GDPR – Are you ready?

Disclaimer: Any advice in this article is intended for general information purposes. We are not lawyers and it does not constitute legal advice!

Time’s ticking: there’s now only a week left until the GDPR deadline. If you’ve left things a little late, we’re going to share some of the tools we used to get ourselves prepared for the new GDPR changes.


What is GDPR?

Before we dive right in, just in case you don’t already know, we’ll explain a little about GDPR. GDPR (General Data Protection Regulation) aims to give EU citizens more control over how their personal data is used and to make organisations change their approach to how they handle this data. Companies will have to be more transparent about what kind of data they are collecting, how they intend to use it and how long they will keep it for. The user who is providing the data (the data subject) will also have greater powers to request what personal information a company holds on them, as well as being able to ask a company to correct it if it’s wrong. Your users will also be able to request that a company deletes the personal data it holds if they no longer want it to be used. There’s much more to GDPR, but it’s out of scope for this very brief overview.

Where to begin?

Don’t just rush into this blind; there’s a bit of groundwork to be done before you can start using some of these tools. Firstly, you need to audit what data you’re collecting and what is being done with it. This was probably the most time-consuming part of the process for us, as you suddenly start to realise all the different ways in which you’re collecting different data. We used Cookiebot to audit our site to see which cookies were collecting data. Next we investigated whether any of our plugins were collecting data and how they use it; fortunately many of them had already released information about GDPR and how their plugins collect and use data.

Audit done, now what?

Okay, so you’ve completed your data audits and you’re now ready to start getting your site ready. We found a great plugin called the GDPR Framework. While this plugin comes with a disclaimer saying it won’t guarantee your site will be 100% GDPR compliant, it’s been written in partnership with a large legal firm in Europe, so we felt it should be solid enough. There’s a handy setup wizard that asks you to input basic company information and the regulatory body for your country (in the UK it’s the ICO), and it will start to piece together a privacy policy for you. There will still be parts for you to go through and complete, but it’s certainly a great start.

As well as drafting your privacy policy, it will create a privacy tools page for you. This page can be used by your data subjects to request what data you currently hold on them. To complete a SAR (Subject Access Request), the data subject enters the email address associated with your site, and any data connected to that email will be available for them to download. There are various settings for notifications about these requests; we chose to be notified whenever one is made.

Cookies

By now the majority of sites, when you first visit them, will have a banner or pop-up saying something like ‘By using our website, you accept our cookies…’. This is classed as implied consent, and when it comes to GDPR it doesn’t count any more. You have to gain valid, explicit consent from the user that they are happy to opt in, for example by selecting a check box or button. Basically, there has to be a way for the user to accept or refuse cookies, and there also has to be a way for the user to change their mind at a later date should they want to withdraw their consent.

To help manage our cookies we’ve used the GDPR cookie compliance plugin. This handy tool puts a customisable banner across the bottom of your site asking a user to consent to all the site’s cookies through an ‘Accept’ button. If the user doesn’t want to accept them all, there’s a link in the banner they can follow that opens a modal window (which you can brand) where they can toggle certain cookies on or off. Should the user change their mind at a later date, this same screen can be used to withdraw their consent.
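The explicit-consent mechanics described above, as an added example written for this page rather than code from the post or from the GDPR cookie compliance plugin: nothing in an optional category is written until the user actively opts in, a partial choice from the settings modal is honoured, the decision survives a later page load, and withdrawing consent removes the affected cookies again. The three categories, the `ConsentManager` class and the in-memory cookie jar standing in for `document.cookie` are all illustrative assumptions.

```javascript
// Added example (not from the post or the plugin it describes): an explicit-consent
// gate for cookies. Category names, cookie names and class names are assumptions.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";

// Constructed in-memory cookie jar so the example runs outside a browser. In a page,
// back these four methods with document.cookie instead.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.registry = new Map(); // cookie name -> category it belongs to
    this.consent = null;       // null = no decision recorded; implied consent does not count
    this.register(CONSENT_COOKIE, "necessary");
    this.load();
  }

  // Restore a previously recorded decision; a corrupt record counts as no decision.
  load() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return;
    try {
      const parsed = JSON.parse(raw);
      this.consent = Object.fromEntries(CATEGORIES.map((c) => [c, parsed[c] === true]));
    } catch {
      this.consent = null;
    }
  }

  register(name, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    this.registry.set(name, category);
  }

  hasDecided() { return this.consent !== null; }

  // Strictly necessary cookies need no consent; everything else needs an explicit "yes".
  isAllowed(category) {
    if (category === "necessary") return true;
    return this.consent !== null && this.consent[category] === true;
  }

  // Record a choice from the banner or modal. Anything not actively ticked is refused.
  record(choices) {
    this.consent = Object.fromEntries(
      CATEGORIES.map((c) => [c, c === "necessary" ? true : choices[c] === true]),
    );
    const persisted = { ...this.consent, recordedAt: new Date().toISOString() };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(persisted));
    this.purgeDisallowed();
  }

  acceptAll() { this.record(Object.fromEntries(CATEGORIES.map((c) => [c, true]))); }

  // "Change their mind at a later date": refuse every optional category.
  withdrawAll() { this.record({}); }

  // The only path by which the site writes a cookie; refused categories never reach the jar.
  setCookie(name, value) {
    const category = this.registry.get(name);
    if (category === undefined) throw new Error(`unregistered cookie ${name}`);
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Delete cookies whose category is no longer consented to.
  purgeDisallowed() {
    for (const name of this.jar.names()) {
      const category = this.registry.get(name);
      if (category !== undefined && !this.isAllowed(category)) this.jar.remove(name);
    }
  }
}

// One visit: no decision yet, analytics-only opt-in, a later page load, then withdrawal.
function runScenario() {
  const jar = new MemoryCookieJar();
  const setup = (cm) => {
    cm.register("session_id", "necessary");
    cm.register("_analytics_id", "analytics");
    cm.register("_ad_id", "marketing");
    return cm;
  };
  const first = setup(new ConsentManager(jar));
  const beforeDecision = {
    decided: first.hasDecided(),
    session: first.setCookie("session_id", "s1"),
    analytics: first.setCookie("_analytics_id", "a1"),
  };
  first.record({ analytics: true }); // user ticked analytics only in the modal
  const afterOptIn = {
    analytics: first.setCookie("_analytics_id", "a1"),
    marketing: first.setCookie("_ad_id", "m1"),
  };
  const second = setup(new ConsentManager(jar)); // simulates a later page load
  const persisted = second.isAllowed("analytics");
  second.withdrawAll();
  const afterWithdraw = { analytics: jar.get("_analytics_id"), session: jar.get("session_id") };
  return { beforeDecision, afterOptIn, persisted, afterWithdraw };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The design point is that `setCookie` is the only write path and it consults the recorded decision on every call, so a refused or not-yet-decided category simply cannot be written, and `record` purges what a withdrawal no longer covers rather than leaving the old cookies in place.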

Data policies

We’ve never collected a large amount of data on our users, but during our audits we found that there was data we collected that we probably didn’t actually need. An example would be our contact form, which logged all the messages we received as a backup. As we’ve never actually had to refer to these stored messages, we felt this was storing data we didn’t need. The practice of storing only the data you actually need will not only benefit you during the auditing and compliance stage, but should the worst happen and a data breach occur, there’s less data to leak!

Wrapping things up

GDPR is certainly a bit of a minefield; arguably it’s causing some of the most drastic changes to data protection in the last 20 years. We hope this article and the tools outlined in it help you on the path to getting your site compliant.

Like we said at the start, we’re not lawyers; everything in this article is intended as (hopefully helpful) general information and doesn’t constitute legal advice.