Blackbox Web Design – Website Design for Businesses | Watford, Herts (feed updated Tue, 08 Oct 2019 14:28:02 +0000)

GDPR: Cookies, notifications and consent – a 2019 update
Published Tue, 08 Oct 2019 14:13:53 +0000 on Blackbox Web Design.


Cookie notifications and consent post-GDPR

In this follow-up from our previous article, we’ll look at:

  • The ICO’s updated guidance (July 2019) on the use of cookies
  • The new requirements for user consent
  • The need for Cookie Control Mechanisms on your website


The background – PECR and GDPR, cookie notifications and consent

Back at the start of 2018, and before the introduction of the now infamous General Data Protection Regulation (GDPR), we wrote an article on the application of the new regulation to the existing rules on the use of cookies on small business websites.

We updated that article a number of times as some of the murkier areas of doubt became (slightly) clearer, and if you’re looking for a bit of background on the issue – including why it might be relevant to you if you’re running a website for your business – we still think it’s worth a read.

Time has now passed since the implementation of the GDPR, and we remain in what I referred to at the time as a ‘limbo’ period where the rules about cookies are mainly governed by the Privacy of Electronic Communications Regulation (or ‘PECR’, which I like, amusingly, to pronounce ‘pecker’), which should, by rights, have been updated by now in order to dovetail better with GDPR.

Well, it hasn’t been updated yet, so we’re still in a situation where the specific rules about cookies come from PECR, but there are ‘bigger picture’ principles from GDPR that in some ways conflict, making life distinctly complicated.

Some clarity

Well, back in July of 2019, we finally got some clarity on the specific issue of the use of cookies via updated guidance from the Information Commissioner’s Office (ICO). And as the ICO are the UK regulator on all things data protection, that should have been a welcome update.

Except, it wasn’t.

Or at least, it wasn’t what a lot of people were hoping for, because the updated guidance is a significant departure from the ICO’s previous guidance on the matter – and it has real implications for people running websites.

What’s changed?

The main point to note is the ICO’s position on the type of consent that is required before you can legitimately use non-essential cookies.

In general terms, you have always needed the consent of your website visitors to place cookies on their device, but in the past the concept of ‘implied consent’ was deemed to be ok.

Under implied consent, you could use the old favourite get-out-of-jail-free card that said “This website uses cookies. By using the site we assume that you accept our use of cookies”.

So, in fairness, implied consent really boiled down to “We use cookies. Get over it”.

We were just notifying the user that cookies were in use – and, chances are, they had already been set by the time the user had seen the notification.

So the purists would probably be justified in saying that there wasn’t any real consent there at all.

Implied consent is now dead. Finito.

The level of consent required for the use of cookies is now the same specific, informed, freely-given consent that is defined within GDPR:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

This means that in all cases where we do something on our website that requires the user’s consent, we must get the user to make some specific, positive action to indicate that consent – and we must do so before the event requiring consent takes place.

This boils down to one important point – which is very relevant to how we design and build websites now and, more to the point, how we may have to redesign existing sites:

Technically, we cannot set any non-essential cookies when people first land on our websites. We have to implement some form of ‘cookie control mechanism’ which blocks all non-essential cookies unless and until the user expressly says that it’s ok.

The exception

For every good rule, there’s always a good exception.

I’ve been careful so far to use the expression ‘non-essential’ cookies when referring to the requirement for specific advanced consent.

That’s because there is an exception to the consent requirement that applies to ‘essential’ cookies. More correctly, cookies that are ‘essential to provide an online service at someone’s request’.

This means that cookies that perform functions like remembering the contents of a shopping cart, or providing security in an online banking transaction – without which the process could not work – are exempt from the consent requirement.

What does this mean for website owners?

For many website owners, this will mean that a review of their site and technical changes will be required if they are to be compliant with the relevant regulations.

It would be pretty unusual for a website not to use any form of cookies, and your site will almost certainly use them to some extent if:

  • They are built on a Content Management System (CMS) framework such as WordPress, or one of the website builder products from the likes of Wix or Godaddy;
  • The site uses Google Analytics (or indeed most other analytics providers)
  • The site has embedded any form of social media content such as Twitter or Facebook timelines, YouTube videos, or social sharing features;
  • You are using social marketing tools such as Facebook pixel, Google Ads or any other mechanism that tracks user behaviour across your site.

To be compliant with the regulations, sites would need some form of cookie control mechanism that ensures that the cookies associated with those functions were not set unless and until the visitor gave their express consent.

A reality check

So, does this mean that businesses and website owners are rushing to adapt their sites so as to be compliant with the new ICO guidance?

In practice, and at the time of writing this, no.

The majority of sites out there are not strictly (or in some cases, even nearly) compliant.

Sure, to a certain extent that’s because it will take time for website owners (and even some designers, developers and web support companies) to fully realise what is required of them.

But there are those who are aware and are taking an ‘educated risk’ in not complying with the regulations, due to the perceived detrimental impact on the user experience and the perceived low likelihood of actually being penalised by the regulator.

And I can understand that approach.

Not advocating it, obviously.


GDPR – Do I need a Cookie Warning on my small business website?
Published Wed, 03 Jul 2019 07:22:33 +0000 on Blackbox Web Design. In this article we'll look at the steps small business website owners need to consider relating to cookies and cookie warnings.



Do I need one of those awful cookie popups?

In this article, we’ll look at:

  • Why your website might be using Cookies whether you know it or not
  • How the GDPR has made things complicated
  • Whether you need Cookie Control on your site


UPDATE NOTICE – Late 2019: Please note that in July 2019 the UK Information Commissioner’s Office (ICO) published updated guidance on the use of cookies.

While the following article has been updated to reflect the new guidance, we have written a complete update on the position as it stands now with regard to cookies, cookie notifications and cookie consent mechanisms.


We’ve all got used to seeing pop-up boxes on websites, notifying visitors about the use of cookies on the site.

You should already have seen ours, but you can take another look here if you’re the masochistic type.

If you’ve been following our series of articles on the implementation of the EU General Data Protection Regulation, you may be rightly asking yourself what impact the GDPR will have on the use of website cookies, and what you need to do to make your small business website compliant.

Well, the truth is that it’s complicated – and in this article, I’ll go onto explain why and, more importantly, what actions you need to take if you operate a website that uses cookies.

We’re going to look at:

  • Why your website might use cookies;
  • Why the new regulation makes the use of cookies particularly confusing;
  • Recommendations for how to approach the use of cookies post-GDPR.

A heads-up: By the end of this article, I will have explained why, for some simple websites, it may be completely legitimate not to display any form of cookie warning at all – but that will likely be the exception rather than the rule. You will need to make an informed decision relating to your own website, based on your use of Google Analytics, e-commerce, social media tracking and other cookie-dropping functionality.

Why cookies are important to website owners

If you’re not sure what cookies are, there’s plenty of good content online to get you up to speed, so I’m not going to address that here. You can’t go far wrong with Wikipedia’s article as a starting point.

Suffice to say, it would be the exception rather than the rule for a website not to use any cookies at all – so if you run a small business website (or pretty much any other type, for that matter), you want to give this some thought.

Let’s quickly look at some typical uses of cookies so that you’ve got some context on the type of functionality that they enable:

  • E-commerce websites that use a ‘cart’ or ‘basket’ to remember items that the customer wants to buy will use cookies;
  • Any form of personalisation of the website (such as the preferred language) is bound to use cookies to remember the user’s choice;
  • Statistical analytics (such as Google Analytics) will use cookies as the fundamental means of being able to tell one user from another;
  • Social media marketing (such as targeted Facebook advertising) relies on the placement of cookies to work;
  • Content Management Systems, such as WordPress, use a selection of cookies to manage user logins, blog commenting and more.

It’s therefore pretty clear why we need to get a grip on using cookies in a compliant manner – without them, we would lose a number of significant tools.

Why cookies have suddenly got more complicated

The GDPR was never meant to be the be-all and end-all of privacy law – it was always meant to be introduced at the same time as a separate piece of legislation, the Regulation on Privacy and Electronic Communications (or more commonly, the ePrivacy Regulation). Both new regulations were due to replace existing law*.

Whilst the GDPR provides a broad framework of regulation covering a wide range of scenarios, the ePrivacy Regulation was intended to address the specific detail of the regulation of electronic communications, which includes Cookies. The GDPR says virtually nothing about cookies specifically.

You can probably sense that there is a ‘but’ coming.

But – the problem is that the ePrivacy Regulation is not going to be ready in time to coincide with the GDPR, and the GDPR is going ahead anyway – so we’re left in a slightly bizarre limbo situation:

  • The GDPR comes into force on 25th May 2018;
  • The ePrivacy Regulation is unlikely now to come into force until 2019;
  • That means that the existing ePrivacy Directive, which was due to be replaced, is still in force;
  • We do know what the current draft of the ePrivacy Regulation says – so, subject to any changes, we’ve got a reasonable idea what it’s going to say;
  • But as things stand, we’ll be in a situation where we’re trying to comply with two pieces of legislation that were never really designed to work together, and which – in some ways – conflict with each other.


The specific issue with cookies

So that leads us to our specific issue in relation to cookies.

Under the GDPR, most cookies are going to fall into the category of ‘personal data’ because they are capable of identifying an individual and can be used to provide website personalization and even profiling of individuals.

As a result, you are going to need a legal basis for processing the data contained within those cookies – and that legal basis is most likely going to be the CONSENT of the individual.

Under the previous rules, the idea of ‘implied consent’ was ok.

It is implied consent that makes it acceptable to say something like ‘This website uses cookies. By using the site you are agreeing to the use of cookies’. The principle was that as long as you told people about the use of cookies, it was ok to use them, regardless of whether they really agreed or not.

The GDPR mandates that implied consent is no longer valid.

Instead, consent must be explicit and indicated by an ‘affirmative action’ on the part of the individual. Therefore for consent to be valid, you have to give the individual the choice of whether to consent, before any cookies are used.

This creates two immediate problems if you want to use cookies that require consent:

  1. Website development: Your website must be developed in such a way that no such cookies are used when the person first lands on the page. The cookies can only be set when they have ticked an ‘I consent’ box or something similar. Technically, this can be quite complex, and it is likely to result in a less-than-ideal user experience when they visit your site;
  2. Where’s the incentive?: There is generally very little perceived incentive for the individual to actually consent. Let’s be honest, often enough the reason you want to use cookies is for your benefit (e.g. analytics, social media marketing), and not the individual’s.

It’s not hard to imagine a scenario where we’re all forced to make (potentially complex) changes to our websites that force visitors to make decisions about whether to allow cookies or not before they even get to see our precious, carefully designed homepages.

And then, given that we’re likely to want to use cookies to enable website analytics or social media marketing, the effectiveness of those things will be hugely undermined by the fact that by default, they won’t work! They will only kick in if somebody goes out of their way to check the consent box(es).

Is consent necessary?

So far in this article, I’ve already made specific references to ‘cookies that require consent’.

I’ve done that because you should not assume that all cookies DO require consent.

Guidance that has been issued from the ICO since the implementation of the GDPR has helped to clarify this issue somewhat. What we now know is that:

  • When it comes to the placement of cookies on a website, consent is the only relevant lawful basis (you cannot, for example, rely on one of the other GDPR lawful grounds such as Legitimate Interest). So, yes – unless your cookies fall into the exception that I describe below, consent is necessary;
  • Where consent is necessary, you have to gain that consent before any cookies are set;
  • There is an exemption for cookies that are considered ‘essential’ in order to perform a particular online service on someone’s behalf. For these types of ‘necessary’ cookies, no specific consent is required. An example of such ‘essential’ cookies would be cookies that are used to remember basket items during an online shopping process.

It is therefore possible to use cookies on your website without consent, but only in the scenario where all of the cookies in use on your site can (legitimately) be considered as ‘essential’. It’s pretty clear that cookies for the purpose of analytics or social marketing are not going to be considered as essential.

So, as things stand, the situation would appear to be this if you want to be compliant:

  • You need to determine exactly what cookies are in use on your website – this is going to be essential in any event;
  • You’ll need to make a determination (one that you’re prepared to stand by) about which, if any, of those cookies are ‘essential’ and therefore do not require consent;
  • If any of the cookies in use on your site do require consent, then you will either need to:
    • Remove them; or
    • Add some form of cookie control functionality to your website to ensure that the cookies are only set in the event of the user actively consenting.

Both of these actions will involve some sort of technical development, so unless you’re into that sort of thing yourself, you’re going to need to speak to whoever looks after your site.

We’re going to move on to address some of the more commonly used types of cookies, with a proposed approach to each.

E-commerce carts and baskets

In previous legislation, including the existing ePrivacy Directive, there is an exemption to the requirement to gain consent for cookies that are ‘strictly necessary’ for the purpose of fulfilling the user’s request.

Cookies are essential to provide this type of functionality, and therefore their use is seen as legitimate under the prevailing ePrivacy Directive. There is no reason to believe that that will change under the ePrivacy Regulation.

From a GDPR perspective, we would also suggest that the use of such cookies is legitimate as part of fulfilling a contract to which the individual is party. This is an additional lawful basis for processing the data (Article 6(1)(b)).

Therefore, cookies used for this purpose shouldn’t cause you any additional concern. That said, you should still highlight the use of such cookies in your Privacy Policy, even if you’re not relying on consent.

Website Analytics

The use of website analytics, and Google Analytics in particular, is the category of cookies that will arguably affect the largest proportion of small business websites.

When the GDPR was first implemented, there was a distinct grey area around whether the general rules relating to cookies – and in particular the need to gain consent in advance for their use – would really apply to the types of cookies placed by analytics tools.

Essentially, I think we were all hoping beyond hope that they wouldn’t. Because if you need to ask a website visitor whether it’s OK for you to track their visit in your analytics, then inevitably your analytics will only ever give you part of the picture of your site’s performance. It undermines the very purpose of using analytics in the first place.

Guidance subsequently issued by the UK ICO has given significant clarity to this issue – it’s just not the answer that many people were hoping for:

Essentially, under the privacy regulation (PECR) and the GDPR, there is no specific exemption for analytics cookies, and so the same rules requiring specific, valid consent apply.

Technically, therefore, we must ensure that a visitor to our website has expressly consented to the use of analytics cookies before we can run the relevant scripts to track their visit.

Incidentally, there are some broader privacy considerations that should be borne in mind when using analytics (usually Google Analytics):

  • Make sure that you do not, intentionally or inadvertently, send any data to Google Analytics that allows the identification of an individual. Not only would this be a privacy issue, it is also a breach of the Google Analytics Terms of Service. The most common situation in which this occurs is when personal data is included dynamically within a page URL.
  • Make sure that your Google Analytics tracking code includes the optional ‘anonymizeIp’ setting, which has the effect of partially obscuring the user’s IP address.

These are both clearly technical configuration issues – if they don’t mean anything to you, you will need to discuss them with whoever looks after your analytics.

Analytics summary: It is now clear that, technically, in order to comply with all of the relevant regulations and legislation, we must actively gain the consent of our website visitors before any cookies are set for the purpose of analytics. This will require some form of cookie control mechanism to be implemented on websites, in order to ensure that all cookie scripts are ‘held back’ until the user actively gives consent – and that mechanisms are put in place to allow users to withdraw that consent at a later stage.

I’ll repeat my previous disclaimer: this is not legal advice, and you need to make your own informed decision about how you handle these cookies.

Social Media Marketing

The use of social media marketing, most commonly Facebook targeted advertising, represents a somewhat complex situation from a privacy perspective.

The majority of the data collection and processing happens on the Facebook platform, and Facebook is Data Controller for the majority of such services. Therefore Facebook has significant GDPR obligations, including making their own terms and privacy policy GDPR compliant.

As part of this obligation, the Facebook advertising Terms of Service for advertisers includes a requirement that all advertisers display a ‘clear and prominent notice’ about the use of the cookies and other technologies that are required for such advertising.

So, any website that uses the Facebook (or similar) pixel to allow the profiling of web visitors (e.g. for the purposes of targeted marketing campaigns) requires the consent of the individual for the placement of the cookies that are associated with that functionality.

In the past, this consent could be based upon the ‘implied consent’ model but, as we have seen, such implied consent will no longer be valid under the GDPR.

As a result, if you plan to continue to use social media marketing, including the Facebook pixel for targeted ads, you will need to ensure that your website meets this consent requirement.

You cannot load the pixel code that generates the cookies until the individual has provided a clear, affirmative action confirming their consent. Very few websites are currently configured to work in this way, so this will likely require your attention.
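The cookie control mechanism that the Analytics summary above and this section both call for (hold every non-essential script back until the visitor takes an affirmative action, and let them withdraw later) can be sketched in a few dozen lines of browser JavaScript. What follows is an added example, not code from the original article or from Blackbox Web Design; the consent cookie name, the two categories, the script URLs and the first-party cookie names listed against each script are assumptions for illustration.

```javascript
// Added example (not Blackbox Web Design's code): a minimal cookie control
// mechanism. Non-essential scripts are held back until the visitor takes an
// affirmative action, the choice is recorded per category, and it can be
// withdrawn later. Cookie name, categories, script URLs and the first-party
// cookie names each script sets are assumptions for illustration.

const CONSENT_COOKIE = 'cookie_consent';       // our own record of the choice (strictly necessary)
const CONSENT_VERSION = 1;                      // bump this when the policy or categories change
const CATEGORIES = ['analytics', 'marketing'];  // the non-essential categories we gate

// Gated scripts and the first-party cookies we expect each to set on our domain
// (constructed list: audit your own site to build the real one).
const GATED_SCRIPTS = [
  { category: 'analytics', src: 'https://www.google-analytics.com/analytics.js', cookies: ['_ga', '_gid'] },
  { category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js', cookies: ['_fbp'] },
];

// Read the consent record out of a Cookie header / document.cookie string.
// Anything missing, malformed or from an older policy version is "no consent":
// the absence of a record is never treated as implied consent.
function parseConsent(cookieString) {
  const m = (cookieString || '').match(new RegExp('(?:^|;\\s*)' + CONSENT_COOKIE + '=([^;]*)'));
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    if (rec.v !== CONSENT_VERSION || !rec.choices || typeof rec.choices !== 'object') return null;
    const choices = {};
    for (const c of CATEGORIES) choices[c] = rec.choices[c] === true;  // only an explicit true counts
    return { version: rec.v, choices };
  } catch (e) {
    return null;
  }
}

// Encode a choice set as the consent cookie value. Unlisted categories are false.
function serialiseConsent(choices) {
  const rec = { v: CONSENT_VERSION, choices: {} };
  for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
  return encodeURIComponent(JSON.stringify(rec));
}

// Which gated script URLs may be loaded for this visitor. No record: nothing loads.
function scriptsToLoad(cookieString) {
  const consent = parseConsent(cookieString);
  if (!consent) return [];
  return GATED_SCRIPTS.filter((s) => consent.choices[s.category]).map((s) => s.src);
}

// First-party cookies to expire when consent is withdrawn.
function cookiesToExpire(consent) {
  if (!consent) return [];
  return GATED_SCRIPTS.filter((s) => consent.choices[s.category]).flatMap((s) => s.cookies);
}

// Browser wiring: only runs where a DOM exists, so the decision functions
// above can also be exercised outside a browser.
if (typeof document !== 'undefined') {
  // ~6 months; Secure means the site must be served over HTTPS.
  const CONSENT_ATTRS = '; Path=/; Max-Age=15552000; SameSite=Lax; Secure';

  const applyConsent = () => {
    for (const src of scriptsToLoad(document.cookie)) {
      const el = document.createElement('script');
      el.src = src;
      el.async = true;
      document.head.appendChild(el);
    }
  };

  // Called from the banner's "Accept" control with the boxes the visitor ticked,
  // e.g. acceptCookies({ analytics: true, marketing: false }).
  window.acceptCookies = (choices) => {
    document.cookie = CONSENT_COOKIE + '=' + serialiseConsent(choices) + CONSENT_ATTRS;
    applyConsent();
  };

  // Called from a "withdraw consent" link in the privacy policy. A cookie that
  // was set with a Domain attribute can only be expired with the same Domain.
  // Scripts already running keep their in-memory state until the page reloads.
  window.withdrawCookies = () => {
    for (const name of cookiesToExpire(parseConsent(document.cookie))) {
      document.cookie = name + '=; Path=/; Max-Age=0';
    }
    document.cookie = CONSENT_COOKIE + '=' + serialiseConsent({}) + CONSENT_ATTRS;
  };

  applyConsent();  // on every page load: load only what has already been consented to
}
```

The decision functions are kept free of DOM calls so they can be tested outside a browser; in the page, the banner's buttons call `acceptCookies` and the privacy policy's withdraw link calls `withdrawCookies`. The IP-anonymisation setting mentioned under Website Analytics belongs in the analytics configuration that runs after the script has loaded, so it is not part of the gate itself.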

Functionality-based cookies

It is common, especially for sites based on a CMS like WordPress, to use cookies to provide particular types of functionality – for example, on a multi-lingual site, it is likely that a cookie will be used to store the user’s language preference. Or, on a site that uses popup windows, a cookie might be used to track that a user has already seen the popup, and prevent it firing repeatedly.

These types of cookies, especially when they are generated by a software plugin, can be a little more complex to deal with from a privacy perspective – because it may be necessary to adjust the code that delivers those cookies to ensure that they are only set when an individual has given their consent.

Whether this is possible or not will depend on the exact nature of the cookie itself, and it is therefore likely that you will need to speak with whoever looks after your site.


As you can no doubt tell, getting the cookie control and privacy policy right is likely to be a challenge for many small business websites.

In my opinion, there will be plenty of simple websites out there that, if managed properly, will not need any specific cookie control functionality or annoying cookie warnings.

The wisest approach is:

  • to thoroughly audit your site so that you definitely understand what cookies are in use;
  • challenge yourself whether those cookies are really necessary, and remove any cookie-dropping functionality that you don’t really need – after all, data minimisation is always going to be your best bet here;
  • make sure you have a good justification (documented in your privacy policy) for the use of any cookies for which you say you don’t need consent;
  • speak to whoever looks after your website to work out your options for blocking any remaining cookies that do need prior consent.
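The first step in that list, auditing which cookies a first visit sets, can be turned into a repeatable check. The following is an added example (not from the original article or from Blackbox Web Design): it takes the cookies observed on a first page load with no interaction, written in Set-Cookie syntax as captured from a proxy or the browser's storage inspector, and reports every cookie that was set before consent and is not on your documented allowlist of essential cookies. Both the sample cookie lines and the allowlist are constructed for illustration.

```javascript
// Added example (not Blackbox Web Design's code): an offline check of the
// "no non-essential cookies before consent" rule. Input is the list of cookies
// observed on a first visit with no interaction, in Set-Cookie syntax. The
// sample cookies and the allowlist of essential cookie names are constructed.

// Cookies we have decided (and documented in the privacy policy) are essential.
// Entries may be exact names or regular expressions. Constructed list.
const ESSENTIAL_COOKIES = [
  'PHPSESSID',                  // server session used for login and the basket
  'woocommerce_cart_hash',      // remembers basket contents at the shopper's request
  /^wordpress_logged_in_/,      // CMS login session
];

// Constructed sample: what a first, consent-less page load was seen to set.
const SAMPLE_FIRST_LOAD = [
  'PHPSESSID=c0ffee; Path=/; HttpOnly; Secure; SameSite=Lax',
  'woocommerce_cart_hash=9f1d; Path=/; Secure; SameSite=Lax',
  '_ga=GA1.2.111.222; Max-Age=63072000; Path=/; SameSite=Lax',
  '_gid=GA1.2.333.444; Expires=Thu, 10 Oct 2019 14:13:53 GMT; Path=/; SameSite=Lax',
  '_fbp=fb.1.1.2; Max-Age=7776000; Path=/; SameSite=Lax',
];

// Parse one Set-Cookie line into the fields the audit needs. Attribute names are
// case-insensitive (RFC 6265); a cookie with Max-Age or Expires is persistent.
function parseSetCookie(line) {
  const [nameValue, ...rest] = line.split(';').map((p) => p.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  const maxAge = attrs['max-age'] !== undefined ? Number(attrs['max-age']) : null;
  return {
    name,
    persistent: maxAge !== null || attrs.expires !== undefined,
    maxAgeDays: maxAge === null ? null : Math.round(maxAge / 86400),
  };
}

function isEssential(name, allowlist) {
  return allowlist.some((p) => (p instanceof RegExp ? p.test(name) : p === name));
}

// One finding per cookie that was set before any consent and is not essential.
// An empty result is the state a compliant first load should be in.
function auditFirstLoad(setCookieLines, allowlist) {
  const findings = [];
  for (const line of setCookieLines) {
    const c = parseSetCookie(line);
    if (isEssential(c.name, allowlist)) continue;
    findings.push({
      name: c.name,
      persistent: c.persistent,
      maxAgeDays: c.maxAgeDays,
      issue: 'non-essential cookie set before consent',
    });
  }
  return findings;
}

// Stand-alone run: print the findings as a small report.
for (const f of auditFirstLoad(SAMPLE_FIRST_LOAD, ESSENTIAL_COOKIES)) {
  const life = f.persistent ? (f.maxAgeDays !== null ? f.maxAgeDays + ' days' : 'until Expires') : 'session';
  console.log(`${f.name}: ${f.issue} (lifetime: ${life})`);
}
```

Run it against a fresh capture after every change to the site or its plugins; a cookie appearing in the findings means either the allowlist (and the privacy policy justification behind it) needs updating, or the thing that sets the cookie needs to be moved behind the consent gate.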

And if it feels like a pain in the arse, that’s because it is.

I’ll repeat my disclaimer from the beginning of this series of articles – the responsibility for data privacy within your business is ultimately with you, the data controller. The information provided here is an attempt to help people short-cut what can be a daunting task – but none of it should be considered to be legal advice.

You can contact me here if you have any data privacy needs relating to your website; for specific legal advice relating to your particular business, I would always recommend speaking to a specialist legal professional.

In case you’ve missed any of our previous articles, you can check them out here:


GDPR Small Business Action Plan – Part 4: Implement a process for ongoing compliance
Published Fri, 30 Mar 2018 13:25:36 +0000 on Blackbox Web Design. How to make sure your business becomes and stays compliant, including how to write a Privacy Policy.



GDPR Action Plan Part 4

How to be GDPR compliant on an ongoing basis

In this article, we’ll look at:

  • Identifying and rectifying your data privacy weaknesses
  • How to write a Privacy Policy
  • Some further resources



In our previous articles, we’ve looked at:

The natural conclusion to this process is to pull everything together so that:

  • You have identified any weaknesses in your data privacy processes – including understanding whether anything you currently do would constitute a breach under the GDPR;
  • You can confidently assert your legal basis for processing your different types of personal data;
  • You have a specific plan for rectifying any issues you discover;
  • You can create a Privacy Policy that is effective in informing your data subjects and protecting you as a business.

Let’s crack on.

Identifying and rectifying weaknesses and potential breaches

The principle here is pretty straightforward – by identifying how you are processing individuals’ personal data, and establishing the lawful basis for doing so, you will naturally discover any situations where you are unable to justify (in GDPR terms) the processing that you undertake.

Some examples might include:

  • Where you process a type of data without the level of consent that the regulation requires, and where there is no other lawful basis that you can rely upon – such as continuing to use an ‘implied’ consent model;
  • Where you collect more data than is required to carry out the purpose for which it was collected;
  • Where you are holding onto old (and probably out-of-date) personal data that you no longer have a legitimate reason for keeping;
  • Where you are unsure where a type of electronic data is stored, or who therefore has access to that data;
  • Where more people have access to personal information than is required, or the data is otherwise non-secure.

There are probably many other examples, but the point is this:

In order to have a chance at GDPR compliance, you need to fix these issues – either by changing your internal processes to address the specific issue, or by stopping the ‘offending’ processing and securely removing any data that you have collected in that manner.

Pragmatically, the time to do that is before the GDPR comes fully into force on 25th May 2018 – because even if you have a plan to rectify the problem, if you continue to store data you have collected unlawfully beyond that date in May, you are technically committing a breach.

How you go about rectifying any issues is obviously going to vary between businesses, and it will be dependent on the type and scale of the issue.

The types of things that small businesses are most likely going to have to do will include:

  • Creating a compliant Privacy Policy, and making it conspicuously available to people whose data you collect (we’ll move onto Privacy Policies later in this article);
  • Changing the way your website forms work to ensure that there is a suitable ‘consent’ checkbox, with links to your Privacy Policy – and a process of tracking who has consented, and to what;
  • Prior to the enforcement of the regulation at the end of May, businesses may choose to contact their existing customers to secure their valid consent to things like marketing emails and newsletters – otherwise you may be in a position where you can no longer use that data;
  • Speak to whoever looks after your company website to ensure that you fully understand the site’s use of cookies, where the website servers are physically located, and who has access to them.

Now is the time to start addressing those things.

Create a plan to ensure ongoing compliance

This is where all of the hard work that you’ve put in up to this point all comes together. The output of this stage of the process will be a Privacy Policy that documents, among other things:

  • What data you collect, how you process it and the measures that you take to make sure that the data is secure;
  • The rights that individuals have to the data that you hold about them – including how people can withdraw consent or object to how you process their data;
  • Who is responsible for data privacy within your business, and how they can be contacted.

You will also need to ensure that everybody within your business is aware of the importance of personal data privacy, so that your best-laid plans are not undermined by others simply not following them.

Your Privacy Policy

Creating a compliant Privacy Policy is one of the few obvious ‘must haves’ that comes out of the GDPR. It is hard to see how any business can possibly be compliant without one – because it is your main opportunity to demonstrate that you are being open and transparent about the data you collect.

The exact details of what a privacy policy should say will vary between businesses, so I can’t tell you precisely what should go into it for your business, but the format I describe below should most definitely get you onto the right track.

Introduction & Commitment to data privacy

Whether this actually achieves anything tangible is up for debate, but it seems logical that a good place to start with a privacy policy is to state outright that, as a business, you are committed to maintain the privacy and security of the data you collect from individuals.

It serves as a good introduction to the rest of the document, and explains that collecting data is something that is necessary in order to run your business. It sets the context.

Identify yourself

It is important that you identify your business and clearly provide the contact details of who should be contacted for any data privacy matters. If you operate as a limited company, you should give your full company name and any trading names that you operate under.

Larger companies (over 250 employees) are likely to need to designate a specific Data Protection Officer (DPO), and this brings with it a whole raft of other requirements for record keeping and so on. Small businesses will most likely not require a DPO, but you still need to provide a clear statement of how people should contact your business with any data issues.

If this is in the form of an email address, you need to make sure that it is one that is regularly monitored – you do NOT want to inadvertently miss a privacy issue or complaint because there are timeframes in which you need to respond.

Describe what data you collect, how you use it and what your legal basis is for doing so

This might seem laborious, but if you’ve been following our suggested method for creating a Personal Data Log, you should already have all this information: you need to give a clear, plain-English description of the types of data you collect, why you collect it and what your legal basis for doing so is.

You might, for example, state that:

“if you send us a message via our website’s online contact form, we need to collect certain data from you (your name and email address). We need to use this information to respond to your request – but we will also always ask for your consent to process this data before you submit the enquiry, and you will see a link to this Privacy Policy. We will not use this data for any other purpose unless you have given us your additional permission to do so. We will not share this information with anyone outside of the organisation. The data may be held for up to 12 months (although this may be extended if you choose to create an account with us or purchase products/services from us).”

You will need to create a similar statement for each of the different data inputs that you have identified in your Personal Data Log.

Please note that if your business operates a website, you will need to include references to whether your website stores cookies on the user’s device and if so, what those cookies are. The details around Cookies are deserving of an article in their own right and we will address that separately.

Who you share the data with

Individuals will rightly want to know whether the data that they give you is kept entirely within the confines of your business, or whether it is shared with anyone else.

This is an opportunity to explain that you will never sell or otherwise share the personal data with a 3rd party for any reason other than the ones that you outline here.

How the data is protected

It is important to make it clear what steps you take to ensure the security of the data that you process. This might refer to the physical security of paper documents, or the username/password based restrictions that are placed upon electronic data.

The rights of the individual

The GDPR makes a number of clear statements about the new rights that individuals have over the data that you collect about them. Whilst this is public domain information, you must restate those rights within your Privacy Policy.

They are:

  1. The right for the individual to require you to confirm whether you hold any personal data about them;
  2. The right for the individual to require you to provide them with a copy of all of the data you hold about them, in a format that is meaningful to them;
  3. The right for the individual to easily withdraw any valid consent that they have previously given;
  4. The right for the individual to require you to rectify any incorrect or incomplete data that you hold about them;
  5. The right for the individual to require you to erase any personal data held about them (the ‘right to be forgotten’);
  6. For any data that you collect based on a lawful basis other than consent, the individual has the right to object to that processing, and you have a responsibility to consider that objection. The individual also has the right to require you to prevent any further processing of that data until their objection is dealt with;
  7. The right for the individual to make a complaint to the relevant data protection authority (which is the Information Commissioner’s Office in the UK);
  8. Generally, individuals can exercise these rights without paying you a fee.

Once you’ve digested these rights, you will realise that these are not trivial matters. Could you locate and erase all information relating to a particular individual if you needed to? And could you do it without deleting information relating to others?

When an individual contacts you to exercise any of these rights, we will generally refer to this process as a Subject Access Request (SAR). In general terms, you have one month to provide the information or take the action required within a SAR.

Summary & Next Steps

It’s important to get your ongoing process for GDPR compliance, and your Privacy Policy, as complete and ‘right’ as it can be from the outset. Your policy may well change over time, but changing your privacy policy will likely give rise to some more headaches.

After all, if someone has consented to your processing their data based on the information in your privacy policy today, you cannot change the details of that policy tomorrow and expect their consent still to be valid.

But that said, you should find that (painful though it might have been) the process that you’ve been through to this stage should have been central to you getting a grip on the personal data privacy processes within your business.

If you’ve had to make changes to become compliant, they might feel like a royal pain in the a*se today, but you will be running a better, more credible business as a result.

And as I said at the start of this series of articles, customers love that.

I hope this series of articles has been useful in giving you a good grounding in how to make your small business GDPR compliant. The reality is that we’ve done more than just scratch the surface, but there is much more to learn – and we’ll all be learning as the regulation comes into force.

I’ll repeat my disclaimer from the beginning of this series of articles – the responsibility for data privacy within your business is ultimately with you, the data controller. The information provided here is an attempt to help people short-cut what can be a daunting task – but none of it should be considered to be legal advice.

You can contact me here if you have any data privacy needs relating to your website; for specific legal advice relating to your particular business, I would always recommend speaking to a specialist legal professional.

I will be publishing further articles on the subject of GDPR which will look at some of the more specific thorny issues that businesses might face, so please watch this space.

In case you’ve missed any of our previous articles, you can check them out here:


GDPR Small Business Action Plan – Part 3: Is your data processing lawful?
Fri, 30 Mar 2018 13:20:38 +0000
Your guide to understanding the lawful basis for processing personal data under the GDPR



GDPR Action Plan Part 3

Is it lawful to process personal data the way you do?

In this article, we’ll look at:

  • The 6 ‘lawful grounds’ for processing personal data under the GDPR
  • A focus on consent, contract and legitimate interests
  • Some further resources



In our previous article, we continued our in-depth look at a GDPR action plan by determining what your business currently does in terms of processing personal data: how it is collected, stored, used and transmitted.

In this article, it’s crunch time – because we now need to determine whether what we’re currently doing would be lawful under the GDPR – and if not, what we’ve got to do to resolve that issue.

Remember – under the GDPR, businesses can theoretically be fined up to €40million for serious breaches.

Probably worth reading on.

What makes it lawful?

The GDPR states that it is only lawful to process personal data if one or more of the following situations apply:

  1. Consent: The data subject (the person whose data we’re referring to) has specifically consented;
  2. Under contract: processing is necessary to fulfil a contract that the data subject has asked for;
  3. Legal Obligation: processing is necessary because of a specific legal obligation that you (as the controller of the data) are subject to;
  4. Vital Interests: processing is necessary to protect the vital interests of the data subject or another person;
  5. Public Interest: processing is necessary as part of a task carried out in the public interest, or as part of the official capacity of the controller of the data;
  6. Legitimate Interests: processing is necessary for the purposes of the legitimate interests of the data controller.

Please note: I’m paraphrasing the lawful grounds here, in an attempt at clarity.

For most commercial small businesses, grounds 3, 4 and 5 above are unlikely to apply, so we’re going to focus on the most likely lawful grounds: Consent, Under Contract and Legitimate Interests.

But to be clear – in general terms, the more lawful grounds you have to process data in a particular way, the better – so don’t discount the legal obligation, vital interest and public interest grounds if you think they might apply.

So, it’s worth us understanding those three lawful grounds a little better.

‘Consent’
Consent is always going to be an important factor in whether you can legitimately process somebody’s personal data.

Because if they say it’s ok, it’s ok – right?

Well, yes and no.

The GDPR makes some fairly fundamental changes to the way we need to think about consent. In particular:

  • You will need to be able to prove that somebody has consented;
  • The consent must be freely given;
  • It must be specific;
  • It must be informed and unambiguous;
  • It requires a clear, positive action on behalf of the data subject.

This handful of requirements places some pretty significant hurdles in the way of gaining legitimate consent:

Proof – processes will need to be in place to demonstrate that a person has consented to their data being processed. Could you do that right now? Show that a particular person had consented to a particular thing on a particular date?

Freely given – you can’t force people into ticking an ‘I consent’ box by making it a condition of them taking a particular product or service from you, unless it is genuinely required to deliver that service. For example, it wouldn’t be lawful to require somebody to tick an ‘I agree to my information being entered onto your mailing list’ box before they purchase a product or take advantage of an offer.

Specific – because consent has to be specific, it is almost certainly not lawful to try to gain ‘blanket consent’ for all types of data processing. You need to tell people specifically what they are consenting to, and that consent will not extend to any other type of processing. To extend the example above – if you were to collect somebody’s email address in order to reply to their request for a quotation, you couldn’t use that email address to send marketing emails to them without further consent.

Informed and unambiguous – people need to understand what they’re consenting to, so when asking for consent, you need to be painfully clear what you mean, and not attempt to hide the consent in reams of jargon or other unrelated matters.

Positive action – this is a big one – the data subject has to make an ‘affirmative action’ to indicate their consent. In particular, this means that the idea of ‘implied consent’ (e.g. “by continuing to use this website you are deemed to accept our T&Cs”) goes out of the window. They have to tick a box, or otherwise make a positive action to confirm their consent. And you’re not allowed to tick that box for them, either!

So what this all boils down to is this:

You need to provide people with all of the information they need to understand precisely what you’re going to do with their data before they consent. In practical terms, this will usually mean having a very clearly defined Privacy Policy in place that people can see before you ask them to consent. And you need to be able to prove what they have consented to.
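As an added example (not code from the original article or from Blackbox), the following Python sketch shows one way to keep the kind of consent evidence the five requirements above call for: who consented, to which specific purpose, against which version of the Privacy Policy, when, whether it was a genuine affirmative action, and when it was withdrawn. The class and function names, the customer identifier, dates and purposes are all constructed assumptions.

```python
"""Consent record keeping along the lines the article describes (added example,
not from the original post). Identifiers, dates and purposes are constructed."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One act of consent by one person for one specific purpose."""
    subject_id: str             # who consented (constructed identifier, e.g. a customer ID)
    purpose: str                # the single, specific processing purpose they agreed to
    policy_version: str         # the Privacy Policy text they were shown ("informed")
    given_at: datetime          # when the affirmative action happened ("proof")
    affirmative_action: bool    # True only if the person ticked/clicked the box themselves
    condition_of_service: bool  # True if consent was demanded to get the product/service
    withdrawn_at: Optional[datetime] = None


def consent_defects(rec: ConsentRecord) -> list[str]:
    """Return the consent requirements this record fails to evidence.
    An empty list means the record is usable as proof of valid consent."""
    defects = []
    if not rec.affirmative_action:
        defects.append("no affirmative action (pre-ticked box or 'implied' consent)")
    if rec.condition_of_service:
        defects.append("not freely given (consent was a condition of the service)")
    if not rec.purpose.strip() or rec.purpose.strip().lower() in {"any", "all"}:
        defects.append("not specific (blanket or missing purpose)")
    if not rec.policy_version.strip():
        defects.append("not informed (no record of which Privacy Policy was shown)")
    if rec.given_at.tzinfo is None:
        defects.append("timestamp lacks a timezone, so the date cannot be proven")
    return defects


class ConsentLog:
    """Append-only store: withdrawals are recorded, never deleted, so the history
    still shows what was consented to, and when, after the consent is withdrawn."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        defects = consent_defects(rec)
        if defects:
            raise ValueError("invalid consent: " + "; ".join(defects))
        self._records.append(rec)

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Mark every live consent for this subject and purpose as withdrawn."""
        count = 0
        for i, rec in enumerate(self._records):
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                self._records[i] = replace(rec, withdrawn_at=when)
                count += 1
        return count

    def can_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True if consent for exactly this purpose was in force at time `at`.
        Consent given for one purpose never extends to a different one."""
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.given_at <= at
            and (rec.withdrawn_at is None or at < rec.withdrawn_at)
            for rec in self._records
        )

    def evidence(self, subject_id: str) -> list[ConsentRecord]:
        """Everything held about one person's consents (e.g. to answer a Subject Access Request)."""
        return [rec for rec in self._records if rec.subject_id == subject_id]


def demo() -> dict:
    """Walk through the article's quotation-request example with constructed data."""
    log = ConsentLog()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    log.record(ConsentRecord("cust-0042", "reply to quotation request", "privacy-policy-v1",
                             t0, affirmative_action=True, condition_of_service=False))
    # A pre-ticked marketing box is not valid consent and must not be stored as such.
    try:
        log.record(ConsentRecord("cust-0042", "marketing emails", "privacy-policy-v1",
                                 t0, affirmative_action=False, condition_of_service=False))
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    t1 = t0.replace(day=26)  # the next day, the person withdraws
    withdrawn = log.withdraw("cust-0042", "reply to quotation request", t1)
    return {
        "quote_ok_before": log.can_process("cust-0042", "reply to quotation request", t0),
        "marketing_ok": log.can_process("cust-0042", "marketing emails", t0),
        "quote_ok_after_withdrawal": log.can_process("cust-0042", "reply to quotation request", t1),
        "preticked_rejected": preticked_rejected,
        "withdrawn_count": withdrawn,
        "evidence_kept": len(log.evidence("cust-0042")),
    }


if __name__ == "__main__":
    print(demo())
```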

But before you start worrying about all of the circumstances in which that’s just not possible, remember that consent is not the only option. You might well have a number of legitimate reasons, under the other lawful grounds, for processing their data – and often, those alternatives might be better.

Let’s look at them now.

‘Under contract’

The actual terminology within the GDPR states that the processing of personal data may be lawful if:

“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

So, if a person approaches your business to enquire about a product or a service that you provide, it is legitimate for you to process their personal data to the extent that is necessary to do what they’ve asked you to do.

If someone purchases an item from your online store, then clearly you need to collect, store and possibly transmit their name and address for the purpose of delivering the item to them.

It doesn’t give you carte blanche to do whatever you like with it, though – so don’t go sticking their email address on a mailing list without some other way of justifying it (most likely, consent).

‘Legitimate Interests of the data controller’

This is an interesting one – as, at first sight, it looks like a reasonably broad definition:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

In this case, you, the business that is deciding what data is collected from the individual, are the Data Controller. So, subject to the caveats about fundamental freedoms and data relating to children, the processing may be lawful if it is in your legitimate interest as a business.

There are some clear legitimate uses of this lawful basis such as to prevent fraud or to maintain the security and integrity of a system holding personal data – as those things are clearly in the spirit that the GDPR is trying to encourage.

The regulation itself even goes so far as to say that processing of personal data for direct marketing purposes MAY be regarded as being in the legitimate interest of the business. Only ‘may’, though.

So the ‘legitimate interest’ basis should, I suggest, be used with caution. It is certainly not a general ‘catch all’ for anything that a business wants to do.

Here at Blackbox, we certainly cite the ‘legitimate interest’ ground as a reason why our website may place security related cookies on the user’s device without first asking for their consent. Just use it wisely.

So, what does this all mean?

If we return for a moment to the Personal Data Log that we’ve been slowly creating, we now need to identify – for each and every data input we’ve got listed – which of the 6 lawful grounds for data processing apply.

It might be just one, it might be two or three. But hopefully, it’s not none.

Because if you don’t have a legitimate, lawful reason for processing personal data, then doing so is a breach of the GDPR and you are potentially leaving yourself open to penalties.

You either need to find a lawful basis for doing it (such as introducing a valid consent process), or you need to stop doing it. Now. You would also need to securely dispose of any data that you have collected via this means in the past – because remember – storage is processing.

One final word about Consent

It’s natural to think that consent is the best method of demonstrating that you have a lawful basis for processing someone’s data. And in a lot of cases, that’s probably true.

But. Data obtained via consent is subject to a range of other considerations, including the individual’s right to access the information or even have you delete it. Those same rules do not necessarily apply to data collected under a different lawful basis, such as legitimate interest.

In that situation, a person has a right to object to your processing of their data in that way (and you have a responsibility to consider that objection), but they don’t have quite the same range of rights over it.

So, just because you might seek somebody’s consent to capture certain types of data, make sure that your Privacy Policy also declares your other lawful grounds for processing it.

In some cases, having another lawful ground for collecting data might be a good reason NOT to ask for consent.

Summary, Next Steps & Further Reading

This stage in the process will hopefully have been a bit of an eye-opener, because it is only really now that you start to get a good feel for the impact that being GDPR compliant could have on your business.

You might now have a number of issues that need to be addressed – and whilst that is going to seem like a burden, it is most definitely better to know, and know now.

In our next article, we’ll look at the all important process of developing a plan for your ongoing GDPR compliance, and what your responsibilities are.

GDPR Action Plan – Part 4: Implement a plan for ongoing compliance

In case you’ve missed any of our previous articles, you can check them out here:


GDPR Small Business Action Plan: Part 2 – How do you process personal data?
Fri, 30 Mar 2018 13:15:40 +0000
What 'processing' means in GDPR terms, and how you are currently using individuals' personal data



GDPR Action Plan Part 2

How do you process personal data?

In this article, we’ll look at:

  • The GDPR definition of ‘processing’ data
  • How you store, use and transmit data
  • Some further resources



In our previous article, we looked at how to audit the personal data that your business collects. We considered what constitutes personal data under the GDPR, and a process by which you could document all of the circumstances in which that data comes into your business.

If you’re following our process, you’ll know that we recommended creating a Personal Data Log (PDL) – a living document that you can continue to use to keep control over the data you collect.

Now that we know what personal data your business holds, we’ll turn to how you process that data.

‘Processing’ under the GDPR

‘Processing’ is an important concept under the GDPR. The entire regulation is focussed on defining and controlling how personal data may legitimately be processed.

Perhaps ironically, the concept need not detain us too long, because the definition of ‘processing’ is extremely wide.

If you consider that it includes storage, use and transmission of data, you’ll quickly arrive at the conclusion that if you have data, you’re almost certainly processing it.

That being the case, I’m going to launch straight into how to identify the different ways in which we process data, and use our Personal Data Log to keep track of it. That will lead us to a position where we can properly understand:

a) whether we have a legitimate, lawful basis under the GDPR to process the data in the way we do;
b) what our responsibilities are for that data.

The GDPR actually defines ‘processing’ as:

“… any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
[emphasis mine]

Identifying how we store, use and transmit personal data

The objective for this stage of our plan is to understand how we process personal data. We have already determined that we collect personal data – we are now going to look individually at storage, use and transmission of data – because these are the broad types of processing that the vast majority of small businesses will be using.

By detailing how we process the data, we are preparing for the following step in the plan, which is to determine whether that particular type of processing is lawful under the GDPR.

Storage
Collection and storage of information typically go hand in hand. On any definition of the word, it’s difficult to collect something if you don’t store it in one way or another (given that even writing it down is a form of storage).

For each of our data inputs (i.e. the scenarios in which we collect personal data), we need to be able to answer the following questions as a minimum:

  • How is the data stored? Is it in electronic format, such as in a spreadsheet, email inbox or database? Or is it stored physically, such as on paper in a good old-fashioned filing cabinet?
  • Where is that data stored? For physical (hard copy) data, this is pretty straightforward – but for digital data, things get a bit more complex: for spreadsheets, emails, databases, where is that data physically stored? On the hard drive of your computer in the office or on a USB stick? Maybe. But cloud computing makes it far more likely that the data is actually stored on a server somewhere else – maybe on a different continent. Think Google Drive, OneDrive, Gmail, hosted CRM or email campaign management tools – none of the data in these applications is stored on your device – it’s all stored ‘in the cloud’. Whilst this complicates things, we need to be clear about where that data is – because it also influences who has access to it;
  • Who has access to the data? This will clearly depend on the type of storage. For hard copy documents, perhaps the data is locked away in a physical location to which only limited people have a key. For digital data stored on a system of some kind, perhaps the information can only be accessed by people with a user account and password (and the third party providers of that system – and all their employees??)
  • What protection is in place to keep that data secure? As above, hard copies of information can be physically secured, but digital data is different – it’s protected by user accounts/passwords, and possibly firewalls and encryption. So what protection have you got in place?
  • How long is it kept for? Do you have any processes for deleting/archiving old information when you don’t need it any more? Or does it simply build up and up over time?

For each of the data input rows on your Personal Data Log, you need to be clear on the answers to the above – and now would be the time to enter that information into Columns G to K.

Use


Ok, so this is a pretty broad category – but this is a good time to ask yourself the question ‘what do we use this data for?’.

This process is going to be useful for three main reasons:

  1. You’re likely to discover some data that you collect unnecessarily. The concept of ‘data minimisation’ is going to become increasingly important – if you don’t need it, why take on the responsibility of looking after it? Now would be a great time to stop collecting unnecessary data, and to securely dispose of stuff you’ve collected in the past;
  2. You’re going to need to describe how you use data in your Privacy Policy, so you might as well start thinking about it now;
  3. Whenever you rely on the data subject’s consent to use data, that consent under the GDPR is limited to the particular uses that you specify. In general terms, you can’t collect the data for one reason, and then go on to use it in a different way.

Here are a few – perhaps obvious – uses of the data you collect, as a starting point:

  • To be able to respond to a customer’s request for information (e.g. data taken via website contact forms);
  • To deliver the products and services that your business provides (e.g. data collected when a customer places an order or signs up for an account);
  • To provide customer service to existing and prospective customers (e.g. data collected when a customer places an order or signs up for an account);
  • To be able to send newsletters or other marketing and promotional material to customers (e.g. data taken in newsletter sign-up forms);
  • To provide employee services such as payroll (e.g. data taken when a new employee starts);
  • To maintain the security and integrity of your systems (e.g. technical data collected when a customer uses your website).

If you’re using our Personal Data Log, you should now go ahead and complete Column F.

Transmission


We’re looking at transmission of data specifically because it necessarily involves sharing the data that you have collected with someone else – and that brings with it some additional considerations.

Ask yourself the question ‘do we transmit this data to anyone else’?

Some examples of transmission might include:

  • Sending customer address information to your shipping partner/delivery company;
  • Importing customer data into a 3rd party tool such as an email campaign management system;
  • Sharing customer data for marketing purposes – e.g. a marketing agency;
  • Sending customer data to a 3rd party cloud storage facility (e.g. data backups).

In all of these scenarios, you are actively releasing the personal data you hold to a 3rd party – and you are reliant on that 3rd party looking after the data – so you need to be pretty clear who you’re working with, and what controls are in place to ensure that the data stays secure.


Why ignorance is no defence under the GDPR

I suspect that this will be the response from a fair number of small business owners. Perhaps you’ve never given any thought whatsoever to where your customer/employee data actually resides. Or whether other people outside your organisation might actually have access to it. Or how secure it really is.

And that highlights an important point that is central to the whole GDPR.

When you consider that individuals’ personal data is a valuable commodity, you have a responsibility to think about these things – if you want to collect it and use it, you need to take care of it.

For years we’ve had a responsibility to think about these things, but the previous legislation, for the most part, let us all get away with it.

The reality of GDPR is that we are all going to have to get properly on top of this – it’s where much of the hard graft is going to happen. For example, if you don’t know where your digital data is stored, how can you argue that it’s secure?

So, I’m afraid to say, you’re either going to need to tackle these things yourself, or get someone to tackle them on your behalf.

Summary, Next Steps & Further Reading

By now, you will hopefully have a pretty good grounding in how to understand the personal data that you collect within your business, and how to determine and document what you currently do with that data.

In our next article, we will turn to the thorny issue of whether what you currently do with your data will be lawful under the GDPR – and if not, what you need to do to resolve it. We’ll look at:

  • The 6 lawful grounds for processing personal data within the GDPR
  • The changes to the way consent works
  • Why consent isn’t always your only/best option

GDPR Action Plan – Part 3: Is your data processing lawful?

In case you’ve missed any of our previous articles, you can check them out here:


GDPR Small Business Action Plan: Part 1 – Understanding your personal data
Fri, 30 Mar 2018 13:10:39 +0000
How small businesses in the UK can get to grips with what 'personal data' is, and how they process it



GDPR Action Plan Part 1

Understanding the personal data you process

In this article, we’ll look at:

  • How to understand what constitutes personal data
  • How to confidently audit your business for personal data
  • Some further resources


The first stage in anyone’s GDPR compliance plan should be to understand what personal data your business is collecting. Only then can you establish whether your collection, storage and processing of that data is legitimate.

In this article, we’ll step through a suggested process for understanding and auditing your personal data.

If you’re short on time, you can skip to the section you’re interested in:

What is personal data?

Short answer: virtually anything that allows you to identify – directly or indirectly – an individual person. And it doesn’t matter if the information is in electronic format or on paper, the GDPR still applies.

Some examples of personal data are obvious – customer names, email addresses, phone numbers – whether they are stored electronically (on a spreadsheet or database) or manually in paper files.

These are going to crop up all over the place:

  • Customer lists;
  • Mailing lists;
  • Customer surveys (or at least non-anonymous ones);
  • Order books;
  • And so on.

Other examples are less obvious, because the regulations refer to ‘identified and identifiable persons’ – so even if you don’t collect things like name and address, if I could use the data to identify you, even indirectly, it falls into the category of personal data. Such as:

  • A customer ID;
  • A photograph;
  • Combinations of non-specific data (such as age, gender and postcode) which, when considered together, potentially allow you to identify a person;
  • Technical data such as IP address (although we’ll come back to this again later).

Once you’ve established that you are collecting personal data (and you probably are), then you can be pretty confident that you are subject to the GDPR, and therefore need to read on.

The GDPR defines ‘personal data’ as “any information relating to an identified or identifiable natural person”. Therefore, the data does not need to directly identify an individual – if, as is the case with a customer ID, the data could allow that person to be identified by other means, it constitutes personal data.

Auditing the personal data you collect

Yes, I know, the word ‘audit’ doesn’t exactly fill anyone with enthusiasm and joy, but it is what it is – you need to audit your business in order to reveal all of the actual personal data that you have collected in the past, and all of the methods that you use to collect such data on an ongoing basis.

But it doesn’t need to be as onerous as it sounds. We’ll look at your current data collection first, then give some thought to data you have collected in the past.


Auditing your existing data

1. Identify the circumstances in which you collect data

Quite genuinely, a pack of Post-Its and a wall can really help here – because you can just note things down as you think of them, and then rearrange, group together and de-duplicate later.

The objective of the exercise is simply to start to track all of the existing collections of data that you are holding in your business. At this stage, don’t think about the individual bits of data that you’ve got, rather think about all of the different ways that you collect data about your customers, employees, partners, suppliers etc.

Some examples of what we mean:

  • Information submitted by customers via your company website – contact forms, online purchases, online chat etc
  • Details that you take from customers when they place an order over the phone
  • Employee information that you collect when people start to work for you
  • Contact information you record when you take on a new supplier
  • Details submitted when people sign up to your mailing list
  • Details from business cards that you collect at trade fairs

Hopefully you’ll see the point here – if you can identify the circumstances in which you collect data, you can then move on to drill down into what data you collect, and how you use it (that comes in Part 2).

So, whip out your fresh new pack of Post-Its, and start jotting down all the circumstances in which you collect data that relates to individuals. If you’re not sure about one, write it down anyway, and review later – just don’t lose that thought!

2. Confirm that this is ‘personal data’

This is where it’s worth doing a quick sanity check that we are really talking about ‘personal data’ in GDPR terms. Remember, the GDPR defines personal data as any information relating to an identified or identifiable natural person.

So, if any part of the data you collect identifies a person, or would be capable of identifying a person if it was used in combination with other information, then you are best to assume that this is personal data.

Frankly, it’s a bit difficult to think of too much data that wouldn’t qualify as ‘personal’ but here’s a couple that we came up with:

  • Information relating solely to a company or other organisation – because a company is not a natural person. But contact information is still personal data, even if it refers to somebody’s work phone number or work email address;
  • Completely anonymous data – if you collect feedback forms in your restaurant, and the information is completely anonymous, this is probably not personal data, assuming that you can submit that information anonymously. But be careful – if you ask people to submit feedback online, you might be tracking information about them (such as their IP address) that you don’t realise.

3. Create a Personal Data Log

This is the time to crack out Microsoft Excel (or whatever your personal spreadsheet software of choice is), and start to create a Personal Data Log for your business.

The objective of the Personal Data Log is to provide an ongoing record of the data that you collect – not only will this be a useful reference for you, it also represents an important part of your overall compliance process because it can be used to demonstrate your compliance efforts.

The log is going to start simple, with just a column that lists all of the personal data inputs that you have identified in your post-it exercise above. As we progress, you will add more columns to this spreadsheet – the end result will be one centralised record of your personal data types, along with details of who has access to the data, how long the retention period is, what your legal basis for each data type is and so on.

This should be a living document – as things change within your business, you update this log. The image below shows an example log – you can ignore Column B onwards for now, we will be completing these next.

You can download this sample Personal Data Log as a starting point if you wish.

a snapshot of a suggested GDPR personal data log

It goes without saying that this PDL needs to be as comprehensive as you can possibly make it because we recommend using it as a starting point for your entire compliance effort. If you miss a source of data at this stage, then the chances are you will continue to overlook that data in the future.

Sole traders and one-man-bands should take time to reflect on this Personal Data Log to ensure that they can see the wood for the trees, and they’re not missing anything. Larger businesses should ensure that they consult with staff across the organisation, and sanity check the information carefully.

4. Getting specific about the data

Having identified the various circumstances in which you collect potentially personal data, it’s now time to start getting specific about the actual categories of data that you collect. For many businesses, this will be relatively straightforward (it might just be name and email address in many cases) – but for others, it will get more complex.

The purpose of identifying these categories of data is fourfold:

  1. To confirm that you have a real grip on the exact data that your business is asking people for
  2. To provide information that will ultimately end up in your Privacy Policy
  3. To check whether any of the data you collect relates to children under the age of 16, for which there are additional requirements in relation to parental consent
  4. To check whether any of the data you collect falls into a range of Special Categories defined by the GDPR, for which there are additional regulations and constraints

If you’re using our sample Personal Data Log, then now’s the time to complete Columns C, D & E.

Special Categories
The GDPR specifically mentions a number of types of data that it considers to be Special Categories of data. In general terms, the regulation prohibits the processing of such data unless the person to whom the data applies has given explicit consent for one or more specified purposes.

This effectively means that consent is the ONLY lawful basis for collecting such data – and the implication is that the consent must be gained very carefully and specifically.

The GDPR Special Categories of data are:

  • Racial or ethnic origin
  • Political opinions, religious or philosophical beliefs
  • Trades Union membership
  • Genetic or biometric data
  • Health or data concerning a person’s sex life or sexual orientation

If your Personal Data Log reveals that you are collecting data falling into any of the Special Categories, then your consent processes will need to be watertight.

Summary, Next Steps & Further Reading

If you’re following our suggested process through, you should now have a pretty firm grip on the data that you collect within your business that is likely to be considered ‘personal data’ under the GDPR.

In our next article, we will turn to the question of what you do with that data:

  • How do you use it?
  • Who has access to it?
  • How is it protected?
  • How long do you keep it for?

GDPR Action Plan – Part 2: What do you do with your personal data?


Small Business GDPR Action Plan Fri, 30 Mar 2018 13:05:41 +0000 An outline of our plan for how small businesses in the UK can approach becoming GDPR compliant



Small business GDPR Action Plan

A step-by-step, actionable strategy for GDPR compliance

In our previous articles, we’ve looked at some of the background and the basic principles behind the new EU General Data Protection Regulation, or GDPR.

In this, the start of a series of follow-up articles, we will look at the specific steps that you can take to make your small business GDPR compliant.

We’re going to break this down into 4 actionable steps:

  1. Determine what ‘personal data’ your business handles
  2. Identify in some detail what you do with that data
  3. Determine whether your current use of the data would be considered lawful under the GDPR
  4. Implement a plan to ensure ongoing compliance with the regulation

1. What ‘personal data’ do we process?

Perhaps the most important part of the process of making your business GDPR compliant is understanding your use of personal data in the first place. It’s very much in your interest to get a real grip on the concept of what constitutes personal data before you progress to the next steps – after all, this is not a process that you will want to have to repeat unnecessarily.

In our article on identifying ‘personal data’, you will discover that the GDPR’s definition is very broad – almost certainly broader than a normal everyday interpretation – and therefore it’s probably wise to start from the position of assuming that all data relating to an individual is going to be considered as ‘personal data’ unless you specifically determine otherwise.

We’ll look at a suggested process of how to audit your business for personal data, and then use that information as the starting point, not only for the next steps in becoming GDPR compliant, but also as part of your ongoing process for demonstrating your compliance.

Go to Step 1: Identifying personal data

2. What do we do with that personal data?

Once you’ve established the types of information your business collects and processes that are likely to be considered ‘personal data’ under the GDPR, the next stage is to fully understand what your business does with that data.

For example:

  • Where is it stored?
  • How is it stored?
  • Who has access to it?
  • How long do you keep it?
  • And so on

It’s only when you can confidently state how your business processes data that you can go on to ensure that the processing of that data is lawful under the GDPR.

Go to Step 2: Determining how you process data

3. Is our processing of this data ‘lawful’ under GDPR?

The GDPR is quite clear that you must have a legitimate ‘lawful basis’ for processing people’s personal data.

The regulation goes on to list six different categories – effectively the acceptable grounds for processing the data – and you will need to ensure that for every different type of personal data you process, you can point to one (or more) lawful basis that legitimises the way you are processing data.

Conceptually, some are obvious – most notably, that you have the data subject’s specific consent to process that data. But be warned, there are some hoops to pass through before any consent is seen as valid, so don’t think it’s an easy way out. Sometimes, it will be in your business’s interest to demonstrate another lawful basis for processing data.

In our article on determining the lawful basis for processing your data, we will look at what we consider to be the lawful bases that small businesses are most likely to rely upon, as well as the pitfalls to avoid.

Go to Step 3: Understanding the lawful basis for processing data

4. A plan for ongoing GDPR compliance

We strongly recommend that you don’t look at this as a one-off ‘box ticking’ exercise. GDPR compliance is going to be a mindset challenge for a lot of small businesses, because one of the key objectives of the new regulation is to encourage ‘privacy by design’ – i.e. building privacy considerations into all of your business processes from the outset.

In our article on ensuring ongoing GDPR compliance, we’ll look at your continuing responsibilities under the new regulation, how to deal with your organisation’s Privacy Policy and how to address Subject Access Requests.

It’s this type of planning that will not only help you towards GDPR compliance, but also towards operating a more streamlined, credible business more generally.

Go to Step 4: Ongoing GDPR compliance


GDPR 101 – An introduction to the General Data Protection Regulation Fri, 30 Mar 2018 13:00:08 +0000 An introduction to the EU's General Data Protection Regulation (GDPR) for small businesses



"Data is the new oil"

In this article, we’ll look at:

  • The basics of the new GDPR regulations
  • What it means for small businesses
  • Some further resources for the details


The big picture

I’m a big believer in getting the general principles – the bigger picture – clear from the outset. So, let’s have a crack at that:

Data is now a commodity, and a valuable one at that. Data about our web browsing history and online shopping habits are used to market products to us. We use our private data as a means of identifying and authenticating ourselves. And, our social data can even be used (allegedly) to influence who’s elected as leader of the free world.

As a result, our data – along with who has access to it, and what they’re permitted to do with it – is an extremely hot topic.

Granted, most of us aren’t dealing with data on a scale that could possibly influence whether Kim Kardashian becomes the next US President – but the effects of a general tightening of controls over how data is used is most definitely trickling down to even the smallest businesses.

What’s it all about, Alfie?

What are the new regulations trying to achieve?

The EU’s General Data Protection Regulation, or GDPR, comes into force on 25th May 2018 – and essentially, the regulation is attempting to give individuals far greater control over their personal data. It reaffirms that the protection of individuals in relation to their personal data is a fundamental right to which we are all entitled.

At a high level, the GDPR aims to protect this right in a number of ways:

  • By forcing businesses to be open about when they collect personal data, and how they propose to use it – so that we have a meaningful choice about whether to release our data to them or not;
  • By encouraging businesses to keep the data they do collect secure;
  • By giving us a range of rights in relation to the data that is held;
  • By allowing the application of eye-watering financial penalties for serious non-compliance.

More specifically, the regulations are there to reinforce the importance of treating personal data with respect and value, and in a way that is compatible with our own individual basic rights of privacy.

They require people and organisations who collect and process this personal data to:

  • Take all reasonable, proportionate efforts to protect that data, and control who has access to it;
  • Be open and honest about what data they’re collecting, why, and setting limits on how they are going to use it up front;
  • Make sure that the information is accurate, and only hold the information for as long as there is a justifiable reason to do so;
  • Take responsibility for the personal data, and treat it like the valuable commodity that it is.

So, from the perspective of our own individual rights to privacy, most people would agree that the principles behind the regulations are pretty sound.

Glass half full?

It’s probably best to look at this as an opportunity rather than a problem.

Yes, the GDPR imposes rules, obligations and (potentially) penalties – but the principles that it seeks to enforce are sound. If we commit a little time and effort to understanding the regulations, then we will undoubtedly end up running more efficient, credible and reliable businesses.

Customers love that.

So what does it mean for my business?

I guess it depends on your current approach to data privacy. If you’ve never actively given it any thought, you’re going to need to now. This doesn’t need to be hard, but it does need to be well thought through.

If, on the other hand, you’ve worked in the past to ensure that you’re compliant with the rules of the Data Protection Act and other privacy directives, then this shouldn’t be a big deal. The general goal posts haven’t moved that much.

In my opinion, one of the biggest issues with the previous legislation was that most small businesses didn’t take it seriously, and for the most part, that didn’t make any difference – I don’t know, or know of, any small business that has been penalised for mishandling customer data. But I know of plenty that, in reality, do exactly that.

Businesses got used to paying lip service to data privacy, at best. A privacy policy was something that you copied wholesale from the internet. Boxes ticked, job done.

So perhaps the biggest, and most beneficial change to make is one of mindset. Treat the GDPR like a box-ticking exercise, and it will probably feel like a burden. Treat it like an opportunity to run a better business, then everyone’s a winner.

Ok, fine. But specifically, what do I need to do?

You need to think about all of the ways that you collect ‘personal data’ in your business, and ask yourself the following questions:

  • Why do we collect this?
  • How do we store it?
  • Is it secure?
  • What do we do with it?
  • How long do we keep it?
  • Who has access to it?
  • Why is it ok to store and process this data?

When you can answer those questions, you’re well on your way to understanding what, if anything, you need to do to get in line with the new regulations.

Typically, businesses are going to need to:

  • Work out where their weaknesses are, and resolve them – most of it is common sense;
  • Define a policy for how you collect and process personal data;
  • Make that policy conspicuously available to the people whose data is covered by it;
  • Stick to it. And make sure your employees stick to it too.

Further reading

We’ve created a series of GDPR articles, in which we’ll delve further into more of the detail of what this really means for small businesses, including specific processes you can use to get yourself GDPR ready – in particular, check out our Small Business GDPR Action Plan below – a suggested step-by-step process for getting your data ‘house in order’.

The time to take this seriously is now – you can thank yourself for it later.

GDPR Small Business Action Plan


Small business websites, data privacy and why we really need to start caring Fri, 30 Mar 2018 12:55:44 +0000 A look at why small business owners need to start thinking very carefully about data privacy, in the light of new European data protection legislation



A data privacy revolution? Maybe.

In this article, we’ll look at:

  • The 2018 data privacy revolution: GDPR
  • Why all businesses need to have a plan
  • Some further resources for the details

Why does this affect me?

It’s easy to be a bit hypocritical about data privacy.

As individuals, we all object to the idea of our identity being stolen, our credit cards being cloned, or our information being abused for the purpose of spam texts, emails and phone calls.

But the same individuals – those of us who run a business that handles other people’s data – have a responsibility in this ‘bigger picture’, and it’s all too easy for that to get overlooked.

What’s that got to do with my website?

Well, everything and nothing, really.

I’m only using websites as an example, because that’s the business I’m in – but the principles extend to all areas of your business. Let me expand my example:

If you’re not very careful indeed, a small business website is a prime example of where the data privacy issues can arise.

Chances are that:

  • Your site uses an online contact form to enable customers to contact you;
  • You’re probably running Google Analytics to track visitors;
  • You might be promoting your business using social media, such as Facebook marketing;
  • You might be using shared web hosting from a 3rd party company such as Fasthosts, 1&1 or Godaddy;
  • You might be using a CMS like WordPress to power the site.

And there’s nothing the matter with any of that – except that all of the factors above come with data privacy issues that must be addressed. Perhaps more often than not, these things are not even on the radar.

And that’s a problem – because May 2018 sees the introduction of the EU’s General Data Protection Regulation, and it’s a bit of a gamechanger.

Data privacy ain’t sexy

People who start up their own businesses are entrepreneurs – they’re passionate about what they do, or at the very least they’re passionate about the lifestyle and work/life balance that self-employment or business ownership can bring.

But that alone is not enough.

When you start out small, you will often find yourself having to be the marketing person, the legal department, the tech guy, the HR rep – and often enough, what you’re really focused on is the product, or the service – and making sure your mortgage gets paid.

To my mind, this often means the planning of the less ‘sexy’ parts of running a business get overlooked. And believe me, data privacy ain’t sexy.

What this means for a lot of new startups and small businesses is a focus on ‘doing’ rather than ‘planning’.

Mañana, mañana. I’ll deal with it tomorrow.

It’s understandable, but it has its problems.

In particular, we end up with work processes that evolve as a result of what is convenient or cheap, as opposed to ones that are thought through in advance.

The end result? Information scattered across different spreadsheets or scribbled down on post-its. Data that you can’t find because it was on that old laptop that you’ve just upgraded. A USB stick that ‘was definitely on my desk last night’.

They’re just small examples, but they’re all red flags. They’re trying to tell you something – and that something is that you don’t have control over your data processes.

That is about to become a bigger issue.

If you run a business – however small – or you operate a website of any kind, and you only take one thing from this article, please let it be this:

2018 is a turning point in relation to data privacy in the EU (and that includes the UK, regardless of Brexit). You will have obligations. They may be simple, they may be more complex, depending on your business.

But in any event, you need to have a plan …

… even if that plan is simply to gain a broad understanding of your obligations and make a conscious decision about how you’re going to address them. Ignoring it will not make it go away.

Ok, so what’s changing?

We have, for many years, had laws and regulations in the UK concerning data privacy. They trickle down from EU rules, and in general terms, we think they fall into the category of ‘quite a good thing really’.

But the issue of data privacy has become, understandably, a real hot topic in recent years – mainly because of the sheer volume of high profile data breaches (where systems are hacked and thousands of customers have their personal data stolen and abused) and the associated rise in cyber crime.

As a result, new data privacy laws come into force across the European Union in 2018 that have a much more direct, and potentially onerous, effect on businesses in the UK. And don’t think that Brexit will save us – the rules will apply whether we’re in the EU or not.

In particular, I’m referring to the EU General Data Protection Regulations (GDPR) and ePrivacy Regulation. The GDPR is, technically, already in force – but will only become enforced in May 2018. The ePrivacy Regulation was due to come into force at the same time, but that is looking unlikely.

What does the GDPR mean for small businesses?

Ok, this is really top-level (and we’ll be going into more detail in later articles), but the key things to take away from this are:

  • Even for small businesses, this is worth taking seriously – mainly because the penalties for non-compliance are literally eye-watering. There is an awful lot of misunderstanding and misinformation doing the rounds at the moment – and while there are some very limited exceptions to businesses employing fewer than 250 staff, there is no general exemption for small businesses;
  • Becoming compliant isn’t necessarily difficult – but if you don’t understand your obligations, you don’t have a chance;
  • The GDPR applies to anybody who collects or processes personal data in any vaguely commercial or business context – and it applies to offline data (e.g. paper records) as well as online data;
  • The definitions of ‘personal data’ are so broad that it is safest to assume that you will be collecting/processing relevant data until you can confidently establish otherwise – if you’ve got a contact form on your website, you’re processing personal data;
  • It applies to any business that collects data relating to EU citizens – regardless of whether the business is based in the EU. So unless you know for a fact that nobody outside the UK will ever visit your business website, it affects you – and that is why it matters in the UK both pre- and post-Brexit;
  • At the very least, your business will need a clear Privacy Policy that describes what personal data you collect and how you use it. And no, it is not good enough to copy someone else’s or get one of those automatically generated ones off the internet;
  • Customers whose data you hold now have much broader rights in relation to that data, so you need to have a plan for how you will deal with any requests for access to it. As was the case when Freedom of Information requests were introduced, it’s inevitable that some people will want to exercise their rights simply because they can.

Theory vs reality

One of the key issues with the existing data privacy laws, in my opinion, is that people have become very blasé about the whole thing.

Some business websites have privacy policies, many websites have those irritating ‘Cookies’ popups – but at the same time, most do not. Big businesses (with big budgets and big legal departments) tend to be pretty good at it, but we’ve probably got used to expecting less of smaller businesses.

And I, for one, don’t know of any small business that has been fined, or otherwise inconvenienced, by failing to meet the existing rules.

So why bother?

  1. It’s distinctly possible that the authorities will take a far tougher stance on this when the regulations are ‘harmonised’ across the EU. The maximum fines for non-compliance are €20million. Yep, you read it right.
  2. These changes to the law are likely to gain some significant attention in the media. So as soon as BBC Breakfast News starts telling viewers about their new rights, expect people to start exercising them;
  3. More than all of that, it’s the right thing to do. This forces us to think about how we are managing customer data, and falling into line with the regulations will generally encourage us to run better businesses.

That said, the GDPR regulations themselves are – like most EU documents – extremely dry, extremely long, and completely impenetrable in places. Some of the individual rules leave me thinking they cannot possibly mean that I have to do ‘x’, or surely that doesn’t apply to ‘y’.

And right now, we don’t have all the answers. So (in my opinion, this absolutely is NOT legal advice) the best we can do is start making plans to comply with the letter of the law where it is clear, and the spirit of the law where it is not.

Am I the only business that’s not prepared?

Absolutely not.

Because of the potential impact on my own business, and the businesses of my clients, I’ve been spending a lot of time researching the impact of GDPR. If I’m honest, it’s been keeping me awake some nights.

Why? Because despite the fact that we are a very short time away from the full application of the GDPR, it still feels that not enough people are talking about it. It doesn’t seem like there is a great deal of useful, practical guidance out there, and many of the regulations themselves seem ambiguous.

There is absolutely still time to get your business’s ducks in a row. And I believe that if you do that before May 2018, you will be far better prepared than the majority of small businesses out there.

We’ve created a series of articles that are intended to provide practical, actionable information for how to comply with the GDPR as a small business.

The guides provide some specific focus on small business websites and what changes might be required as a result of the GDPR, but the principles all apply more broadly than that.

For more information, see our next articles: ‘GDPR 101’ & ‘A Small Business GDPR Action Plan’


4 reasons website owners need to be thinking about SSL Thu, 26 May 2016 10:40:04 +0000


computer screen showing https web address

Granted, this doesn’t sound like the most exciting of topics.

But if you run your own website, or your business relies on a website, I’d encourage you to read on.

Firstly, what is SSL?

Whether you’ve realised it or not, you see SSL in action every day. Every time you visit a website and the web address starts with https://, or you see the little padlock symbol in the address bar, you’re seeing SSL in action:

a web address with https prefix

SSL stands for Secure Sockets Layer – but don’t let that put you off, the key word is secure.

It’s a method of keeping the internet connection between your website and the people who use your website more secure.

And that’s gotta be a good thing, right?

OK, so what does SSL do?

I’m assuming you don’t want to know the technical details. To be honest, no-one does.

But at its essence, an SSL Certificate (the thing that allows you to use SSL) does two things:

  1. It allows you to encrypt all of the data that passes between your website and the person using your website;
  2. It provides a level of proof or validation that the website in question is ‘who it claims to be’, as opposed to a scam website trying to pass themselves off as someone else.

So that leads me on to our 4 key reasons why you need to think about using SSL …

No1: Security

OK, so this is a real, tangible benefit.

Just think quickly about what happens when you look at a website:

You either type in a website address, or click on a link to the site, right? Fine. When you do that, you are sending a request to that website to send you back the information on that page. Your browser (e.g. Chrome, Safari or – God forbid – Internet Explorer) then displays that information. With a standard (non-SSL) connection, all of this data is sent over the internet connection in an unencrypted form – i.e. it is possible for other people to intercept and read that information, if they were so inclined.

Now for many websites, that’s not a problem – after all, the information’s not secret, right?

But think about some of the other things you do when you’re using a website:

Say you want to interact with that website. Maybe you wanted to request a quote or a callback, and the website asks you to enter your name and phone number.

When you click ‘send’, you are sending your own personal information over the same, unencrypted connection. Now it’s a little bit more worrying that someone else could get their hands on it.

Things get really interesting when you are sending (or receiving) genuinely sensitive information – personal data that should stay personal, or financial information like credit/debit card data.

With a connection that’s secured (properly) by SSL, all of this data is sent in an encrypted form, and you can rest assured that nobody else can access or read it. And that has to be a good thing.

So, from a security perspective, the questions to ask yourself are:

  • Is my website exclusively public domain information?

If so, you probably don’t need SSL from a security perspective (but read on for more reasons why it might still be a good idea).

  • Do my customers need to send me any personal information via the website? Or does it allow them to log in to the website using a username/password?

Now you’re in the territory where an SSL certificate becomes a good idea from a security perspective alone. Got a contact form that asks people to enter their email address or home address? Worth thinking about.

  • Does any genuinely sensitive data pass between your website and your customers?

No ifs, no buts – you need SSL. The website will probably work without it, but you are putting your data – and your customers’ data – at risk without it.

No2: Trust / Identity

OK, so this is a little less obvious.

For you to get an SSL certificate (the thing that allows you to use SSL) in the first place, you need to provide some level of proof of who you are. In its simplest form, it boils down to this: I couldn’t get an SSL certificate for the BBC website, because I do not own or administer that site.

Therefore, it would be impossible for me to run an SSL website that claims to be the BBC’s.

What this means is that when you visit an https:// website, you have some assurance that the website ‘is who it claims to be’.

Now, it doesn’t follow that it is necessarily a legitimate or safe website – but it does mean that it is not a scam or spoof website that is pretending to be something it’s not.
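As an added, self-contained illustration of the two things an SSL certificate does (the encryption of form data described under ‘What does SSL do?’, and the ‘I couldn’t get a certificate for the BBC website’ point just made), here is a small Go program. It is not code from this post or from Blackbox Web Design. It runs a tiny HTTPS site in-process for the made-up name shop.example, submits a constructed contact form to it, and then shows that the very same certificate is refused when the visitor expected a different site (news.example). The site names, the form contents and the self-signed certificate standing in for a real certificate authority are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// sampleForm is a constructed contact-form submission: the kind of personal
// data that travels in the clear when a site has no SSL.
const sampleForm = "name=Jane&phone=01923 000000"

// selfSignedCert issues a certificate that vouches for exactly one DNS name.
// A real site gets this from a certificate authority after proving control of
// the name; here we stand in for the CA so the example runs offline.
func selfSignedCert(dnsName string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // the only name this cert is valid for
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// StartSite runs an in-process HTTPS server presenting a certificate for
// siteName and returns the trust store a visitor's browser would need.
// The caller must Close() the server.
func StartSite(siteName string) (*httptest.Server, *x509.CertPool, error) {
	cert, leaf, err := selfSignedCert(siteName)
	if err != nil {
		return nil, nil, err
	}
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body) // only readable inside the TLS session
		fmt.Fprintf(w, "received %d bytes over an encrypted connection", len(body))
	})
	srv := httptest.NewUnstartedServer(handler)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return srv, pool, nil
}

// Visit submits sampleForm the way a browser would after the user typed
// https://expectedName/. It returns true plus the server's reply when the
// certificate check passes, or false plus the verification error when not.
func Visit(srv *httptest.Server, pool *x509.CertPool, expectedName string) (bool, string) {
	transport := &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    pool,
		ServerName: expectedName, // the browser insists the cert matches this name
	}}
	defer transport.CloseIdleConnections()
	client := &http.Client{Transport: transport}
	resp, err := client.Post(srv.URL, "application/x-www-form-urlencoded", strings.NewReader(sampleForm))
	if err != nil {
		return false, err.Error()
	}
	defer resp.Body.Close()
	reply, _ := io.ReadAll(resp.Body)
	return true, string(reply)
}

func main() {
	srv, pool, err := StartSite("shop.example")
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	for _, name := range []string{"shop.example", "news.example"} {
		ok, detail := Visit(srv, pool, name)
		fmt.Printf("visiting https://%s/ -> accepted=%v: %s\n", name, ok, detail)
	}
}
```

The first visit succeeds and the form body only ever reaches the server inside the encrypted session; the second fails before any data is sent, because the browser-side check refuses a certificate issued for shop.example when the visitor asked for news.example. That refusal is the identity guarantee the article describes: the padlock appears only when the name in the certificate matches the site you meant to visit.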

Website visitors are getting more and more used to seeing the https:// prefix and the padlock symbol (both of which are evidence of a secure connection) in their browsers. As a general rule, people are more likely to trust the website, and therefore more likely to want to do business with you.

Good news all round.

No3: Google likes SSL

The Holy Grail for most commercial website owners is to ‘rank well in Google’. That is, they want their website to feature prominently in Google search.

Now, in the world of Search Engine Optimisation (SEO), there are myriad different factors that influence whether Google will rank your website favourably – and that could form the basis of a hundred different blog posts.

But one thing we DO know is that, all other things being equal, Google favours SSL websites over non-SSL websites.

For now, the advantage that it brings is ‘lightweight’. But it is an advantage nonetheless, and Google has hinted that it will become a stronger ranking factor in future, because they want to encourage the security benefits that are inherent in SSL sites.

So, an SSL website can be used as part of your plan for getting one over your competition.

No4: Imminent changes to PayPal

This is a bit specific, but it applies to a lot of small commercial businesses who take payments on their website via PayPal.

There are good reasons why most small business websites start off by taking all payments via PayPal. For many, it is realistically the only option as they would not qualify for the merchant accounts that are required for other payment processors.

Perhaps the most tangible benefit, though, is the fact that all of the sensitive data handling (i.e. credit/debit card transactions) actually takes place on PayPal’s website, and no sensitive data is ever entered onto the store’s website itself. This is why so many people use PayPal Payments Standard – it keeps life (relatively) simple.

But … but … but …

PayPal have recently announced a general move towards https connections and – in some cases – an SSL connection will be required for PayPal payments to work fully – and a particular type of SSL certificate, at that.

PayPal’s plan was, originally, that after 30th September 2016, all websites that use the PayPal IPN (Instant Payment Notification) functionality would have to be secured by SSL.

It looks like that date might be moving back into 2017 (to give webmasters time to make the changes), but it does seem inevitable that it will happen.

IPN is the functionality that allows your website to communicate with PayPal in real time. This enables, for example, websites only to complete an online order when confirmation has been received that the payment was fully successful.
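An added example (not Blackbox’s code, nor PayPal’s) of the check an IPN listener should make before completing the order, as described above: it uses PayPal’s documented postback verification (the IPN body is echoed back with cmd=_notify-validate and PayPal answers VERIFIED or INVALID), then confirms the status, recipient, amount and that the transaction has not been seen before. The order record shape, the sample notification and the injectable `postback` hook are assumptions so it can run offline.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

# PayPal's documented IPN verification endpoint (live; the sandbox uses ipnpb.sandbox.paypal.com)
VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

def paypal_postback(raw_body: bytes) -> str:
    """Echo the IPN body back to PayPal unchanged, prefixed with cmd=_notify-validate.
    PayPal replies with the text VERIFIED or INVALID."""
    req = Request(VERIFY_URL, data=b"cmd=_notify-validate&" + raw_body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def ipn_decision(raw_body: bytes, order: dict, seen_txns: set, postback=paypal_postback):
    """Return (complete_order, reason). `order` is our own record of what was due
    (hypothetical shape: receiver_email, amount, currency); never trust the IPN alone."""
    if postback(raw_body) != "VERIFIED":           # 1. PayPal must confirm it sent this
        return False, "postback not VERIFIED"
    msg = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))
    status = msg.get("payment_status")
    if status != "Completed":                     # 2. Pending/Reversed etc. never ship goods
        return False, f"payment_status={status}"
    if msg.get("receiver_email", "").lower() != order["receiver_email"].lower():
        return False, "receiver_email mismatch"   # 3. paid to our account, not someone else's
    try:
        paid = Decimal(msg.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable mc_gross"
    if msg.get("mc_currency") != order["currency"] or paid != Decimal(order["amount"]):
        return False, "amount/currency mismatch"  # 4. full amount in the expected currency
    txn = msg.get("txn_id", "")
    if not txn or txn in seen_txns:               # 5. replayed notifications are ignored
        return False, "duplicate or missing txn_id"
    seen_txns.add(txn)
    return True, "ok"

# Constructed sample notification and order record, for running offline.
EXPECTED_ORDER = {"receiver_email": "sales@example.com", "amount": "19.99", "currency": "GBP"}
CONSTRUCTED_IPN = urlencode({
    "txn_id": "CONSTRUCTED-TXN-0001", "payment_status": "Completed",
    "receiver_email": "sales@example.com", "mc_gross": "19.99",
    "mc_currency": "GBP", "custom": "order-42",
}).encode("utf-8")

if __name__ == "__main__":
    seen = set()
    # Offline run: stand in for PayPal's postback reply with a fixed VERIFIED.
    print(ipn_decision(CONSTRUCTED_IPN, EXPECTED_ORDER, seen, postback=lambda _: "VERIFIED"))
    print(ipn_decision(CONSTRUCTED_IPN, EXPECTED_ORDER, seen, postback=lambda _: "VERIFIED"))
```

The listener itself must be served over https, which is the change to PayPal IPN the post describes.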

So, if your website has any form of payment/e-commerce functionality (including donations), you need to know how this change is going to affect your site. For new websites using PayPal we will be recommending using SSL from the start as it’s just easier that way.


Implementing an SSL certificate is a technical process, there’s no way around it. How easy that technical process is to achieve comes down to what type of hosting you use. Some shared hosting providers are very good and will make the process pretty straightforward.

At Blackbox, when we create client sites on our own hosting, we can manage the SSL process for you entirely, including securing and renewing the SSL certificates as required.


In general terms, you have to pay for SSL certificates, and they have to be renewed periodically. There are a number of different certificate types, with varying levels of cost. The most expensive ones involve very detailed validation of your business, and allow you to use the much-sought-after ‘green address bar’ that you will see on major sites:

[Image: SSL ‘green address bar’ as shown in the browser]

Most sites will not require this level of validation, and in many instances the validation process is very straightforward. There are some free SSL options.


I said at the start that it’s not a very exciting subject. But it is important.

If you’re a website owner, or thinking of having a website created, I hope it’s given you some insight into the things you need to consider.

If you’d like to discuss this, or any other website requirement, simply drop us a line via the website. On an SSL-secured form, of course …

The post 4 reasons website owners need to be thinking about SSL appeared first on Blackbox Web Design.