The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It replaces the current Data Protection Act in the UK and is the biggest overhaul of data protection legislation for 25 years.
If your website collects personal information then GDPR affects you. An obvious example is a website that invites visitors to subscribe to a newsletter but even a simple contact form which captures just the enquirer's name and email address still requires GDPR consideration.
The whole business is not strictly about websites at all - it is about what you do with personal information you receive through any means and ensuring you have permission to do that. Even if your website has no contact form at all it probably still shows your email address so you need to think about what you do with the email addresses of your enquirers. Responding to the enquiry is obviously a legitimate use, but gathering all these addresses into an email list and mailshotting them periodically with marketing is very unlikely to be a legal use of this personal information under GDPR.
This guide has been created to help customers of WebHealer as opposed to those who have merely enquired about our service. As a customer you will have broadly two types of concern.
As indicated in the overview above we are not in a position to offer "GDPR Compliant Websites" as compliance is more a matter of your own procedures than how the website is constructed. We have however given a lot of thought to how we can simplify the work you need to do to make your website GDPR compliant. Even more important of course is that we do not create any barriers to your website being GDPR compliant.
This guide will be updated as May 25th draws near and will hopefully address whatever concerns you have.
11 May 2018 - All WebHealer clients can now create their Privacy Notice via the special Privacy Notice section in their Administration Area and then activate the notice via the Privacy Features section. Access both these sections from the Administration Area menu under Site Management.
We are still trying to find out more information about GMail and its compliance status. It is quite possible there will be no clarification before May 25. Many aspects of the legislation are not as explicit as people would like and it's very possible that norms of best practice will become established which people tend to follow in the absence of definitive direction. All we know for now is that after May 25th a very large number of businesses will still be using a free Gmail account. We haven't updated our systems to support the officially compliant GSuite yet but it will be done next week.
8 May 2018 - If you have created a Privacy Notice using the system we have provided (see below) and you are using the Mobile ColourMax design you can now make the Privacy Notice active in the same way as explained in the note immediately below. Clients using all remaining designs including older non-mobile-friendly designs should be able to activate their privacy page by the end of this week.
30 April 2018 - As the GDPR deadline approaches many businesses are still getting their house in order and unfortunately that leaves a lot of grey areas. One of the grey areas that has concerned some people recently is Gmail and whether it will be safe to use Gmail for business purposes after May 25th. On the one hand Google do say that overall they comply with important and relevant EU/US legislation for GDPR but they are not yet saying definitively that GMail is GDPR compliant. Instead they are saying that their chargeable GSuite service (which includes a commercial version of GMail) is safe for GDPR. We'd be very surprised indeed if Google would leave tens of millions of small EU businesses in the lurch by not making the free version of GMail compliant with GDPR. We'll keep you updated as we find out more but we have also been making preparations for those WebHealer clients who feel unsure about this and want to switch to GSuite. Our systems can't support GSuite at present but we are working on some updates and hope to have this option in the next week or so.
24 April 2018 - Today we have enabled a feature for all WebHealer customers to help them prepare for GDPR. Every WebHealer website now includes an extra page that can be edited just like a normal page but is dedicated to holding a Privacy Notice. If you log into your WebHealer website and scan down the menu on the left you will see the option Privacy Notice in the Site Management section. You can start using it right now. In a few days we will enable features to link to it from within your pages and from the website footer. Keep an eye on this guide for more details.
WebHealer respects privacy. One of our fundamental principles is that no-one should receive a communication from us that they do not expect and might perceive to be unwanted. As this is at the heart of GDPR our compliance activities primarily involve ensuring we have the necessary documentation and have carried out checks on our suppliers. We have engaged a company lawyer to assist us and we are currently documenting our procedures and writing the necessary privacy notices. We are also in discussion with our suppliers who will inevitably be in discussion with their own suppliers. This chain of dependency means that it is likely to be well into May before we can say we are GDPR compliant, but rest assured it is a very high priority for us.
