There's a growing trend for websites to store more user information (known as personal data) and to download information (known as cookies) to users' devices. The EU's General Data Protection Regulation (GDPR), which applies directly in each EU country, governs how you receive, store and process such information.
At the foundation of the GDPR are six principles that should be followed whenever you receive, store or process personal information. Though there are some limited exceptions, in general, data must be:
(a) Processed fairly, lawfully and transparently
(b) Collected only for specified, explicit and legitimate purposes
(c) Minimised – it must be limited to what's necessary for the specified purpose
(d) Accurate, kept up to date where necessary and erased if it becomes inaccurate
(e) Erased when it's no longer necessary – and stored in a way that makes that possible
(f) Kept secure
The first of those principles is clarified further; processing of data will only be considered lawful if one of these applies:
(a) The individual concerned (the 'data subject') has consented to the processing of their data for the specified purpose
(b) It's necessary for the performance of a contract with the data subject
(c) It's necessary for compliance with a legal obligation
(d) It's necessary in order to protect the vital interests of the data subject
(e) It's necessary for the performance of a task carried out in the public interest
(f) It's necessary for legitimate interests – though in this case the legitimate interest will have to be weighed against the rights of the data subject
All employees should be notified of these principles. Employees and employers (vicariously) attract personal criminal liability for an unauthorised obtaining or disclosure of personal data.
In addition, you must be able to demonstrate that you comply with these data protection principles, in particular by keeping appropriate records of the data you hold and your processing.
The GDPR refers to several 'special categories' of personal data as well as to data relating to criminal convictions or offences.
The 'special categories' are: data that reveals racial or ethnic origins, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying individuals, data relating to health or data relating to someone's sex life or sexual orientation.
If data falls into one of these special categories there are additional hurdles. For example, if you rely on consent as your justification the individual has to have given explicit consent. Alternatively, you might be justified in processing the information if it's necessary for carrying out certain employment law obligations or to defend legal claims.
The GDPR says that if you process data, you must do so transparently. It also explicitly says that when you collect personal data from individuals you should provide certain information to them about the processing. This is called a privacy notice, and must:
1. Use clear, concise and accessible language.
2. Identify who controls the data – e.g. yourself if you're a sole-trader, or the company you work through. If you have a data protection officer (see below), give their contact details.
3. Explain your purpose for holding and using the data, and the legal justification for it.
4. Identify any other entity that the data might be sent to. Also, if you receive data indirectly from another organisation, state the source.
5. Say if you intend to transfer the information to an organisation based outside of the European Economic Area (EEA), in which case you must also say why you're entitled to transfer the information to that country. (The EEA is the EU plus Iceland, Liechtenstein and Norway.)
6. Say for how long the information will be stored, or how you'll decide, e.g. a bank can't say how long someone will be a customer for, but it can say it'll delete some information when they leave and hold on to other information for legal reasons.
7. Explain people's right:
8. Say if you use automated decision-making in relation to people's data, and explain the logic involved.
In order to be both concise and provide all the required information, you should probably adopt a 'layered' approach: (1) display a privacy notice permanently on your website and link to it on every page; and (2) every time you ask for personal information very briefly say how you intend to use that information, ask for their consent if it's required, and provide a link to the full policy.
In addition, someone whose data you hold has a right to request a copy of that information.
Depending on your business, you may be obligated to designate someone as a data protection officer (DPO). This person doesn't have to be an employee - they could be an external consultant, for example, but you must ensure there's no conflict of interest. Most public bodies are required to have a DPO, and a business is required to have a DPO if its core activities involve the following activities on a large scale:
The DPO's role involves several duties relating to supervising, monitoring and advising on data protection compliance, as well as liaising with the Information Commissioner's Office (ICO) on such matters. The DPO must not be subject to detriment on account of their exercise of these activities. For this reason, there will sometimes be tension between the DPO and the business, and so the DPO should be sufficiently senior, so as to be able to act robustly when it's necessary.
Cookies are text files containing small amounts of information. They are downloaded to a user's device when they visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user's device.
If a cookie, together with other information you have, could allow you to profile a person, it's covered by the GDPR. Briefly, profiling means to use the data to evaluate certain aspects of the person, such as their economic situation, health or behaviour.
Like with other information, before setting that cookie you must display a privacy notice explaining what cookies you use and what you intend to do with the information.
In addition, unless it's essential for a service the website user requested from you, you must not set the cookie unless the user consents to that cookie.