user.rb
require "digest"
...
# Callback registration assumed; the original listing elides it.
after_initialize :do_after_initialize
...
private
  def do_after_initialize
    # GDPR: record versions of relevant documents in use at the time.
    # Only for a brand-new record: after_initialize also fires when an existing
    # user is loaded from the database, and must not overwrite their stored digests.
    return unless new_record?
    self.terms_digest   = get_file_digest( "app/views/pages/terms_of_service.html.md" )
    self.privacy_digest = get_file_digest( "app/views/pages/privacy_notice.html.md" )
    self.cookies_digest = get_file_digest( "app/views/pages/cookies_policy.html.md" )
  end
  # SHA-256 of the file contents, as a hex string (paths are relative to Rails.root)
  def get_file_digest( file )
    Digest::SHA256.file( file ).hexdigest
  end
...
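The "who, when, what, how" record described above, as an added example that is not code from the original post or its application: it builds one consent event tied to SHA-256 digests of the document versions shown at sign-up and, later, reports which documents have changed so you know when fresh consent is needed. The document texts, user ID, form version and email address are constructed sample data, and the log format (one JSON object per line) is a choice made for the example.

```ruby
# Added example (not code from the original post): one consent event recorded as
# "who, when, what, how", tied to SHA-256 digests of the exact document versions
# shown at sign-up, plus a check that tells you later whether those documents
# have changed. Document texts, IDs and form versions are constructed sample data.
require "digest"
require "json"
require "time"

# Stand-ins for app/views/pages/*.html.md (constructed sample text).
DOCUMENTS = {
  "terms_of_service" => "Terms of Service, version 1.",
  "privacy_notice"   => "Privacy Notice, version 1.",
  "cookies_policy"   => "Cookies Policy, version 1."
}.freeze

def digest_of(text)
  Digest::SHA256.hexdigest(text)
end

# Build one consent record.
#   user_id:      who gave consent
#   source:       which form captured it (how)
#   fields:       the data submitted on that form (what)
#   form_version: the version of the capture form in use at the time
#   documents:    the policy texts shown, stored by digest (what they agreed to)
#   at:           when; defaults to now, always recorded in UTC
def consent_record(user_id:, source:, fields:, form_version:, documents: DOCUMENTS, at: Time.now.utc)
  {
    "user_id"      => user_id,
    "recorded_at"  => at.utc.iso8601,
    "source"       => source,
    "form_version" => form_version,
    "data"         => fields,
    "documents"    => documents.transform_values { |text| digest_of(text) }
  }
end

# Names of documents whose current text no longer matches the digest in the
# record. Empty means the consent still covers what the site publishes today;
# anything else is a signal to ask for fresh consent.
def changed_documents(record, current_documents)
  record["documents"].select { |name, digest|
    digest != digest_of(current_documents.fetch(name))
  }.keys
end

# One JSON object per line suits an append-only consent log.
def to_log_line(record)
  JSON.generate(record)
end

if __FILE__ == $PROGRAM_NAME
  record = consent_record(
    user_id: 42,
    source: "Register & subscribe",
    fields: { "email" => "alice@example.org" },   # constructed sample data
    form_version: "2018-04-07"
  )
  puts to_log_line(record)
  revised = DOCUMENTS.merge("privacy_notice" => "Privacy Notice, version 2.")
  puts "re-consent needed for: #{changed_documents(record, revised).inspect}"
end
```

Keeping the digests next to the timestamp and form version is what makes the record defensible later: you can show exactly which text the user saw, and a mismatch against the current documents tells you precisely which policy change triggers a re-consent prompt.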
3 Managing Consent
- A user can already manage their profile and subscriptions online, provided they are logged in.
Part 3: Draft the Privacy Notice and strategy for use
The Privacy notice(s) should:
- be displayed when appropriate and with the right level of detail
- be available as a complete document, including the additional content required by GDPR
- be clear and well written.
Take note of how other websites are updating their Privacy Notices; for example, here is Pinterest's updated Privacy Policy.
In our case, the following is based on Pinterest's policy:
DATA PRIVACY NOTICE
Thank you for using MyWebApp.org. This Notice is to help you understand what information we collect, how we use it and what choices you have about it.
1. How we collect information:
a) When you give it to us or give us permission to obtain it
When you sign up for or use MyWebApp.org, you give us certain information voluntarily. This includes your email address.
b) We also get technical information when you use MyWebApp.org
Whenever you use any website, mobile application or other internet service, certain information gets created and logged automatically. The same is true when you use MyWebApp.org. Here are some of the types of information we collect:
- Log data. When you use MyWebApp.org, our servers record information (“log data”), including information that your browser automatically sends whenever you visit a website, or that your mobile app automatically sends when you’re using it. This log data includes your Internet Protocol address, browser type and settings, the date and time of your request, how you used MyWebApp.org, cookie data and device data.
- Cookie data. We also use “cookies” (small text files sent by your computer each time you visit our website, unique to your MyWebApp.org account or your browser) or similar technologies to capture log data. When we use cookies or other similar technologies, we use session cookies (that last until you close your browser) or persistent cookies (that last until you or your browser delete them). For more detailed information about how we use cookies, please review our [Cookies Policy].
- Device information. In addition to log data, we collect information about the device you’re using MyWebApp.org on, including type of device, operating system, settings, unique device identifiers and crash data that helps us understand when something breaks. Whether we collect some or all of this information often depends on what type of device you’re using and its settings. For example, different types of information are available depending on whether you’re using a Mac or a PC, or an iPhone or Android phone. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.
c) Partners and advertisers DO NOT share information with us
We DO NOT advertise on MyWebApp.org, so your data is NOT shared in this way. However, we DO obtain data from other publicly available sources.
2. What we do with the info we collect:
We use the information we collect to provide the Service to you. We commit to showing you content that’s relevant, useful and personal to you. In order to do that, it’s necessary for us to use your information to:
- Identify you when you use MyWebApp.org, and process your transactions.
- Respond to your questions or comments.
In addition and for similar reasons, we have a legitimate interest in using your information in these ways. It is also fundamental to the nature of the Service we provide. In short, it’s necessary for us to do these things in order to make the Service relevant, useful and personal to you, and it’s in both of our interests for us to do that.
We also have a legitimate interest to improve MyWebApp.org, maintain our relationship with you, and protect users. We both benefit when we use your information to:
- Conduct analytics on who is using MyWebApp.org and what they are doing. For example, by logging how often people use two different versions of a feature on MyWebApp.org, we can understand which version is better.
- Improve MyWebApp.org and offer new features.
- Send you updates and news by email or push notification, depending on your settings. For example, we send weekly updates that you can subscribe to. You can decide to stop getting these notifications by updating your settings.
- Work with law enforcement and keep MyWebApp.org safe. We may get requests for account information from law enforcement authorities like the police or courts.
3. Transferring your information:
By using MyWebApp.org, you authorize us to transfer and store your information outside your home country for the purposes described in this policy. The privacy protections and the rights of authorities to access your information in these countries may not be the same as in your home country.
Your information is stored in the European Economic Area (EEA).
4. Choices you have about your info:
Our goal is to give you simple and meaningful choices regarding your information. If you have a MyWebApp.org account, many of the choices you have on MyWebApp.org are built directly into MyWebApp.org or your settings. For example, you can:
- Edit information in your profile at any time.
- Edit your subscriptions at any time.
- Close your account at any time. When you close your account, we’ll deactivate it.
You also have choices available to you through the device or software you use to access MyWebApp.org. For example:
- The browser you use lets you control cookies or other types of local data storage.
- Your mobile device lets you choose how and whether your data is shared with us.
To learn more about these choices, please see the information provided by your device or software provider.
5. How and when we share information:
Some of the ways we use your information require us to share information with third parties, so we can provide your MyWebApp.org experience, make sure our customization is effective and comply with laws that apply to us. We share your information with:
- Law enforcement agencies or government agencies. We only share information if we believe that disclosure is reasonably necessary to comply with a law, regulation or legal request; to protect the safety, rights, or property of the public, any person, or MyWebApp.org; or to detect, prevent, or otherwise address fraud, security or technical issues.
6. How long we keep your information:
We keep your information only so long as we need it to provide MyWebApp.org to you and fulfill the purposes described in this policy. When we no longer need to use your information and there is no need for us to keep it to comply with our legal or regulatory obligations, we’ll either remove it from our systems or depersonalize it so that we can’t identify you.
7. Our policy on children’s information:
Children under 13 are not allowed to use MyWebApp.org. If you are based in the EEA you may only use MyWebApp.org if you are over the age at which you can provide consent to data processing under the laws of your country or if verifiable parental consent for your use of MyWebApp.org has been provided to us.
8. Your options:
You have options in relation to the information that we have about you described below. To exercise these options, please contact us. If you’re an EEA user, you can:
- Access the information we hold about you. We’ll usually share this with you within 30 days of you asking us for it.
- Have your information corrected or deleted. You can update your information in your settings. If you have problems updating the information or if you would like us to delete it, contact us.
- Object to us processing your information. You can ask us to stop using your information, including when we use your information to send you emails or push notifications to which you have subscribed. We only send you notifications if you’ve agreed to it, but if you’d rather we don’t, you can easily unsubscribe at any time.
- Have the information you provided to us sent to another organization, where we hold this information with your consent or for the performance of a contract with you, where it’s technically feasible.
- Complain to a regulator. If you’re based in the EEA and think that we haven’t complied with data protection laws, you have a right to lodge a complaint with the Data Protection Commission in Ireland or with your local supervisory authority.
9. How to get in touch:
MyWebApp.org is the data controller. This means it decides how your personal data is processed and for what purposes. To exercise all relevant rights, or for queries or complaints, please in the first instance contact MyWebApp.org here: Contact Us.
10. Document Version
We update this Privacy Notice from time to time so please do review it regularly. This version came into effect on 7 April 2018.
Part 4: Add a cookie-consent plugin & update your cookie policy
How the GDPR affects cookie policies
To comply, we are using the excellent cookieconsent.insites.com plugin together with updated cookie policy text (see below):
- use the ‘Ask users to opt-out of cookies (Advanced)’ compliance type
- here is how we configured it: initialise https://cookieconsent.insites.com with the “Disabling cookies” code
You will also need a small JavaScript snippet to enable / disable the non-essential cookies, which in our case means only Google Analytics: disable google analytics tracking; or, if your case is more complex, try nicholasruggeri / cookies-enabler.
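An added example of the enable / disable snippet described above (not the cookieconsent plugin's own code, nor the linked gists): it reads the consent status from the plugin's status cookie, flips Google's documented per-property opt-out flag before analytics.js runs, and expires the analytics cookies when a visitor opts out. The property ID is a placeholder, and the status cookie name, its values and the list of Google Analytics cookie names are assumptions stated in the comments.

```javascript
// Added example (not the cookieconsent plugin's own code): gate Google Analytics on the
// status recorded by the plugin's consent cookie, and expire the GA cookies on opt-out.
const GA_PROPERTY = 'UA-XXXXXXX-Y';            // placeholder: substitute your own property ID
const CONSENT_COOKIE = 'cookieconsent_status';  // assumed: the plugin's default status cookie
const GA_COOKIES = ['_ga', '_gid', '_gat'];     // assumed: the cookies analytics.js sets

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Opt-out model (the "Advanced" compliance type): analytics runs unless the visitor
// has explicitly chosen "deny". No cookie yet (first visit) or "dismiss" means not opted out.
function analyticsAllowed(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] !== 'deny';
}

// Google's documented opt-out switch for analytics.js: when
// window['ga-disable-<PROPERTY>'] is true before ga() runs, no hits are sent.
// Returns the flag so the decision can be inspected.
function applyAnalyticsConsent(win, cookieString) {
  const disabled = !analyticsAllowed(cookieString);
  win['ga-disable-' + GA_PROPERTY] = disabled;
  return disabled;
}

// Cookie strings that expire the named cookies when assigned to document.cookie.
// analytics.js sets its cookies on the registrable domain (e.g. ".example.org"),
// so that domain must be given explicitly or the browser will not match them.
function expireCookieStrings(names, cookieDomain) {
  return names.map(
    (n) => `${n}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=${cookieDomain}`
  );
}

// Call on page load, and again from the plugin's status-change hook after the
// visitor makes a choice. Returns true when analytics was disabled.
function onConsentStatus(doc, win, cookieDomain) {
  const disabled = applyAnalyticsConsent(win, doc.cookie);
  if (disabled) {
    for (const s of expireCookieStrings(GA_COOKIES, cookieDomain)) doc.cookie = s;
  }
  return disabled;
}
```

The ordering matters: the `ga-disable-…` flag has to be set before the analytics snippet executes, so this runs in a script placed above it, not in a deferred handler. Expiring `_ga` and friends is a belt-and-braces step, because a visitor who opts out after the cookies were set would otherwise still carry them.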
Our updated cookie policy text:
Cookies
Our Privacy Notice describes how we collect and use information, and what choices you have. One way we collect information is through the use of a technology called “cookies.”
1. What is a cookie?
A cookie is a small piece of text that a website stores in your browser and reads back on later visits.
2. What we use cookies for
Our website, like many others, stores and retrieves information on your browser using cookies.
This information is used to make the site work as you expect it to. It is not personally identifiable to you, but it can be used to give you a more personalised web experience.
Because we respect your right to privacy, you can choose to change your privacy preferences to prevent non-essential cookies being set.
a) Strictly necessary cookies
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as
- Personalization.
- Preferences.
- Logging in.
You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
b) Performance cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. This Analytics data is collected via a JavaScript tag in the pages of our site and is not tied to personally identifiable information. We therefore do not collect or store your personal information (e.g. your name or address) so this information cannot be used to identify who you are. For more information visit google.co.uk analytics privacy overview
3. Where we use cookies
We use cookies on MyWebApp.org
4. Your options
- We give you the option to accept Performance Cookies when you start using MyWebApp.org. However if you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
- The browser you use probably lets you delete or control cookies or other types of local data storage.
If you want to learn more about cookies, please visit https://cookiesandyou.com.
Effective from 8 April 2018.
Part 5: Review
Review all of the parts above that contribute to compliance. Ensure you continue to comply as you make changes to your service in the future.