This guide has been created to help you understand your GDPR responsibilities as well as to notify you about how we look after your data as a customer of WebHealer.
In terms of your responsibilities if your website collects personal information then GDPR affects you. An obvious example is a website that invites visitors to subscribe to a newsletter but even a simple contact form which captures just the enquirer's name and email address still requires GDPR consideration.
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. It replaced the existing Data Protection Act in the UK and was the biggest overhaul of data protection legislation for 25 years. Despite being an EU initiative it has been incorporated into English law and so is independent of the UK's relationship with the EU.
This guide serves two purposes. Firstly as you are a customer of WebHealer we need to inform you how we look after your privacy and process your personal information. Secondly we will explain the measures we have taken to help you with your responsibilities to be GDPR compliant with respect to your WebHealer website.
We respect your privacy. One of our fundamental principles is that no-one should receive a communication from us that they do not expect and might perceive to be unwanted. This principle is at the heart of GDPR but we also have responsibilities for documentation and to carry out checks on our suppliers.
The whole business is not strictly about websites at all - it is about what you do with personal information you receive through any means and ensuring you have permission to do that. Even if your website has no contact form at all it probably still shows your email address so you need to think about what you do with the email addresses of your enquirers. Responding to the enquiry is obviously a legitimate use, but gathering all these addresses into an email list and mailshotting them periodically with marketing is very unlikely to be a legal use of this personal information under GDPR. As this guide may prompt a number of questions we have prepared an FAQ section which should answer most of your questions.
Although we can't tell you how to be GDPR compliant, we have given a lot of thought to how we can simplify the work you need to do to make your website GDPR compliant. We have created a number of special features which simplify the process of adding privacy notices to your website as well as giving your enquirers the necessary notifications.
WebHealer clients can create their Privacy Notice via the special Privacy Notice section under Site Management in the Administration Area. Once you have written it you can activate it by going to Special Features (also under Site Management) and scrolling down to the Privacy Features section.
Once you activate your Privacy Notice, as explained above, a link is automatically added to your footer which enables website visitors to easily access the page if they wish. The link looks like this.
When visitors contact you via your Email Contact Form (ECF), a higher level of awareness about your Privacy Notice is provided through a link automatically built into the ECF, which looks like the example below.
This type of Privacy Notice notification is generally considered adequate when your usage of the enquirer's email is purely to facilitate communication about the delivery of a service. If however you wish to retain the email and use it to send marketing messages then the checkbox method explained below may be needed.
Note also that the automatic addition of these notifications only applies to the standard Email Contact Form which is provided free with every website. If you are using the PHD Forms service with customised fields for capturing different types of information (age, mobile phone numbers etc) then these contact forms do not automatically include Privacy Notice links. The business partner who builds your form will need to include them.
The tickbox is a higher level of active confirmation by your website visitor. It is designed to confirm that they have seen your Privacy Notice and agree to you processing the information in the manner you explain in your Privacy Notice. Your Privacy Notice may for example say that you will contact them periodically with updates on your service or special offers. Of course this may put people off, so only do this after due consideration. There is no point telling people that you may do it if you never get around to it, as you will put people off for no gain.
You can enable this for Email Contact Forms just like the Privacy Notice link above within the Special Features section of your Administration Area. Just tick ECF Active Confirmation Tickbox. The ECF is then displayed with this kind of notification.
This very much depends on how you use your website and any personal information you obtain through it. This link provides a well written and clear explanation of the areas that will be of most relevance to our customers. It is rare for customers of WebHealer to be engaged in online or offline direct marketing campaigns, so for most the concerns will be about ensuring that your visitors are notified about how you will use their personal information when they contact you (via a Privacy Notice) as well as how we process enquiries that come via your Email Contact Form.
Enquiries submitted through your contact form are sent directly to you by email and then deleted from our systems. They are retained only until we are confident they have been successfully delivered.
The important thing is to draw attention to your Privacy Notice that states how you will use any information provided. See above for how to add a Privacy Notice and how to link to it from your contact form.
This is beyond our area of expertise, as all customers will make individual choices. However, we would recommend contacting your professional association, who should have good general guidelines relevant to your type of activities.
Unfortunately we aren't able to provide an example privacy notice. It's a little like asking for an example tax return, as privacy notices are intended to reflect the way you use personal information and this varies even between therapists. We have retained a lawyer to help us write our own, but that wouldn't be suitable for you. That isn't cheap of course, but your professional association should be able to give some guidance for someone in your particular area of work.
Unless you intend to use emails for marketing, it is not clear to us that there is a strict requirement that an enquirer positively confirms they have read a notice, though it should still be fairly visible. Once your Privacy Notice is activated, links to it will be automatically added from your website footer; however, to be more cautious you could modify all your email links to be links to your Email Contact Form.
A standard email contact form only captures an enquirer's name and email address along with the IP address of the computer used to make the request. No cookies are captured.
If you have added this yourself you will need to contact the supplier of the mailing list service and ask them. Any reputable service will have made arrangements for GDPR so they may automatically update their plugins with the necessary changes or provide options for you to update the plugin according to the way you will use the data. If you have had assistance from a WebHealer business partner to add the mailing list feature you should contact the business partner for assistance in updating it as required.
Firstly cookies and personal information for GDPR purposes are very different things. It is very rare that you will have access to personal information through cookies so unless you have a special plugin that does give you personal information you are not processing personal information and you won't need a Privacy Notice for it.
When you activate your Privacy Notice you will see a modified footer including a link to a cookie page whatever design you are on. This privacy page again references social media cookies as a catch all in case you have used them on an older design.
The only other cookies that might get used by your website are as a result of 3rd party plugins that you may have used on your website such as online booking tools. If you have used these you should contact the supplier and ask for advice on the privacy implications.
We recommend seeking the advice of your professional association, who will understand the typical working practices and data usage of someone in your profession. For more general information about GDPR you may wish to visit the Information Commissioner's Office GDPR page.
To enable this feature within your Email Contact Form go to the Special Features section in your Administration area. There is an option under Privacy Features to enable a tickbox. If you are using a bespoke designed PHD Form you will need to contact the business partner who made it and they will be able to modify the form.
The whole business of GDPR is quite complex and is fundamentally about your own business and procedures. We're seeking advice from a lawyer about our own particular circumstance so I'm afraid we can't really say whether your notice is right for you or covers everything or is in some way "right" or "compliant". All we can say in terms of reassurance is that we are advised that the businesses that get in trouble for GDPR are likely to be those that have given no thought to it at all or decided to play "fast and loose". If you are a small business and have given proper consideration to what you do and written a privacy notice in good faith you are likely to be OK. If you need more reassurance than this then we would advise seeking the advice of your professional association or a commercial lawyer.
Prior to the launch of GDPR there were some concerns that standard GMail might not be GDPR compliant. We raised this with our legal advisors and received the following reassurance "This privacy notice is compliant with GDPR and has clearly been designed with GDPR in mind. The privacy notice will have been sent to all Gmail users within the EU and makes it quite clear that the rights extended by that policy apply across Google as a whole".
Please see this link for our latest terms and conditions; however, these are likely to change before May 25th 2018.