Overview
Be warned - this one is a long read. If you want to skip ahead, these are the juicy bits:
Note: This blog post should not be regarded as legal advice, nor is it necessarily directly applicable to similar websites. In general, I'm covering technical and functional requirements (e.g. consent, data access) - not all of the organisational requirements (e.g. Data Protection Officer role, contracts, internal processes, risk assessment). Remember, a website is only one of many potential touchpoints where GDPR may affect an organisation. Use this as an inspiration for your own audits, not a template.
Conducting a GDPR website audit
When performing a real-life GDPR audit, you'll most likely consult a GDPR expert, who will help you run through a series of self-assessment checklists. These checklists cover all the rights and requirements detailed in the new GDPR regulation, both on a technical and organisational level. This exercise results in a gap analysis report that highlights your current level of compliance, and concrete key steps towards sufficient compliance.
While the full text of the regulation contains 99 articles (descriptions of rights or requirements), not all of these apply to all organisations (depending on your sector of business, and the type of personal data being processed.)
For my demo audit, I will work through the GDPR articles in order, however I will only pause at the articles relevant for this particular website.
In some places, I have made assumptions about underlying technologies/systems on the "QJet" site for the sake of argument and demonstration.
A perfect practice candidate
The demo site "QJet" (edit: demo site is now removed) was made to showcase key features of Episerver CMS - page editing, blocks composition, search facets, responsive layouts and personalisation techniques. It's a website for a fictional airline company, mixing elements from digital marketing, content and commerce.
The site was never meant to be a shining beacon of design, nor a textbook example of security and privacy practices. It also hasn't changed much since it launched back in 2015.
All this actually makes it a perfect candidate to practise a GDPR compliance audit on, as many of its shortcomings are undoubtedly shared by many real sites out there - and site owners who are now scrambling to determine how GDPR is affecting them.
As Episerver developers, this is the sort of task you may well find yourself doing very soon for your clients. Designers, developers and content strategists should all be familiar with the new requirements of the GDPR, to be the best possible advisors when working on new or existing web sites.
An overview of the QJet site's main features
In case you're unfamiliar with the "QJet" demo site:
The primary task of the site is to inspire and enable visitors to book a flight.
Secondary tasks are checking real-time flight status, viewing customer profiles and flight history, and signing up for bonus programs and newsletters.
Personal data is collected for business/commercial purposes, such as:
- Registering customer details when booking and paying for a flight
- Gathering contact details through various user-input forms
- Tracking website usage statistics (although this cannot be traced back to the individual user)
Note: Although the site only has a dummy booking feature, for this audit I'm presuming it's fully implemented and requires a minimum of basic data inputs, such as name, postal/email address and payment information.
Various elements of the site include personalisation techniques (using Episerver Visitor Groups), such as:
- IP-based lookup of the visitor's location
  - To act as default "from"-location in the flight search
  - To determine if they are from places with "bad weather"
  - To determine whether to show "winter" or "summer" themed banners
  - To show "nearby" and "distant" destinations
- Recommendations based on the visitor's preferences
  - Destinations in the same part of the world as other destinations preferred by the visitor (e.g. "Europe" or "United States")
  - Destinations that offer the same activities as other destinations preferred by the visitor (e.g. "sand and sea" or "ski and snowboard")
- Bonus program membership status
  - To display default content and sign-up for non-members
  - To display promotional content for visitors showing an interest in the bonus program
  - To display premium content and offers for existing bonus program members
Note: Recommendations are either derived from the visitor's real-time browsing behavior, or from aggregated data in their customer profile.
Customer profile features include:
- Viewing personal information (name, home base)
- Viewing membership status (membership date, level, travel miles)
- Viewing preferred interests (activities) and destinations
- Viewing flights/booking history
Note: If this was a real site, I'm presuming the customer profiles are stored (unencrypted, but transmitted using HTTPS) in a CRM system, and data is being retrieved on-demand by the CMS.
Submittable forms include:
- Newsletter email subscription (in the footer) (edit: outdated link removed)
- Bonus program ("QClub") sign-up (edit: outdated link removed)
- Special offers (personalized email) (edit: outdated link removed)
- Contact form (name, email, message) (edit: outdated link removed)
The "QJet" self-assessment audit
I find it's helpful to structure the audit as self-assessment questions, to determine whether an article applies to the site.
In this sense, "we" refers to the QJet organisation.
Chapter 1 (articles 1-4): General provisions
Are we dealing with the personal data of natural persons? (Article 1)
Yes. Our customers are individuals (not organisations), and we process some of their personal information, like their names, contact information and location data.
Are we processing personal data by (partly or wholly) automated means, or storing personal data in a structured format in a filing system? (Article 2)
Yes. Our site includes web forms, as well as semi-automated personalisation and data aggregation techniques. The personal data we collect is stored (unencrypted) as records in a CRM system.
Can our operation be considered a "personal or household" activity, or dealing with "national and common security" (in which case, the GDPR would not be applicable to us)? (Article 2)
No. We're a private, commercial enterprise dealing in commodity services.
Is our data processing taking place within the European Union? (Article 2)
Yes. The "About us" section lists QJet headquarters in Chicago, USA (which is decidedly outside the EU) and in London, UK (which is inside the EU, at least until Brexit takes effect in 2019).
However, the question was where the actual data processing is taking place, and the first point of contact is the website.
An nslookup of the qjet.episerverdemo.com domain reveals that it's cloud-hosted on Microsoft Azure, from a data center in Dublin, Ireland (which is within the EU). So the answer is: Yes, our data processing is taking place within the EU.
Are we offering our products/services to (and consequently, processing the personal data of) citizens within the EU? (Article 3)
Yes. Our visitors/customers are based all over the world, including EU countries.
(Article 4 skipped, as it just contains definitions.)
So far so good - we've determined that we're affected by the GDPR, and that we need to attain compliance.
Always good to get that out of the way first!
Chapter 2 (articles 5-11): Principles
Is personal data being collected for legitimate purposes (and not further processed in a manner that is incompatible with those purposes)? ('Purpose limitation' - Article 5.1b)
Yes. Collection of personal data is required to complete the customer's objective of booking and paying for a flight, and for QJet's ability to offer services relevant to the user's interests.
In other areas of the website, we are collecting various pieces of information, either directly (e.g. email address, by the user volunteering this information in a webform), or indirectly (e.g. activity/destination preferences, gathered automatically from the user's browsing behavior.) The purpose of gathering this additional personal data is to limit communication and offers to what we believe is relevant to the interests of the data subject.
Are we only collecting personal data that is adequate, relevant and limited to what is necessary for our purposes? ('Data minimisation' - Article 5.1c)
Yes:
- For the booking process, we only ask for personal information required by international airline regulations - first name, last name, date of birth and country of residence.
- For the newsletter feature, we only ask for their email address.
- For the contact form, we only ask their first and last name, their email (along with their inquiry text).
- For the QClub signup, we only ask their name, email and phone number.
Are we processing personal data in a lawful manner? (Article 6.1)
Yes, we claim our processing is lawful on the following grounds:
- the data subject has given consent to the processing (Article 6.1a) - the newsletter signup, contact form and QClub signup require active, consenting participation from the data subjects.
- for the performance of a contract to which the data subject is party (Article 6.1b) - bookings cannot be completed without the user's personal info.
- for compliance with a legal obligation to which the controller is subject (Article 6.1c) - the airline is required by international regulations to identify their passengers.
- for the purposes of the legitimate interests pursued by the controller (Article 6.1f) - by analyzing individual and aggregated customer data, our customers will get more relevant business offers in terms of personalized direct marketing and content recommendations. We believe this is in accordance with reasonable expectations for a business relationship with our customers.
Are we relying on the consent of our data subjects for processing their personal data? (Article 6.1a)
Yes, we are relying on their consent (requiring active participation) for the following features:
- The QClub membership signup form (email, phone).
- The Special Offers email subscription form.
- The newsletter subscription in the website footer.
- The contact form on the "Contact Us" page.
Note: All of these features lack a reference to QJet's privacy policy, describing in detail how the data will be processed.
We are NOT relying on data subjects' consent for processing personal data in the booking part of the website, as that processing is lawful on other grounds (see 6.1b and 6.1c).
Are we keeping records of the data subjects' consent to processing? (Article 7.1)
Yes, for the features where we rely on consent, we are storing their consent in their customer profiles:
- Newsletter signup: Timestamp and consent type (email - newsletter).
- Contact inquiries: Timestamp and consent type (email - contact).
- Special Offers signup: Timestamp and type (email - special offers).
- QClub signup: Timestamp and consent types (email and phone).
Note: All of these features require active user participation by design, and for most of them (special offers, newsletter and contact form), email is the only implicit consent being asked - therefore, those don't require a dedicated checkbox for consent (but consent type must be explicitly reflected in their customer profile).
However, the QClub signup collects both email and phone, which would require separate consents to be recorded (via separate checkboxes) - this is missing (see 7.2).
Note: The QJet demo site does not actually demonstrate that consent is stored in the underlying CRM - I'm presuming it for the sake of argument.
Tip: Check out more examples on unbundled consent and checkboxes, and how to store consent information with your Episerver Forms for GDPR compliance.
Are our requests for consent made in a logical context, using plain and simple language? (Article 7.2)
No. The forms collecting personal data don't actually contain any text asking for consent. All the forms should also link to the privacy policy, and the QClub signup should have separate direct marketing consent checkboxes (unchecked by default!) for email and phone.
Can data subjects withdraw their consent to processing of their personal data "at any time"? (Article 7.3)
No. There is currently no feature on the self-service (My Page) part of the QJet site that lets users withdraw their consent.
While they can certainly contact QJet by email or phone to demand this (and this would technically meet the compliance requirements), most businesses would benefit from allowing logged-in users to self-service this kind of task.
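The consent ledger described for the QJet customer profiles, as an added example that is not Episerver or QJet code. It records one entry per consent type with a timestamp (single-consent forms count submission itself as the active consent; the QClub form only records the channels actually ticked), supports withdrawal "at any time" without losing the original record, and produces a machine-readable copy. The consent type names, the form-to-consent mapping and the policy_version field are assumptions.

```python
"""Per-channel consent ledger, modelled on the audit's presumed CRM records."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import json

# Consent types listed in the audit, one per channel (constructed identifiers).
NEWSLETTER = "email-newsletter"
CONTACT = "email-contact"
SPECIAL_OFFERS = "email-special-offers"
QCLUB_EMAIL = "email-qclub"
QCLUB_PHONE = "phone-qclub"

# Which consents each form may record. QClub collects two channels, so it
# must record them separately (Article 7.2) instead of as one bundled "yes".
FORM_CONSENTS = {
    "newsletter": {NEWSLETTER},
    "contact": {CONTACT},
    "special_offers": {SPECIAL_OFFERS},
    "qclub": {QCLUB_EMAIL, QCLUB_PHONE},
}


@dataclass
class ConsentRecord:
    consent_type: str
    given_at: datetime
    policy_version: str            # which privacy policy text was shown (Article 13)
    withdrawn_at: Optional[datetime] = None


@dataclass
class CustomerProfile:
    email: str
    consents: list = field(default_factory=list)

    def record_consent(self, form, policy_version, checked=None, now=None):
        """Store consent for a submitted form. For single-consent forms the
        submission is the consent; for multi-consent forms only the ticked
        boxes ('checked') are stored, so unticked boxes leave no record."""
        now = now or datetime.now(timezone.utc)
        allowed = FORM_CONSENTS[form]
        if checked is None:
            if len(allowed) != 1:
                raise ValueError(f"form {form!r} needs explicit per-channel choices")
            checked = allowed
        unknown = set(checked) - allowed
        if unknown:
            raise ValueError(f"form {form!r} cannot record {sorted(unknown)}")
        for ctype in sorted(checked):
            self.consents.append(ConsentRecord(ctype, now, policy_version))

    def withdraw(self, consent_type, now=None):
        """Withdraw consent (Article 7.3): keep the original record as evidence
        of when it was given, and mark when it was withdrawn."""
        now = now or datetime.now(timezone.utc)
        for rec in self.consents:
            if rec.consent_type == consent_type and rec.withdrawn_at is None:
                rec.withdrawn_at = now

    def has_consent(self, consent_type, at=None):
        """Check before each mailing/call: was a consent valid at time 'at'?"""
        at = at or datetime.now(timezone.utc)
        return any(r.consent_type == consent_type and r.given_at <= at
                   and (r.withdrawn_at is None or r.withdrawn_at > at)
                   for r in self.consents)

    def export_dict(self):
        """Plain-data copy of the consent records (Articles 15.3 and 20.1)."""
        return {"email": self.email, "consents": [
            {"type": r.consent_type, "given_at": r.given_at.isoformat(),
             "policy_version": r.policy_version,
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self.consents]}

    def export_json(self):
        return json.dumps(self.export_dict(), indent=2)
```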
(Articles 8-9-10-11 skipped, as they aren't relevant to QJet's operations.)
Chapter 3 (articles 12-23): Rights of the data subject
(Article 12 skipped, as this describes the internal organisational procedures that must be in place to comply with the rights of the data subject - which is important, but falls outside the scope of this exercise.)
For personal data submitted directly by the data subjects, are we providing sufficient information about how we process that data? (Article 13.1)
(For QJet, this would be information such as name, email and phone number.)
No. The website currently lacks an easily accessible privacy policy, which should include information about:
- The identity and contact information for the controller and/or data protection officer.
- The purpose and legal basis for processing.
- Legitimate interests for processing.
- Who has access to the data.
The privacy policy should be referenced both site-wide (e.g. in the footer) and at touchpoints where personal data is collected (e.g. next to signup forms).
For personal data submitted directly by the data subjects, are we providing sufficient information about the rights of the data subjects? (Article 13.2)
No. This should also be in the privacy policy, detailing:
- How long the personal data is being stored.
- Their right to access/request a copy of their personal data.
- Their right to have their personal data corrected/deleted.
- Their right to object to further processing (AUTHOR'S NOTE: This right may be overruled by either legal basis, or legitimate interests for processing).
- Their right to withdraw their consent (e.g. to receive newsletters, special offers).
- Their right to complain to a supervisory authority.
- Whether personal data is collected/retained due to contractual requirements.
- Whether personal data is being used in automated decision-making and/or profiling.
Note: "Automated decision-making and/or profiling" refers to mechanisms that leverage personal data (either directly submitted or indirectly obtained) to make business decisions that result in legal or significant outcomes for the data subject. QJet leverages personal/behavioral data for personalisation (using Visitor Groups), but this does not limit the users' possible outcomes (they are not denied service or forced into obligations in any way.) Website analytics (which is primarily used as a statistical tool) also does not fall into the "profiling" category.
For personal data obtained indirectly by QJet, are we providing sufficient information about how we process that data? (Article 14.1 and 14.2)
(For QJet, this would be data that's aggregated from search/browsing behavior or from booking history, such as home base, interests and top destinations.)
No. This should also be in the privacy policy. In addition to the information listed above for Article 13.1, the policy should also list:
- The identity and contact information for the controller and/or data protection officer.
- The purpose and legal basis for processing.
- Who has access to the data.
- Whether we collect any "special category" personal data (ethnic, racial, sexual, political, religious, health-related or biometric).
- How long the personal data is being stored.
- Legitimate interests for processing.
- Their right to access/request a copy of their personal data.
- Their right to have their personal data corrected/deleted.
- Their right to object to further processing (e.g. aggregating their interests/top destinations, personalizing content on the site.)
- Their right to withdraw their consent (e.g. to receive newsletters, special offers).
- Their right to complain to a supervisory authority.
- The sources (public or internal) from which the personal data was obtained.
- Whether personal data is being used in automated decision-making and/or profiling.
Can our customers access the personal data we have collected about them? ('Right of access' - Article 15.1)
No, not sufficiently. While the My Page section lists all the personal data we have openly collected, the website lacks a privacy policy detailing how we process that data.
Can our customers obtain a copy of their personal data upon request? ('Right of access' - Article 15.3)
No. Technically, we can compile such a copy manually upon request (which would meet compliance), but we lack a procedure to automatically compile an electronic copy (in a common data format) for the data subject upon request. (More on this in Article 20 discussed below.) We also collect more data about the customers than what is actually stored in their profile (real-time behavior data used for Visitor Groups) - which cannot be accessed afterwards by the data subject upon request.
Can our customers have their personal data corrected? ('Right to rectification' - Article 16)
No. Technically, they can contact us by email or phone to have us correct certain data (which would meet compliance, but be a major helpdesk burden), but the personal information on the My Page part of the site cannot be changed by the customer.
Can our customers have their personal data deleted? ('Right to erasure / to be forgotten' - Article 17)
No. Technically, they can contact us by email or phone to have us delete certain data (which would meet compliance, but be a major helpdesk burden), but the personal information on the My Page part of the site cannot be changed by the customer.
In addition, there is certain personal data that has been transferred to third parties that cannot be deleted upon request, because retention of that data is required for compliance with international regulations (e.g. passenger information supplied to EU aviation authorities.)
Can our customers place restrictions on our processing of their personal data? ('Right to restriction of processing' - Article 18)
Yes, partially. While the site does not have a self-service option to register such restrictions, they may contact us at any time by email or phone to place their restrictions (which would meet compliance, but be a major helpdesk burden). We will then assess whether we're at fault regarding the accuracy of the data we've collected, or the lawfulness of our processing, and halt such processing until the matter has been resolved. Such processing includes personalisation techniques (like Visitor Groups).
However, some processing (namely the transfer of passenger data to EU aviation authorities) cannot be restricted by the data subject.
(Article 19 skipped, as this describes the internal procedures that must be in place to notify third parties about a request to rectify or delete personal data, or an objection to processing.)
Can our customers easily port their personal data to another controller? ('Right to data portability' - Article 20.1)
No. Technically, we can compile such a copy manually upon request (which would meet compliance, but be a major helpdesk burden), but we lack a procedure to automatically compile an electronic copy (in a common data format) for the data subject upon request.
Note: Producing an electronic copy does not necessarily have to be a built-in feature of the website, but businesses would benefit greatly from having this feature either in the internal systems (e.g. CRM), or as a self-service feature for logged-in users.
Are we prepared to transmit a copy of data subjects' personal data to another controller upon request? ('Right to data portability' - Article 20.2)
Yes, we will transmit the (manually compiled) electronic copy to another controller upon request, in a common, machine-readable format (e.g. Excel or XML.) None of the personal data we collect is of a sensitive nature.
Note: While Article 20 states that data subjects can request that the controller transmits the electronic copy directly to another controller, doing so in an automated, seamless way (e.g. direct conversion via API) is not always technically feasible.
Can the customers object to our processing of their personal data? ('Right to object' - Article 21)
Yes. While the site does not have a self-service option to register such objections, they may contact us at any time by email or phone to lodge their objections (which would meet compliance, but be a major helpdesk burden). We will then remove the data subject from any personalisation segmentation (Visitor Groups), essentially rendering them anonymous as far as the site is concerned.
The email newsletters we send out also have an easily accessible unsubscribe link, which will automatically record their objection to processing (direct marketing via email) in our CRM system and exempt them from future newsletter mailings.
However, some processing (namely the transfer of passenger data to EU aviation authorities) cannot be objected to by the data subject.
Are visitors to the QJet site subjected to automated decision-making that has legal or significant effects for the data subject? (Article 22)
No. The QJet site only uses personal data to provide content recommendations and fulfill marketing functionality based on consent. Our (semi-)automatic processing is not limiting their freedoms or imposing any legal or significant effects on them.
(Article 23 skipped, as this only describes possible legislative restrictions and safeguards applicable to Member States of the EU.)
Chapters 4-11 (Articles 24-99)
In short, the rest of the GDPR regulation is outside the scope of this exercise.
Articles 24-99 cover overall responsibilities of the controller/processor (which are described in detail in earlier chapters), responsibilities regarding data breach notifications, responsibilities of supervisory authorities, cooperation between supervisory authorities, penalties for breach of the GDPR regulations, and how the new GDPR regulation supersedes previous regulations.
That's right - you can more or less skip almost 75% of the GDPR regulation, as long as you've done thorough work in articles 1-23 (this is where the heavy lifting gets done, anyway.) This should be enough to perform a pretty thorough audit of how a site like QJet meets the technical requirements of the GDPR. But as I said in the intro, don't take this as legal advice!
However, there are still organisational requirements that must also be in place in order to meet GDPR compliance. These procedures are most prominently featured in articles 15-22, where the rights of data subjects often lead to the controller having to perform some kind of data transfer, processing restriction or information relay to other parties.
Audit summary
Obviously, the QJet site is not GDPR-compliant as it stands. The audit revealed the following shortcomings:
Must be fixed, in order to meet base compliance:
- The site has no privacy policy.
- The input forms (signup/contact forms) must have a reference to the privacy policy.
- The QClub signup form should have separate checkboxes (unchecked by default) for consent to direct marketing via email and phone.
- Users are unable to easily withdraw their consent to direct marketing.
- Users are unable to access all the personal data QJet has collected about them.
- Users are unable to rectify their own personal data.
Should be fixed, for a smoother customer experience, and/or to relieve helpdesk:
- Users should be able to download a copy of their own data, in a standardized, machine-readable format (e.g. XML or JSON).
- Users should be able to register an objection to processing of their personal data or being subjected to profiling.
- Users should be able to register a request to have some/all of their personal data deleted.
- There must be a way to omit users from being profiled on-site (e.g. being excluded from real-time Visitor Groups personalization.)