Considering a website update, what are the data protection pitfalls?

Perhaps you have a “brochure site” and want to upgrade it, or you are developing your first website and want to avail of the online trading voucher grant.

The data protection risks of a brochure site are minimal. A brochure site is like a flyer with some details and contact information that you leave in a public place, hoping that someone interested in what you have to offer happens by, picks up the flyer and contacts you. The risks are minimal, but so are the likely returns.

The conditions on the online trading voucher require that your site is marketed and capable of at least basic e-commerce transactions. You will need to consider the ePrivacy and data protection requirements to meet these goals. As this is a new endeavour for your company, the GDPR requires that you conduct a Data Protection Impact Assessment (DPIA).

In the following sections, I will discuss some of the areas that you need to consider. The list is not exhaustive. A DPIA should be facilitated by a data protection expert to protect both your business as the data controller and your suppliers as data processors.

ePrivacy

The DPC has focused this year on the ePrivacy directive and ensuring that companies implement cookie and tracking solutions that are compliant with the requirements of the ePrivacy Regulations and GDPR. In April they issued guidance, and they commenced enforcement on the 5th October. Your site must, at launch, comply with this guidance. If you have a “brochure style” legacy website, the risk of non-compliance is low.

The conditions for the online trading voucher require you to use the website to drive e-commerce activity for the business, whether this is selling products directly or taking bookings and deposits for services. The online trading workshops also place a strong emphasis on marketing the website to ensure that you drive attention to your site. The site must be more than just a flyer that you put where you know your prospects will see it.

The technologies required to meet these requirements will frequently want to place cookies in your customer’s browser or use other means to track your customer through your website. However, the ePrivacy regulations are very clear about the limited legitimate reasons for placing data in web browsers. Consent is the only lawful basis for installing any additional data or tracking. GDPR requires that consent is informed, freely given, explicit and capable of being withdrawn.

The interaction between your website and its visitors is a business process. It is a best practice to measure business processes. You need to consider carefully how these metrics are collected to ensure that your solution is compliant with the requirements of the ePrivacy Regulation. The Regulation allows for the use of cookies to support the necessary communications to complete the business processes; it does not allow for the analytics tracking without the consent of the visitor.
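The distinction drawn above, between cookies needed to complete the business process and analytics or marketing cookies that need prior consent, is easiest to get right if the website enforces it in one place rather than in every script. The following is an added example (not code from the original post or from the author's site) of a small consent gate: essential cookies are always permitted, anything in a non-essential category is refused until the visitor explicitly opts in, and withdrawing consent both blocks future tracking and purges cookies already set under that category. The category names, cookie names and the in-memory cookie jar are assumptions made for the demo; a real site would hook storage into `document.cookie` and the opt-in into its consent banner.

```javascript
// Added example: a consent gate modelling the ePrivacy split between
// essential cookies and tracking that needs explicit, withdrawable consent.
// Category names and the cookie jar are constructed for this demo.

const ESSENTIAL = "essential";
const NON_ESSENTIAL = new Set(["analytics", "marketing"]);

class ConsentGate {
  constructor() {
    this.consent = new Map(); // category -> true only after an explicit opt-in
    this.jar = new Map();     // cookie name -> { value, category } (stand-in for document.cookie)
    this.log = [];            // audit trail of what was set, refused or purged
  }

  // Essential cookies are always allowed; every other category defaults to "no".
  isAllowed(category) {
    if (category === ESSENTIAL) return true;
    if (!NON_ESSENTIAL.has(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    return this.consent.get(category) === true;
  }

  // Returns true if the cookie was set, false if it was refused for lack of consent.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) {
      this.log.push({ action: "refused", name, category });
      return false;
    }
    this.jar.set(name, { value, category });
    this.log.push({ action: "set", name, category });
    return true;
  }

  // Consent is an explicit act by the visitor for a named category.
  grant(category) {
    if (!NON_ESSENTIAL.has(category)) {
      throw new Error(`consent is only recorded for non-essential categories, got ${category}`);
    }
    this.consent.set(category, true);
  }

  // Withdrawal takes effect immediately: block new cookies in the category
  // and delete the ones already present.
  withdraw(category) {
    this.consent.set(category, false);
    for (const [name, cookie] of [...this.jar]) {
      if (cookie.category === category) {
        this.jar.delete(name);
        this.log.push({ action: "purged", name, category });
      }
    }
  }

  cookieNames() {
    return [...this.jar.keys()].sort();
  }
}

// Walk-through with constructed cookie names: an order session cookie,
// then an analytics cookie before consent, after consent, and after withdrawal.
function demo() {
  const gate = new ConsentGate();
  gate.setCookie("session_id", "constructed-session", ESSENTIAL);
  const beforeConsent = gate.setCookie("analytics_visitor", "v1", "analytics");
  gate.grant("analytics");
  const afterConsent = gate.setCookie("analytics_visitor", "v1", "analytics");
  gate.withdraw("analytics");
  return {
    beforeConsent,              // false: refused, no consent yet
    afterConsent,               // true: set once the visitor opted in
    remaining: gate.cookieNames(), // only the essential cookie survives withdrawal
    log: gate.log,
  };
}
```

The gate does not decide which category a cookie belongs to; that classification is the output of the DPIA and cookie audit, and the code simply enforces it. Keeping the audit log gives you a record you can reconcile against the cookie policy later.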

Contact Forms

Contact forms are a popular way of collecting information from prospects visiting your website. The form can collect contact details such as phone numbers or email addresses and a description of the reason why the visitor wishes to contact you. Collecting this information falls within the process of providing the products and services that the visitor is interested in and therefore does not require collecting (or managing) consent from the visitor.

The data collected are specific to the visitor’s intent when completing the form, namely the particular product or service in the enquiry. You cannot use them for any other purpose without getting consent. If you wish to collect contact information for, say, a newsletter, then you would need to ask for specific consent to use the details for this additional purpose.

Consider how you will secure the transfer of data from the browser to your business. You should also identify copies made during the transfer; for each copy, you should document the storage and retention of these data.

As an example you can look at my contact form.

Payment

The objective for many online trading voucher sites is to sell and collect payment for products or services provided by the business. The collection of fees through a website requires the use of a payment processor. You must have a clear understanding of how this process operates. You will need to be transparent with your customers about the process and about who is collecting and storing the information they provide through it.

While GDPR does not treat financial information such as credit card numbers as special category data, in practice financial information is a sensitive topic. You need to ensure that you understand and transparently communicate the processes involved, carefully identify and analyse the risks to your customer’s data, and implement appropriate technical and organisational measures to mitigate the risks identified.

Terms and Conditions and Policies

You may wonder if this should have been the first thing. However, it is essential to understand all of the services and data processing activities provided by the website before finalising the terms and conditions, privacy policy and cookies policy. You will need a detailed understanding of the website to provide accurate and sufficient documents.

There may also be an opportunity to use the website’s privacy policy as the public statement of the company’s privacy policy. Offline data processing activities can then reference the document on the website for policy information.