Practical GDPR for website owners

Disclaimer:  I am not a legal professional and this is not legal advice.  I am a working website designer, who has been wading through the official literature, interpretations and general conversations, to piece together a common sense guide to navigating GDPR for small website owners.  

For those who have heard of it, GDPR strikes fear into the hearts of business owners.  There is no one-size-fits-all, copy and paste solution, and, while so many seem to be experts, no one wants to take responsibility.

For others, GDPR is just another annoying acronym that they know they should care about but just don’t have the time to invest in it (you really do need to care – this is a legal obligation and a progressive move towards responsibility for personal data ).

Hopefully, this post will shed some light and help make everyday website owners aware of what is coming on May 25th.

What is GDPR?

If you are asking this question, I recommend you head on over to the Irish Data Protection Commissioner’s specially created website – GDPR & You  – it will give you a great overview of what it is and why it is needed.

Essentially, from May 25th onwards, every business owner will need to be much more aware of what data they hold, why and how long they hold it, and how to keep it safe.  They will need to be able to provide access to that personal data to the individual who requests it, and have a process in place to report any data breaches.

There is a lot to GDPR. You will need to audit all of the data that your company holds – this includes that on staff, sales leads, past customers, clients and anyone who signs up for your newsletter list.  You will then need to establish a “Legal basis” for having this data and document it – see the ICO for more information on the Legal Basis options.  Generally, businesses will be relying on three of the legal basis:

  1. Consent:  If someone has given explicit, granular consent to have their data used and stored by you.  Generally, this is the basis for most newsletter software systems – like Mailchimp.  Read the full ICO guidance on Consent as a legal basis
  2. Contract:  If you are contracted to your client to provide a product or service or they have asked you do do something as a first step towards a contracted service – eg: provide a quote.  Read the full ICO guidance on Contact as a legal basis
  3. Legitimate Interests:  This is the broadest of all the legal basis options – essentially legitimate interest is where there could be a commercial, individual or broader societal benefit to the contact and there is no other less intrusive way to process the data.  An example of this would be cold sales emails and calls – you could argue that the service you provide will be of interest to that person and will be of benefit to them and their business.  If another method of legal basis for data processing is available, it should be used but, if not, this may apply.  Read the full ICO guidance on Legitimate Interests as a legal basis.

What do I need to do to be ready for Friday?

GDPR will be a learning curve for everyone – WordPress only just released their GDPR tools last week, and I am sure there will be further updates.  The important thing is not to panic – as long as you are not engaging in spammy marketing tactics and are making a genuine effort to comply with the regulations, you will be fine.

A bit of common sense goes a long way here – the aim of this legislation is simply to give individuals the rights and tools to control their own personal data, instead of leaving them at the mercy of big data companies.  However, its effects will be felt by all businesses, both large and small, who interact with the data of any individual person located in the EU. This is a good thing for all involved and, although it will cause some short term pain, we will all gain in the long term.

Here are some areas that you should concentrate on this week to begin to be prepared for the GDPR deadline:

1. Mailing Lists

You will need to review your mailing lists (eg: Mailchimp, ConvertKit, Mailerlite etc… ).  If everyone signed up by double opt-in and they all signed up for exactly what you are sending them (eg: “Sign up for our newsletter” and you only send them your newsletter), then you should be fine – just sent out an email with your new or updated privacy policy (See below).  If not, you will need to look at either dropping your subscribers or going for re-consent.  If you use Mailchimp – you can follow this guide to using their GDPR forms.

Re-consent has been one of the more contentious issues in this debate.  It is a hard decision to make, as anyone you send a re-consent email to who doesn’t reply, must be removed from your list.  I choose to look at it in a positive light – only the people who really want to hear from us will be left on our list.

