What most sites need to do if you are the Controller.

1. Controllers and Processors in a nutshell


Controller: A Controller is an organisation that determines how personal data will be used, this would generally be the client/website owner

Processors: Is the organisation that processes personal data on behalf and on the instructions of the Controller.

In most cases, Web Torque is the Processor and our clients are the Controllers, you can be both Processor and Controller in certain instances. 

2. Obtain clear consent to use cookies and have a cookie policy.

Does your site use cookies? If yes, 

The GDPR states cookies constitute personal data, as they can be used to identify an individual. You must obtain clear, specific consent from users to place cookies and track them. 

Cookie Policy should include: 

  1. What types of cookies are set
  2. How long they persist on your user’s browser,
  3. What data they track,
  4. For what purpose (functionality, performance, statistics, marketing, etc.),
  5. Where the data is sent and with whom it is shared,
  6. How to reject cookies, and how to subsequently change the status regarding the cookies.

Example sites
https://www.cookiebot.com
https://www.onetrust.com
https://gdprprivacypolicy.org/cookies-policy/ 

What you need to do. This could be handled by a popup on a user’s first visit that allows users to consent to or decline cookie use and have a clear link to our cookie policy. No cookies should get served if the user opts out.

3. Personal data with forms

Does your site have online forms that collect information that could identify someone and is held in your SilverStripe CMS. If yes,

All forms where personal data is collected, this can be as little as email address, need to have opted in consent and must be separate from terms and conditions. They need to be either:

Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.

Opt-in: Pre-ticked opt-in boxes are invalid – All users must opt-in.

Granular: Give granular options to consent separately for different types of processing wherever appropriate.

Easy to withdraw: Users have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

Examples
https://www.userzoom.com/ux-design/6-examples-of-gdpr-ready-opt-in-forms/

What you need to do. Opt-in for each form on your website where you are collecting user data.

4. Update your privacy policy

    1. use clear, straightforward language;

    2. adopt a simple style that your audience will find easy to understand;

    3. not assume that everybody has the same level of understanding as you;

    4. avoid confusing terminology or legalistic language;

    5. draw on research about features of effective privacy notices when developing your own;

    6. align with your house style. Using expertise, for example, in-house copywriters can help it fit with the style and approach your customers expect;

    7. align with your organisation’s values and principles. Doing so means that people will be more inclined to read privacy notices, understand them and trust your handling of their information;

    8. be truthful. Don’t offer people choices that are counter-intuitive or misleading;

    9. follow any specific sectoral rules as well as complying with data protection law, for example in advertising or financial services sectors; and

    10. ensure your privacy notices are consistent across multiple platforms and enable rapid updates to them all when needed. Privacy notices can be managed using content management systems (CMS).


Example Sites
https://www.iisri.com/privacy.php
https://www.cookiebot.com/en/privacy-policy/

What you need to do. Update your privacy policy.

5. Individual User Rights

Right of access: The right of access is the right of individuals to request information about how their data is being used as well as a copy of the data itself.

Right to rectification: Individuals are allowed to contact a Controller to correct inaccurate personal data.

Right to be forgotten: Individuals can request that their data be erased under certain specific circumstances. Data is no longer needed for the reason it was collected and the individual withdraws consent or the data was unlawfully obtained.

Right to restriction of processing: Individuals have the right to restrict how their data is processed in certain circumstances.

Right to data portability: individuals have a right to receive their personal data for the purpose of using it somewhere else.

There are some circumstances where the above does not apply if it is being used for scientific, historical and statistical collection for reasons of public interest. Legal and health data are a couple of examples. It would not be a good idea to delete historical health data for example.

What you need to do. You can either have a system in place so this can be done by you or the individual requester automatically or this can be done manually, depending on how big your website/functionality it has, this could take some time. You have 1 month to comply with the individual requester's request.