Disclaimer: I am not a legal professional and this is not legal advice. I am a working website designer, who has been wading through the official literature, interpretations and general conversations, to piece together a common sense guide to navigating GDPR for small website owners.
For those who have heard of it, GDPR strikes fear into the hearts of business owners. There is no one-size-fits-all, copy and paste solution, and, while so many seem to be experts, no one wants to take responsibility.
For others, GDPR is just another annoying acronym that they know they should care about but don’t have the time to invest in (you really do need to care: this is a legal obligation and a step towards proper responsibility for personal data).
Hopefully, this post will shed some light and help everyday website owners understand what is coming on May 25th, 2018.
What is GDPR?
If you are asking this question, I recommend you head on over to the Irish Data Protection Commissioner’s specially created website – GDPR & You – it will give you a great overview of what it is and why it is needed.
Essentially, from May 25th onwards, every business owner will need to be much more aware of what data they hold, why and how long they hold it, and how to keep it safe. They will need to be able to provide access to that personal data to the individual who requests it, and have a process in place to report any data breaches.
There is a lot to GDPR. You will need to audit all of the data that your company holds – this includes data on staff, sales leads, past customers, clients and anyone who signs up for your newsletter list. You will then need to establish a lawful basis for holding and using each set of data and document it – see the ICO for the six lawful basis options under Article 6. Most small businesses will rely on three of them:
- Consent: the person has given you freely given, specific, informed and unambiguous consent to have their data used and stored by you – a clear affirmative action such as ticking an unticked box, not a pre-ticked box or silence, and granular enough that they can agree to the newsletter without agreeing to everything else. Keep a record of what they agreed to and when. This is the basis most newsletter systems, like Mailchimp, are built around. Read the full ICO guidance on Consent as a legal basis
- Contract: you are contracted to your client to provide a product or service, or they have asked you to do something as a first step towards a contract – eg: provide a quote. Read the full ICO guidance on Contract as a legal basis
- Legitimate Interests: the most flexible of the lawful bases – it applies where you have a genuine business, individual or wider societal interest in the processing, the processing is necessary for that purpose (there is no less intrusive way to achieve it), and that interest is not overridden by the individual’s own interests, rights and freedoms. You must carry out and record that three-part test before relying on it. Cold sales emails and calls are the usual example – you can argue that the service you provide will be of interest and benefit to that person and their business – but be careful: marketing emails to individuals are also governed by the separate ePrivacy rules (PECR in the UK), which generally require prior consent (or an existing-customer “soft opt-in”) regardless of your GDPR basis, so this argument is far stronger for business-to-business contact than for emailing consumers. Legitimate interests is not a fallback for when nothing else fits: if consent or contract is the honest description of why you hold the data, use that. Read the full ICO guidance on Legitimate Interests as a legal basis.
What do I need to do to be ready for Friday?
GDPR will be a learning curve for everyone – WordPress only released its privacy tools last week (in version 4.9.6), and I am sure there will be further updates. The important thing is not to panic – as long as you are not engaging in spammy marketing tactics and are making a genuine, documented effort to comply with the regulation, you will be fine.
A bit of common sense goes a long way here – the aim of this legislation is simply to give individuals the rights and tools to control their own personal data, instead of leaving them at the mercy of big data companies. However, its effects will be felt by all businesses, both large and small, who interact with the data of any individual person located in the EU. This is a good thing for all involved and, although it will cause some short term pain, we will all gain in the long term.
Here are some areas that you should concentrate on this week to begin to be prepared for the GDPR deadline:
1. Mailing Lists
Re-consent has been one of the more contentious issues in this debate. If the consent you originally collected does not meet the GDPR standard (for example, a pre-ticked box, or a list built up from business cards and enquiries), you need fresh consent, and anyone you send a re-consent email to who doesn’t reply must be removed from your list. If your existing consent already meets the standard, you do not need to ask again – just keep the record of it. Be careful who you send re-consent emails to: the UK ICO has fined companies for sending them to people who had previously opted out, because the email itself was unsolicited marketing. I choose to look at it in a positive light – only the people who really want to hear from us will be left on our list.
3. Website Security
A huge part of protecting data is making sure it is secure. When it comes to your website, this means making sure that the core files, plugins and themes are updated regularly – the bulk of real-world WordPress compromises exploit known, already-patched vulnerabilities in out-of-date plugins and themes, not clever new attacks. Take a backup before applying updates so that you can roll back. Delete plugins and themes you no longer use rather than just deactivating them, serve the whole site over HTTPS so that form submissions are encrypted in transit, and give every person who needs to log in their own account with a strong password and the lowest role that does the job. You can do this yourself or you can get a company to maintain your website for you. We wrote a post some time ago on why we recommend website maintenance contracts.
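If you have shell access to your host, the update routine above can be scripted so that it runs on a schedule and tells you when something is still behind. The following is an added example written for this post, not code from the original article or from WordPress itself. It assumes WP-CLI (https://wp-cli.org) is installed as `wp` and that the script is run from the site root; the plugin names and versions in the test data are made up. If your host only gives you the dashboard, the same updates are applied from Dashboard > Updates.

```shell
#!/bin/sh
# Added example (not from the original post): a WP-CLI maintenance routine
# for a self-hosted WordPress site. Assumes `wp` (https://wp-cli.org) is on
# PATH and that the script runs from the site root (or is given --path).

# report_pending reads the CSV that
#   wp plugin list --format=csv --fields=name,status,version,update
# prints on stdin and lists every plugin whose "update" column says
# "available". Exit status 0 means nothing is pending, 1 means at least one
# plugin is behind, so the function can drive a cron alert.
report_pending() {
    pending=$(awk -F, 'NR > 1 && $4 == "available" { print $1 " " $3 " (" $2 ")" }')
    if [ -n "$pending" ]; then
        printf 'plugins with updates available:\n%s\n' "$pending"
        return 1
    fi
    return 0
}

# run_maintenance takes a database backup, checks that the core files still
# match the WordPress.org release (a cheap tamper check: modified core files
# usually mean someone else got there first), applies core, plugin and theme
# updates, then reports anything still outstanding.
run_maintenance() {
    wp db export "db-backup-$(date +%Y%m%d).sql" || return 1
    wp core verify-checksums || {
        echo "core files differ from the release: investigate before updating" >&2
        return 1
    }
    wp core update && wp core update-db || return 1
    wp plugin update --all || return 1
    wp theme update --all || return 1
    wp plugin list --format=csv --fields=name,status,version,update | report_pending
}

# Only run the routine when invoked as `sh wp-maintenance.sh run`, so the
# file can also be sourced for its functions.
case "${1:-}" in
    run) run_maintenance ;;
esac
```

Put `sh wp-maintenance.sh run` in a weekly cron job that emails you its output; a non-zero exit either means an update could not be applied or that a plugin has stopped updating itself, and both deserve a look.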
Of course, just keeping your website secure is not enough – you will have data stored on your computer, in paper files and on hard drives. If this is an area you are worried about and, especially, if you are dealing with data from the “Special Categories” (Sensitive data), you should speak with a GDPR consultant and/or legal adviser.
4. Subject Access Requests
One of the areas of GDPR you might not be familiar with is the right of access. Data subjects need to be able to see the personal data that you hold on them, and a request for it is referred to as a subject access request (SAR). It can be made verbally or in writing and, regardless of the method, you must respond within one month (extendable by up to two further months for complex or numerous requests, provided you tell the person within the first month). You cannot charge a fee in the normal case; a reasonable fee is only allowed where a request is manifestly unfounded or excessive, or for further copies. Because a SAR hands over everything you hold on a person, check that the requester is who they say they are before you send anything – a request from a forged email address is an easy way for an attacker to pull someone’s data out of your business.
Thankfully, again, if you are using WordPress, it provides tools for this under Dashboard Menu > Tools > Export Personal Data (and, for erasure requests, Tools > Erase Personal Data). Both work by emailing the person a confirmation link, so the request is tied to the email address they used. This only covers data that WordPress core and plugins supporting the tools have registered (users, comments and so on), and not data you hold on the individual outside of your website, but it does take care of the difficult technical task of pulling the information out of your website’s database.
5. Data Breaches
Finally – as they say – s**t happens. If you have done everything in your power to reduce the data you hold and secure it as far as possible, and a breach still happens, you have 72 hours from becoming aware of it to report the breach to the relevant supervisory authority, unless the breach is unlikely to result in a risk to people’s rights and freedoms. “If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay”. Keep a record of every breach, including the ones you decide not to report, and of what you did about it. Again, I am going to reference the ICO for this guide to Personal Data Breaches. For Ireland, the breach will need to be reported to the Data Protection Commissioner within the same 72 hours.
If you have a legal consultant who is proficient in this area – lucky you – get their advice. For everyone else, read the GDPR & You guide, as well as the excellent UK ICO guide. Get to grips with the legislation but be wary of the hype. Another really great resource I have found is Suzanne Dibble’s Facebook Group – GDPR for Online Entrepreneurs (UK, US, CA, AU). She has a lot of free videos and content that has been very helpful. She also offers a GDPR pack for about £200, which we have not purchased, so we can’t comment on it.
While you may need to speak with your Website Designer / Developer about some of the technical aspects of this legislation, they cannot make you GDPR ready – it is a business wide issue, so you will need to take the time to understand the legislation and implement it for your business.
Mentioned Links & Recommended Reading:
- Irish Data Protection Commissioner’s GDPR & You
- UK Information Commissioner’s Office Guide to GDPR
- GDPR for Online Entrepreneurs (UK, US, CA, AU)
- Mailchimp’s Guide to Collecting Consent With GDPR Forms
- Attacat Free Cookie Audit Tool