2. Privacy Policy

Yes you need one and it needs to be in the footer of your website, so it is easy to access.  The good news is that, if your website was built using WordPress, they now have a Privacy Policy Generator.  Simply go to Dashboard Menu > Settings > Privacy and you can add or edit your new Privacy Policy.  It will not address every eventuality but it is a good starting point. It also takes the privacy information from the plugins you have installed, if possible (not all plugin developers are complying just yet).

You should use the WordPress privacy policy tool to get you started but you will also need to consider 3rd party software integrations, like Google Maps, YouTube, Google Fonts and countless other pieces of software that may be installed on your website and could be generating cookies or gathering data.  Google Analytics and Facebook Pixel are two popular examples of this.  We have decided to anonymize our Google Analytics tracking code and we do not use Remarketing with Google Pixel.  If you do, you might need to get advice from an advertising professional on how they are handling the legislation.

Other great resources are Privacy Policy Generator (we just trialled the free version) and also the free Attacat Cookie Audit Tool extension for Chrome, which enables you to see what cookies are running on your website and then generates a cookie policy.

Using these resources, you should be able to get your first Privacy Policy draft together – however, of course, we have to recommend that you should speak to a professional in relation to this, if possible.

One great thing about this legislation is that it has been deliberately asked that privacy policies are kept simple – no fancy, flowery legal jibber jabber, that is impossible for the every day folk to understand.  Don’t just copy and paste anyone else’s Privacy Policy – everyone’s business is different and you genuinely need to understand your own privacy policy, so engage with it and make it yours.

3. Website Security

A huge part of protecting data is making sure it is secure.  When it comes to your website, this means making sure that the core files, plugins and themes are updated regularly.  You can do this yourself or you can get a company to maintain your website for you.  We wrote a post some time ago on why we recommend website maintenance contracts.

Of course, just keeping your website secure is not enough – you will have data stored on your computer, in paper files and on hard drives.  If this is an area you are worried about and, especially, if you are dealing with data from the “Special Categories” (Sensitive data), you should speak with a GDPR consultant and/or legal adviser.

4.  Subject Access Requests

One of the areas of GDPR you might not be familiar with is the right of access.  Data subjects need to be able to access the personal data that you hold on them, and this is referred to as a subject access request.  It can be made verbally or in writing but, regardless of the method, you will be obligated to respond to any requests within a month and cannot charge any fee for dealing with the request.

Thankfully, again, if you are using WordPress, they have provided a tool to export personal data from Dashboard Menu > Tools > Export Personal Data & Erase Personal Data.  This may not cover data you have stored on this individual outside of your website, but it does take care of the difficult technical task of mining information from your website’s database.

5.  Data Breaches

Finally – as they say – s**t happens.  If you have done everything in your power to reduce the data you hold, secure it in so far as possible and a breach still happens, well then you have 72 hours to report the breach to the relevant supervisory authority.  “If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay”.  Again, I am going to reference the ICO for this guide to Personal Data Breaches.  For Ireland, the breach will need to be reported to the Data Protection Commissioner within 72 hours.

What now?

You will need to put a day aside this week to audit what data you keep under the new GDPR guidelines and to create your Privacy Policy.  Hopefully, access to GDPR practitioners will become more available as more people get a hang of the legislation, and we see it in practice but, for the moment, it seems that accessing reliable, consistent, specific advice is difficult.

If you have a legal consultant who is proficient in this area – lucky you – get their advice.  For everyone else, read the GDPR & You guide, as well as the excellent UK ICO’s guide.  Get to grips with the legislation but be wary of the hype.  Another really great resource I have found is Suzanne Dibble’s Facebook Group –  GDPR for Online Entrepreneurs (UK, UK, CA, AU).  She has a lot of free videos and content that has been very helpful.  She also offers a GDPR pack for about £200, which we have not purchased, so we can’t comment on it.

While you may need to speak with your Website Designer / Developer about some of the technical aspects of this legislation, they cannot make you GDPR ready – it is a business wide issue, so you will need to take the time to understand the legislation and implement it for your business.

Mentioned Links & Recommended Reading: