GDPR Compliance

Ah… what a dry subject! The EU decided to create some laws which are fantastic for future privacy protection but have put us website owners and small-time bloggers in a flap about being arrested or fined a gazillion Euros. Here's what I did to this website for GDPR compliance (obviously I can only hope it is compliant as I'm not a lawyer and though I did a ton of reading I didn't read every. single. word)!

This blog post is intended for other small website and blog owners and is not intended for general interest. It’s pretty hard to make this stuff interesting!

GDPR = General Data Protection Regulation, implemented 25 May 2018

I created a terms page

I should have had this in place already really, but I created a terms of service, privacy policy and cookie policy page all rolled into one. I placed a link in my footer and a link in every form introduction paragraph. Specifically for GDPR I made sure the following issues were covered:

  • How collected data is stored
  • If/how data is moved or shared
  • How collected data is used
  • How the user can access and view the data stored about them
  • How a user can be ‘purged’ from stored data i.e. the ‘right to be forgotten’
  • Actions in the event of a security breach or system failure

I ‘introduced’ my sign up forms

Each form now has an introductory paragraph to make it crystal clear what the person is doing when they submit the form. I don't have a 'contact me' form on this website, but if I did I'd have to have an introductory paragraph there too.

The copy must make it so that:

  • there is explicit consent from the user before data collection takes place
  • this is in plain English and not buried in amongst other text
  • the ‘consent’ is not pre-selected i.e. a checkbox that already has a tick in it
  • the user is informed of the policies that you use to hold and manage their data and how they can exercise their rights – note this can be (and usually is) via a linked privacy policy page.

My paragraph reads like this:

This form collects your name, email and sign up location so that I can add you to my newsletter list for (hopefully awesome) updates. Check out my Terms of Service & Privacy Policy for full details on how I protect and manage your submitted data.

and my explicit consent form contains a check box with the following wording:

I have read, understood and agree to the Terms of Service & Privacy Policy

I wrote the terms page in plain English

I wrote each section of the terms page in as simple language as I could. I’m quite proud of how I organised it so that it doesn’t look like a plain boring Terms and Conditions page! If you’ve read this far it’s worth taking a peek.

I considered whether I needed to ask my current subscribers for permission again

You've probably had loads of emails asking you to re-sign up for mailing lists. That's because if your consent wasn't 100% explicit, and/or if the company can't say exactly when and where you explicitly signed up, then they're holding your data illegally. I know that all my mailing list subscribers knew they were signing up to an email mailing list and I have the data for when and where they did – so I had no reason to annoy them with another email!
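The points above (an explicit, not pre-ticked consent box; being able to say exactly when and where someone signed up; and the access and purge promises in the terms page) translate into a small piece of server-side logic. The following is an added example, not code from the original post or from any plugin the post mentions. Field names (`name`, `email`, `signup_location`, `consent`), the checkbox value `yes` and the policy version string are assumptions.

```javascript
// Added example, not the original post's code: a sign-up handler that stores a
// subscriber only when the consent box was actively ticked, and keeps the
// "when and where" of that consent so it can be shown later. It also covers the
// access and purge ("right to be forgotten") promises a terms page makes.
// Field names, the consent value and the policy version are assumptions.

const POLICY_VERSION = '2018-05-25'; // assumed revision of the terms page
const CONSENT_TEXT =
  'I have read, understood and agree to the Terms of Service & Privacy Policy';

// `body` is the parsed form submission as a plain object. Browsers omit an
// unchecked checkbox from the submission entirely, so only the value the box
// carries when ticked (assumed: value="yes") counts as consent. A box ticked
// by default would defeat this check, so the markup must leave it unchecked.
function processSignup(body, now = new Date()) {
  const name = String(body.name || '').trim();
  const email = String(body.email || '').trim().toLowerCase();
  const source = String(body.signup_location || '').trim(); // which form / page
  if (!name || !email) return { ok: false, error: 'name and email are required' };
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return { ok: false, error: 'invalid email' };
  if (body.consent !== 'yes') return { ok: false, error: 'explicit consent is required' };
  return {
    ok: true,
    record: {
      name,
      email,
      consent: {
        given: true,
        at: now.toISOString(),         // when
        source: source || 'unknown',   // where
        policyVersion: POLICY_VERSION, // which wording they agreed to
        text: CONSENT_TEXT,
      },
    },
  };
}

// Subject access: everything held about one address, or null if nothing is.
function exportSubscriber(list, email) {
  const key = email.trim().toLowerCase();
  return list.find((r) => r.email === key) || null;
}

// Right to be forgotten: drop every entry for the address. Returns the new
// list and the number purged; the input list is left untouched so the caller
// can write the result back in one step.
function purgeSubscriber(list, email) {
  const key = email.trim().toLowerCase();
  const kept = list.filter((r) => r.email !== key);
  return { list: kept, purged: list.length - kept.length };
}

// Constructed sample submissions (not real data).
const SAMPLE_FORM_OK = { name: 'Ada', email: 'ada@example.com', signup_location: 'footer', consent: 'yes' };
const SAMPLE_FORM_NO_CONSENT = { name: 'Ada', email: 'ada@example.com', signup_location: 'footer' };

// Walk one submission through store, export and purge.
function demo() {
  const list = [];
  const accepted = processSignup(SAMPLE_FORM_OK, new Date('2018-05-25T10:00:00Z'));
  if (accepted.ok) list.push(accepted.record);
  const rejected = processSignup(SAMPLE_FORM_NO_CONSENT);
  const exported = exportSubscriber(list, 'Ada@Example.com');
  const after = purgeSubscriber(list, 'ada@example.com');
  return { stored: list.length, rejected: !rejected.ok, exported, remaining: after.list.length, purged: after.purged };
}
```

The consent record keeps the exact wording and policy version the subscriber agreed to, which is what lets you answer "when and where did they sign up, and to what?" without a re-permission email. Note that a browser's default checkbox value is `on`, so the form markup must set `value="yes"` (or the handler must be changed to match) for the check to pass.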

I reviewed the rest of my site’s privacy issues

Whilst I was at it, I reviewed how my site was handling cookies. In May 2011 the EU gave a directive that individuals had the right to refuse cookies that reduce their online privacy. Non-compliance with the law can risk a fine from the Information Commissioner’s Office. To comply with this law you have to:

  • Do a cookie ‘audit’ to see what cookies your site uses. You might be surprised at how many there are! You can see cookies and info on them quite easily by using the Chrome browser.
  • Tell visitors how you use cookies (i.e. in a cookie policy section in your terms page)
  • Obtain consent from each visitor before using cookies. For consent to be valid, it must be “informed, specific, freely given and must constitute a real indication of the individual’s wishes”.

I hate all obtrusive popups and also dislike the cookie consent sections at the top of websites, but to comply with the law I think it's fairly clear that the cookie consent must be visible straight away within the first loading of the site – i.e. within the borders of the browser window. I installed a plugin (GDPR Cookie Consent) that brings the consent section in at the bottom of the page relatively elegantly. A user can refuse cookies (by exiting the site) or accept them to get rid of the banner. They can also click through to the terms page where there is a special link which can remove the cookie if they accidentally clicked accept (or if they've changed their mind).
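The behaviour just described (banner until consent, a cookie written on accept, a link on the terms page that removes it again) is simple enough to show in full. The following is an added example and is not the plugin's code or anything from the original post; the consent cookie name, its lifetime, the element ids and the script paths are all assumptions.

```javascript
// Added example, not the plugin's code or the original post's: a minimal
// cookie-consent helper of the kind the banner described above needs. The
// consent cookie name, its lifetime, the element ids and the script paths are
// assumptions. The pure functions take a raw Cookie-header string so they run
// outside a browser; the DOM wiring at the bottom runs only when `document` exists.

const CONSENT_COOKIE = 'cookie_consent';    // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365; // assumed lifetime: one year
// Non-essential scripts that must wait for consent (assumed paths).
const NON_ESSENTIAL_SCRIPTS = ['/assets/analytics.js'];

// decodeURIComponent throws on a stray '%'; fall back to the raw value.
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

// Parse "a=1; b=2" into { a: '1', b: '2' }; malformed pairs are skipped.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent counts only when the cookie holds the value the Accept button
// writes. A missing cookie or any other value means "no consent", so a
// visitor who has never seen the banner gets no non-essential cookies.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'accepted';
}

// Value assigned to document.cookie when the visitor clicks Accept.
// `Secure` assumes the site is served over HTTPS.
function acceptCookieValue() {
  return `${CONSENT_COOKIE}=accepted; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Value assigned by the "changed my mind" link on the terms page:
// Max-Age=0 makes the browser delete the consent cookie at once.
function withdrawCookieValue() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Decide, from the cookie string alone, whether tracking may be loaded.
function shouldLoadNonEssential(cookieString) {
  return hasConsent(cookieString);
}

// Inject the consent-gated scripts (browser only), once each.
function loadNonEssentialScripts() {
  for (const src of NON_ESSENTIAL_SCRIPTS) {
    if (document.querySelector(`script[src="${src}"]`)) continue; // already loaded
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
}

// Browser wiring: banner stays visible until consent exists; Accept writes
// the cookie and loads the scripts; the terms-page link withdraws consent.
if (typeof document !== 'undefined') {
  const banner = document.getElementById('cookie-banner');
  if (shouldLoadNonEssential(document.cookie)) {
    loadNonEssentialScripts();
  } else if (banner) {
    banner.hidden = false;
  }
  const acceptBtn = document.getElementById('cookie-accept');
  if (acceptBtn) {
    acceptBtn.addEventListener('click', () => {
      document.cookie = acceptCookieValue();
      if (banner) banner.hidden = true;
      loadNonEssentialScripts();
    });
  }
  const withdrawLink = document.getElementById('cookie-withdraw');
  if (withdrawLink) {
    withdrawLink.addEventListener('click', (event) => {
      event.preventDefault();
      document.cookie = withdrawCookieValue();
      if (banner) banner.hidden = false;
    });
  }
}
```

The important design choice is that the third-party scripts are never on the page until the consent cookie says `accepted`; a banner that merely informs while the scripts already run is not consent. Withdrawing only removes the consent cookie, so any cookies the third-party scripts set while consent was in force remain until they expire or are cleared; the withdrawal takes full effect on the next page load, when the scripts are no longer injected.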

Finally, I listed the cookies used as per the guidelines directed by the EU. There's a really good chance that the cookies my site uses are exempt from these laws, as many cookies are, but frankly the jargon is so complicated and I don't understand the 3rd party cookies well enough. Why run the risk?!

One more thing…

If you're looking at the way I've written my form paragraphs and terms page, it's worth bearing in mind that you'll need to go into a bit more detail if you have a simple contact form on your site. This is because you're likely to be storing personal details yourself when someone contacts you. Whether that's just in your email program or because you note business or blog contact details in another system somewhere, you'll need to write that up in your terms page, because people have the right to know where their data is stored.


Kim Debling is a Hampshire, UK based designer and Director of her own company Kestrel Design Ltd. She is mum to Rose and Harvey and wife to her best friend Steve.  She’s fighting off Stage 4 Lymphoma and sharing her story along the way, mainly via YouTube. Kim is passionate about being happy, mental wellbeing and in particular art and creative pursuits as therapy during tough times. She teaches online at Udemy, has published books and has art and printables available for sale.

GDPR Compliance was last modified: July 21st, 2018 by Kim Debling