
The General Data Protection Regulation (GDPR) relates to the collection, processing and use of personal data, and it will impact any business handling personal data from people residing in the European Union.

It will:

  • Introduce new legal rights so individuals can better protect their personal data;
  • Extend the responsibilities of organisations that use or handle personal data; and
  • Enhance the punishments for those that breach the regulation.

It will be enforced as of 25 May 2018.

But I’m in NZ. Will I need to comply?

GDPR will impact all international businesses. Even those without a physical presence in the EU will have to comply with these new rules. We recommend updating your privacy policy if you:

  • Sell goods or services to anyone who lives in the EU;
  • Collect any personal data from anyone who lives in the EU; or
  • Monitor the behaviour of anyone who lives in the EU. (This includes use of Google Analytics.)

Note that GDPR requires controls that are not part of the New Zealand (NZ) Privacy Act, meaning that complying with NZ privacy law does not ensure that you are complying with GDPR.

What is personal data according to GDPR?

According to GDPR, personal data is any type of information relating to a person who can be identified directly or indirectly. It can include:

  • Personal details such as the person’s name, address, email;
  • Financial details such as how much the person earns, credit ratings;
  • Medical details about a person’s mental or physical health;
  • Details about a person’s ethnicity, political opinions, religious beliefs, or sexual activity;
  • Images or voice recordings of a person;
  • Employment details;
  • IP address of a person that visits a website;
  • Criminal records or alleged offences;
  • Biometric data; or
  • Location data.

* Source: New Zealand Law Society

How are you collecting personal data?

You may be collecting data from different sources: data given voluntarily in exchange for free services (e.g. social networks and search engines), or data collected automatically through cookies, web analytics and sensors.
After 25 May 2018, consent must be “freely-given, specific and unambiguous, and needs to cover all intended processing activities”.
Note that pre-ticked boxes, inactivity or silence are not a form of valid consent.

Businesses will need to be clear about why personal data is being processed, and need to have legal grounds to do it.

According to GDPR, the legal grounds for processing personal data are:

  • To perform a contract;
  • The individual concerned has given consent;
  • The data controller has a legitimate interest;
  • Statutory obligation to collect and retain information (e.g. employers);
  • To perform the lawful function of a public authority; or
  • For the protection of vital interests of that person.

* Source: New Zealand Law Society

Note that if the personal data is collected to perform an online sale or to answer an online query, it cannot be used for marketing purposes unless the person gives specific and clear authorisation.

Final Tips

  • Seek legal advice if your business may directly or indirectly target European residents.
  • Make sure that when you collect data you communicate clearly how you will store and use the data.
  • You do not comply with GDPR just because you have a privacy policy on your website. Depending on your specific case, GDPR requires other controls. Even if you do not target European residents directly, but you provide services through your website worldwide, you will need to comply with GDPR rules. Even if you transfer the responsibility to a marketing agency that collects and analyses website data, you remain the data controller, and therefore you will need to comply with GDPR rules.

For more support around this, email Dora.