GDPR: Website SOS

GDPR: Website SOS

The Basics

So What Counts as Personal Data?

Any data that can be used to identify a living person directly or indirectly.

For example:

  • Name
  • Address
  • Phone Number
  • Email address
  • Location data
  • IP address

What Rights Do Data Subjects Have Under GDPR?

As explained by the ICO, data subjects have the following rights concerning their personal data:

  1. Information
  2. Access
  3. Rectification
  4. Erasure
  5. Restrictions on processing
  6. Data portability
  7. Objection
  8. Revision of automated decisions or profiling

The GDPR refers a lot to data processing. This simply refers to any operation that is performed on personal data – collection, storage, amendment, deletion etc.


Consent must be collected when no other legal basis applies. e.g Contracts, Expenses etc

  1. Data Capture Forms
  2. Privacy Statement
  3. Data Processing

Consent must be:

Given freely – no-one should be tricked or coerced into supplying their personal data.

Explicit – if you want to add email addresses from a contact form to a mailing list, you can’t use a pre-ticked checkbox automatically opting them in.

Specific and separate – if there are multiple processing purposes, consent must be obtained separately for each one. So if they were to opt-in for a competition, you would also need the second checkbox to join your mailing list.

  1. Yes to enter the competition under its terms and conditions.
  2. Yes to receiving email marketing.

Named – state your company name and any others that will be processing the data.

Able to be withdrawn at any time – if someone wants to opt out later, you must allow them to. You should make it easy to do this.

  1. Include a clear opt-out on email marketing, SMS or notification settings in-app.
  2. Include a form on your privacy statement page or direct users to a point of contact to request information on the data you have stored on them.

You need to record:

  1. What someone has consented to.
  2. When they consented.
  3. How they did it.
  4. What they were told about how their information would be used.

A Compliant Website

The minimum requirement for a compliant website covers 3 areas:

  1. Compliant Forms (Active Opt-in, Unbundles Terms, Consent Statement & Link to Privacy Policy)
  2. Compliant Privacy Policy (What data you collect & How you use it)
  3. Compliant Records of Consent (CRM Records storing IP address, consent statement, date & time)

Data Collection Grade A+

Forms: Active Opt-In

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.

As an example, Boots registration form used pre-ticked opt-in boxes, forcing the user to actively opt-out. This is naughty & must be changed.

Unbundled Opt-In

The consent you are asking for should be set out separately for accepting general terms and conditions, and acceptance of consent for other ways of using data.

In this example, Sainsbury’s clearly set out the acceptance of their terms and conditions, and separately set out the active opt-in for their contact permissions.

It’s a shame Sainsbury’s didn’t get the option to be more granular in terms of communication opt-in preferences (email, SMS, post).

Granular Opt-In

Users should be able to provide separate consent for different types of processing.

In this example, ABC Awards are asking for specific permission for each type of processing (post, email, telephone) and also asking permission to past details onto a third party.

Privacy Policy & UX Examples

Age UK

The charity’s privacy policy is partly shown below and was updated in April 2017. I like the layout of information. It looks well prepared for next year’s regulation and includes information about updating your details, security precautions, any transfer outside of Europe and any profiling that may take place. Check it out here.


Another superb prototype from the ICO, also useful in mobile UIs particularly, is the just-in-time privacy notice.

As you can see in the GIF below, when the user engages with a data field, relevant information is displayed at that time with a pop-up style hint.


Do you need support updating your website forms and processes to become GDPR compliant? Speak to our team today to see how we can help.

Chris Nutbeen

Founder of Nuttifox and digital geek. Chris likes data proof, beautiful UX and clients with miracle allowing budgets.

Leave a Reply

Your email address will not be published. Required fields are marked *