NOTE: Jules Webb and Sue Baily Weaver are NOT lawyers and the information shared here should not be considered legal advice. Please consult your lawyer for specific advice about your unique situation.
The Idea is Simple
“General Data Protection Regulation” (GDPR) summary according to the European Commission
In (very) short: GDPR states that if a website collects, stores, or uses any data related to an EU citizen, the entity that owns the website must comply with the following:
- Tell the user: who you are, why you collect the data, for how long you will store the data, and who will receive/process the data.
- Get a clear consent from users, before collecting any data
- Let users access their data, and take it with them
- Let users delete their data
- Let users know if data breaches occur
What is the GDPR?
The GDPR stands for General Data Protection Regulation, which comes from the EU and associated countries. Its purpose is to finally make good on a legal question from several years ago about how personal data is used and whether individuals own the data that they create by interacting with websites online. The courts ruled that individuals are the owners of their data, not the corporations (or websites) that collect the data. Therefore, data must be deleted on a regular basis so that customers don’t have to constantly contact websites they may have visited and ask them to delete their data. Who should delete that customer data? Good question. The ruling was specific to EU customers, so while it impacts European businesses quite significantly, the majority of American businesses didn’t even know it was happening. Cite: https://www.searchenginejournal.com/what-is-gdpr/251087/
What is Personal Data?
Examples: an email address like “name@wherever.com” or an IP address is considered personal data because it can reveal a user’s location. Basically, GDPR affects anyone who collects or processes personal data associated with EU citizens. Here are some examples of situations that require collecting personal data:
- collecting email addresses for a newsletter or marketing list (“name@wherever.com” is personal, “info@wherever.com” is not considered personal)
- having a shopping cart installed for taking orders
- using Google Analytics to analyse website traffic (IP addresses used)
- having comments turned on for pages/posts on your website, etc.
- storing photos of people (would apply to wedding photographers, membership sites – like Facebook)
- using a plugin on your website that uses cookies / sends data to other places
It’s not Obvious who is an EU Citizen
There is no really good way to know if you have collected personal data from EU citizens. Example: a German graduate student studying at WSU could sign up to receive your newsletter with an email address like “name@gmail.com” and you would have no way of knowing that they were from Germany.
Why is GDPR a Good Thing?
- It is basically writing “permission based” marketing into law
- It is meant to rein in the big corporations, not hurt small businesses
- Less spam means that there’s less noise
- Keeping only the people who care about your content on your email list, and losing the rest, makes the list cheaper to maintain
From Seth Godin’s Recent Blog:
GDPR and the marketer’s dilemma
“On the twentieth anniversary of Permission Marketing, the EU has decided to write the basic principles of that book into law…
“…Talk to people who want to be talked to.
“Market to people who want to be marketed to.
“Because anticipated, personal and relevant messages will always outperform spam.
“And spam is in the eye of the recipient.
“In two simple words: Ask First…”
Seth Godin
Cite: http://sethgodin.typepad.com/seths_blog/2018/05/gdpr-and-the-marketers-dilemma.html
Implementation: Overview of Steps to Take to Prepare for GDPR Compliance
“The idea is simple. The implementation is what gets convoluted.” Jules Webb (thanks for the quote, Jules! – Sue)
- Auditing Personal Data You Collect
- Privacy Policy
- Cookies – add checkbox to give consent to collect their data and accept privacy policy
- For Member Based Websites – new signups – add checkbox to give consent to collect their data and accept privacy policy
- All Forms (Contact, Comments, etc.) – add checkboxes to give consent to collect their data and accept privacy policy
- Newsletter Subscribers
  - Current subscribers – re-opt-in
  - New subscribers – add checkbox to give consent to collect their data and accept privacy policy, and to accept marketing and/or product offers
- Google Analytics
  - New default setting will be “User and event data retention” set at 26 months (Google Analytics > Admin > Account Settings > Tracking Info > Data Retention)
  - Anonymize IPs while tracking (done manually or via plugin settings)
  - Enable support for user opt-out (done manually or via plugin settings)
- Process for Data Deletion Request
- Signed Processor Agreement
- Update your Business Insurance Policy
(1) Auditing Personal Data You Collect
Set up a spreadsheet so that you know what, where, and how to comply with a request to delete a person’s information.
Tool | Type | Personal Data | Data Processing Agreement | GDPR Compliant? | Checklist User Data Request |
---|---|---|---|---|---|
Salesforce | CRM | Name, Email Address, Phone | ❌ | ❌ | ❌ |
Google Drive | Office | Backups | ❌ | ❌ | ❌ |
AWS | CDN, Offsite Bkup | Backups | ❌ | ❌ | ❌ |
Dropbox | Office | Backups | ❌ | ❌ | ❌ |
Gmail | Emails | | ❌ | ❌ | ❌ |
Google Analytics | Analytics | UserID | ❌ | ❌ | ❌ |
MailChimp | Email Marketing | Email, Name | ❌ | ❌ | ❌ |
WordPress | CMS | User Profile | ❌ | ✅ | ❌ |
HostGator | Hosting Service | Email, Name, Database | ❌ | ✅ | ❌ |
Flywheel | Hosting Service | Email, Name, Database | ❌ | ❌ | ❌ |
Freshbooks | Accounting | Email, Name, Address, Phone | ❌ | ❌ | ❌ |
PayPal | Payments | Email, Name, Address | ❌ | ❌ | ❌ |
(2) Privacy Policy
Be transparent about what information the user is giving to you and how it is being used. Make sure you have a Privacy Policy. Put a link to it on every page of your website in the footer. (For the easiest option, see iUbenda.com)
(3) Cookies (used by many WordPress plugins)
When a cookie can identify an individual, it counts as personal data. You need to disclose to users that your website uses cookies and get consent—usually via a pop-up form. It’s also recommended to add a link to your cookie policy in the footer of every page of your website.
(4) Member Based Websites
Set up a process/workflow/checklist of where to look and what to do in order to clear a person’s data from your system. WordPress has just rolled out functionality to help us with this.
(5) Forms (Contact, Comments, etc.)
Update forms to include a checkbox for users to agree to the storage and handling of their data, as well as a checkbox to accept marketing emails if you are planning on marketing to them. Having them double opt-in is also recommended.
Do Not Use a Pre-Ticked Box – For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.
Form Checkbox Example Text
✅ By using this form you agree with the storage and handling of your data by this website.
(6) Newsletter Subscribers
Newsletter Checkbox Example Text
Again, DO NOT use pre-ticked boxes. Add a link to your Privacy Policy with a required checkbox to say that users have read it.
✅ By using this form you agree with the storage and handling of your data by this service (MailChimp, etc.).
✅ I agree to receive email containing helpful information and offers for products and services.
✅ I have read and agree to [Company]’s Privacy Policy. (link to privacy policy)
Keep consent requests separate from other Terms & Conditions – Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service.
Turn on double opt-in – I don’t think this is required by GDPR, but it is a best practice so that some malicious person can’t sign someone else up for your list. It is also better proof that a user has given consent and it’s just polite.
Make it easy for people to withdraw consent—and tell them how to do it. All major email laws, including CASL in Canada and CAN-SPAM in the U.S., require brands to give their subscribers the opportunity to opt out from receiving emails. Each promotional email you send must include an option to unsubscribe. If you are already compliant with current Canadian, American, or European email laws, you may not have to change much when it comes to this requirement for GDPR compliance.
Re-Opt-in for Existing Newsletter Lists – Get your existing EU subscribers to re-opt-in (called ‘Permission Passing’). In simple terms, you need to get explicit permission from your EU email database to email them after the 25th of May 2018, once the GDPR takes effect.
Cite: 5 Things You Must Know about Email Consent under GDPR https://litmus.com/blog/5-things-you-must-know-about-email-consent-under-gdpr
(7) Google Analytics
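The consent checkboxes described in sections (5) and (6) above, handled in code. This is an added example for a Node.js form handler, not code from the original post or from any plugin it mentions. The field names `data_consent`, `marketing_consent` and `privacy_read`, and the policy version label, are assumptions for this example. It shows the three rules from the text: the rendered box is never pre-ticked, the marketing consent is a separate purpose that can be refused without blocking the form, and each consent is recorded with a timestamp and the policy version so it can later be proven or withdrawn.

```javascript
// Added example (not from the original post): handling the consent checkboxes
// from sections (5) and (6) in a Node.js form handler. The field names
// data_consent, marketing_consent and privacy_read, and the policy version
// string, are assumptions for this example.

const PRIVACY_POLICY_VERSION = "2018-05-25"; // assumed label for the policy text the user saw

// Browsers send a checkbox field only when it is ticked, so a missing field
// means "not ticked". Only the literal checked values count as consent.
function isTicked(value) {
  return value === "on" || value === "true" || value === "1" || value === true;
}

// Emit a checkbox for the HTML form. It never carries the `checked` attribute,
// so consent can never be inferred from the user doing nothing.
function renderConsentCheckbox(name, label, required) {
  const req = required ? " required" : "";
  return `<label><input type="checkbox" name="${name}" value="on"${req}> ${label}</label>`;
}

// Validate a submission and build the consent record to store.
//  - data_consent and privacy_read are required (storage/handling, policy read)
//  - marketing_consent is a separate purpose and optional: leaving it unticked
//    must not block the form, which keeps it unbundled from the other consents
// Returns { ok: true, record } or { ok: false, errors }.
function processSubmission(fields, now = new Date()) {
  const errors = [];
  if (!isTicked(fields.data_consent)) errors.push("data_consent must be actively ticked");
  if (!isTicked(fields.privacy_read)) errors.push("privacy_read must be actively ticked");
  // Shape check only; real deliverability is proven by the double opt-in mail.
  if (typeof fields.email !== "string" || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(fields.email)) {
    errors.push("email is missing or malformed");
  }
  if (errors.length > 0) return { ok: false, errors };

  const at = now.toISOString();
  const record = {
    email: fields.email.trim().toLowerCase(),
    // One entry per purpose: what was agreed, when, and against which policy text.
    consents: {
      data_storage: { given: true, at },
      marketing: { given: isTicked(fields.marketing_consent), at },
    },
    privacy_policy_version: PRIVACY_POLICY_VERSION,
    // Double opt-in: nothing is sent until the confirmation link is clicked.
    status: "pending_confirmation",
  };
  return { ok: true, record };
}

// Withdrawal of marketing consent keeps the history (when it was given and
// when it ended) so that the consent trail stays auditable.
function withdrawMarketingConsent(record, now = new Date()) {
  return {
    ...record,
    consents: {
      ...record.consents,
      marketing: { ...record.consents.marketing, given: false, withdrawn_at: now.toISOString() },
    },
  };
}
```

The `status` field is what makes the double opt-in work on the server side: a record stays `pending_confirmation` until the confirmation link is visited, so a third party cannot sign someone else up. The withdrawal function deliberately does not delete the marketing entry; keeping the given/withdrawn timestamps is what lets you answer a later "when did you have permission to email me" question.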
Google Analytics uses cookies to track the number of users coming to your website, where they are from, and where they go. You may be required to do one or more of the following:
- Use the new Google Analytics (GA) default setting for “User and event data retention” (26 months)
- To view, go to: Google Analytics > Admin > Account Settings > Tracking Info > Data Retention
- Anonymize IPs while tracking (done manually or via plugin settings)
- Enable support for user opt-out (done manually or via plugin settings)
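The “Anonymize IPs” and “user opt-out” items above, expressed in code for a site that loads Google Analytics through gtag.js. This is an added example, not code from the original post or from Google. The property id `UA-000000-0`, the fake `win` object and the sample IP addresses are constructed placeholders. The `anonymize_ip` config flag and the `window['ga-disable-<PROPERTY_ID>']` opt-out flag are the mechanisms Google documents for these two settings; the last function re-implements the truncation Google documents for IP anonymization (last IPv4 octet zeroed, last 80 bits of an IPv6 address zeroed) so you can see how much of an address remains.

```javascript
// Added example (not from the original post): the Google Analytics items above
// expressed in code for a site that loads gtag.js. The property id "UA-000000-0",
// the fake `win` object and the sample IP addresses are constructed placeholders.

// (a) Anonymize IPs: gtag('config', id, { anonymize_ip: true }) is the documented
//     gtag.js setting. This returns the argument list to pass to gtag().
function gtagConfigArgs(propertyId) {
  return ["config", propertyId, { anonymize_ip: true }];
}

// (b) User opt-out: Google's tracking code skips a property when the page sets
//     window['ga-disable-<PROPERTY_ID>'] = true before the tracker runs.
function optOutKey(propertyId) {
  return "ga-disable-" + propertyId;
}
function setOptOut(win, propertyId) {
  win[optOutKey(propertyId)] = true;
  return optOutKey(propertyId);
}
function isOptedOut(win, propertyId) {
  return win[optOutKey(propertyId)] === true;
}

// (c) Tie both to the cookie-consent pop-up: with no consent, set the opt-out
//     flag and configure nothing; with consent, configure with anonymize_ip.
//     Returns true when tracking was configured.
function configureAnalytics(win, propertyId, hasCookieConsent) {
  if (!hasCookieConsent) {
    setOptOut(win, propertyId);
    return false;
  }
  if (isOptedOut(win, propertyId)) return false; // user opted out earlier
  if (typeof win.gtag === "function") win.gtag(...gtagConfigArgs(propertyId));
  return true;
}

// (d) What anonymize_ip does on Google's side, per their documentation: the last
//     octet of an IPv4 address is zeroed and the last 80 bits of an IPv6 address
//     are zeroed before the address is stored. Implemented here so you can see
//     how much of the address survives.
function expandIpv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("invalid IPv6 address: " + ip);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  return groups.map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error("invalid IPv6 group: " + g);
    return parseInt(g, 16).toString(16); // drop leading zeros, lower-case
  });
}

function anonymizeIp(ip) {
  if (ip.includes(":")) {
    const groups = expandIpv6(ip);
    // keep 48 bits (3 groups), zero the remaining 80 bits (5 groups)
    return [...groups.slice(0, 3), "0", "0", "0", "0", "0"].join(":");
  }
  const octets = ip.split(".");
  if (octets.length !== 4 || !octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) {
    throw new Error("invalid IPv4 address: " + ip);
  }
  return octets.slice(0, 3).join(".") + ".0";
}
```

Note what the truncation does and does not buy you: `203.0.113.77` becomes `203.0.113.0`, which still identifies a /24 network (often a city or an ISP region), so the anonymized address is less identifying but not anonymous; that is why the page lists it alongside consent and opt-out rather than instead of them. The opt-out flag must be set before the gtag.js script runs, which is the reason `configureAnalytics` sets it first and only then decides whether to call `gtag`.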
(8) Process for Data Deletion Request
Set up a process/workflow/checklist of where to look and what to do in order to clear a person’s data from your system. If asked by someone for their data, you will have 30 days to comply.
(9) Signed Processor Agreements
“Data Controllers” (business/website owners) need to get signed “Processor Agreements” from any individual “Processors” (web developers, marketers, etc.) that they hire to process personal data (of EU citizens) and make sure that they are GDPR compliant (also, use GDPR compliant services for processing data—you don’t need signed agreements from GDPR compliant services that you use like MailChimp, etc.).
- Website owner is the “Data Controller”
- Web developer/agency or marketer that processes personal data is a “Processor”
- Subcontractor hired by web developer/agency is also a “Processor”
- If a subcontractor is paying their own taxes, you (the web developer/agency who hired them) should have them sign a “processor agreement” as well and make sure that they are GDPR compliant
- Processors must only process personal data with WRITTEN INSTRUCTIONS from Data Controllers
- Web agencies, etc., who hire subcontractors as processors need permission to hire them from the Data Controller
(10) Update Your Business Insurance Policy
Check with your business insurance provider to see if you need to make changes to your policy, especially if you are marketing to EU citizens or handle sensitive data (demographics, health related, etc. – we didn’t even touch on sensitive data!).
Summary
(Breathe…)
It is early—many companies are just getting their act together. Others (especially individuals, sole proprietors, etc.) have not even realized that this legislation affects them. Many services are scrambling to create tools to help us be compliant. New articles are coming out daily. A few months from now this process will probably be easier and more understood. Watch the news and follow a website like WP Tavern so that you hear about what is happening with the GDPR and other websites.
Try not to freak out :), but do your best to comply. Be trustworthy. Don’t misuse people’s data. Don’t collect data you don’t need. Ask for permission to market. Keep records and have a plan in place in case you need to provide or delete a user’s personal information. If you are trying to comply and are found to be non-compliant, most likely (if you are a small business) you will be asked to make corrections and given time to fix your processes (this is the unofficial opinion of Suzanne Dibble, lawyer in the UK and GDPR expert).
More Resources/References
Nice Video Overview:
- MeasureSchool: GDPR Compliance – The steps that I take to prepare https://www.youtube.com/watch?v=khr6sctQjRM
- Another video on GDPR by MeasureSchool: https://www.youtube.com/watch?v=nA9NgrvS8vg
General Articles:
- Forbes article for US Companies: https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/
- ICO Guide to GDPR (information rights authority in the U.K.)
Privacy Policies/Cookie Policies:
- NOTE: there are supposed to be new features coming out in the WordPress core that can help you in generating a GDPR compliant privacy policy
- WP Plugin that helps you create privacy policy and terms of service: https://wordpress.org/support/plugin/auto-terms-of-service-and-privacy-policy/
- Tool for auto-generating your privacy policy and cookie policy: https://www.iubenda.com/en/help/5428-gdpr-guide
More on Cookies:
- Testing your site for cookies: https://www.cookiebot.com/en/
- Information for users on how to turn off cookies in browsers: http://www.youronlinechoices.com/uk/your-ad-choices
WordPress Specific Articles:
- GDPR for WordPress (official roadmap from WP; Today’s WP Core update addresses GDPR compliance)
- This GDPR article from Kinsta is a great overview and easy to read. It also has many helpful links that are specific to particular plugins used on WordPress websites:
WordPress GDPR Plugins (many for Cookie Compliance):
- https://wordpress.org/plugins/wp-gdpr-core/
- https://wordpress.org/plugins/gdpr-framework/
- https://wordpress.org/plugins/eu-cookie-law/
- https://wordpress.org/plugins/gdpr-cookie-compliance/
- https://en-gb.wordpress.org/plugins/cookie-notice/
- https://www.wpupgrader.com/
GDPR Articles Concerning Companies/Services:
- GDPR compliant hosting list: https://www.thrivemate.com/2018-gdpr-compliant-website-host-list/
- Drupal article: https://events.drupal.org/nashville2018/sessions/think-your-website-gdpr-compliant-think-again
- Moodle News article: https://www.moodlenews.com/2018/moodle-complies-with-europes-gdpr-what-you-need-to-know/
- MailChimp (their new GDPR forms are not necessarily GDPR compliant – there are threads about it in Suzanne Dibble’s Facebook group)
- MailChimp/GDPR Group on Facebook: https://www.facebook.com/groups/MailChimpandGDPR/
- MailChimp help article: https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms
- Service that automates MailChimp Re-Opt-in if you’d rather pay someone to do it for you: MailChimp Reconsent Tool (230€) http://reconsent.co.uk/