This very much depends on how you use your website and any personal information you obtain through it. This link provides a well written and clear explanation of the areas that will be of most relevance to our customers. It is rare for customers of WebHealer to be engaged in online or offline direct marketing campaigns, so for most the concerns will be about ensuring that your visitors are notified about how you will use their personal information when they contact you (via a Privacy Notice) as well as how we process enquiries that come via your Email Contact Form.
A lot of vendors are promoting SSL as a positive contribution towards compliance however our advice so far is that SSL is not strictly needed. If you would like your website to use an HTTPS secure connection (i.e. SSL) then please contact us as we are already in the process of upgrading clients to this at no charge.
Enquiries submitted through your contact form are sent directly to you by email and then deleted from our systems. They are retained only until we are confident they have been successfully delivered.
The important thing is to draw attention to your Privacy Notice that states how you will use any information provided. We are developing new features for WebHealer websites to help with GDPR and these include a new free page specifically for your Privacy Notice and a link to this with suitable explanation on your Contact Form.
This is beyond our area of expertise as all customers will make individual choices, however we would recommend contacting your professional association who should have good general guidelines relevant to your type of activities.
Unfortunately we aren't able to provide an example privacy notice. It's a little like asking for an example tax return as privacy notices are intended to reflect the way you use personal information and this varies even between therapists. We have retained a lawyer to help us write our own but that wouldn't be suitable for you. That isn't cheap of course but your professional association should be able to give some guidance for someone in your particular area of work.
It is not clear to us that there is a strict requirement that an enquirer positively confirms they have read a notice but it should be fairly visible. We will be adding a link to your standard Privacy Notice in the footer of your website, however to be more cautious you could modify all your email links to be links to your Email Contact Form as that is being updated as explained above.
A standard email contact form only captures an enquirer's name and email address along with IP address of the computer used to make the request. No cookies are captured.
If you have added this yourself you will need to contact the supplier of the mailing list service and ask them. Any reputable service will have made arrangements for GDPR so they may automatically update their plugins with the necessary changes or provide options for you to update the plugin according to the way you will use the data. If you have had assistance from a WebHealer business partner to add the mailing list feature you should contact the business partner for assistance in updating it as required.
Firstly cookies and personal information for GDPR purposes are very different things. It is very rare that you will have access to personal information through cookies so unless you have a special plugin that does give you personal information you are not processing personal information and you won't need a Privacy Notice for it.
When you activate your Privacy Notice you will see a modified footer including a link to a cookie page whatever design you are on. This privacy page again references social media cookies as a catch all in case you have used them on an older design.
The only other cookies that might get used by your website are as a result of 3rd party plugins that you may have used on your website such as online booking tools. If you have used these you should contact the supplier and ask for advice on the privacy implications.
We recommend seeking the advice of your professional association who will understand the typical working practices and data usage of someone in your profession. For more general information about GDPR you may wish to visit the Information Commissioner's Office GDPR page.
To enable this feature within your Email Contact Form go to the Special Features section in your Administration area. There is an option under Privacy Features to enable a tickbox. If you are using a bespoke designed PHD Form you will need to contact the business partner who made it and they will be able to modify the form.
The whole business of GDPR is quite complex and is fundamentally about your own business and procedures. We're seeking advice from a lawyer about our own particular circumstance so I'm afraid we can't really say whether your notice is right for you or covers everything or is in some way "right" or "compliant". All we can say in terms of reassurance is that we are advised that the businesses that get in trouble for GDPR are likely to be those that have given no thought to it at all or decided to play "fast and loose". If you are a small business and have given proper consideration to what you do and written a privacy notice in good faith you are likely to be OK. If you need more reassurance than this then we would advise seeking the advice of your professional association or a commercial lawyer.
Please see this link for our latest terms and conditions, however these are likely to change before May 25th 2018.