GDPR – or the General Data Protection Regulation – has been a hot topic for a while. We’ve been a little quiet on the subject, researching and planning what is involved and what it means for you, the site owner. GDPR is complex as it relates to users and orders as well as the other ways user data is commonly collected on a website.
The issue itself is very complex, as it’s all about how organisations deal with data about employees, customers and so much more. We are just concerned with how it impacts your website and your website users.
For your website, it’s all about:
  • Telling the user who you are, why you collect their data, for how long and who receives it.
  • Getting a clear consent (when required) before collecting any data.
  • Letting users access their data, and take it with them.
  • Allowing users to delete their data.
  • Letting users know if data breaches occur.
For online retailers, GDPR is a big deal as it impacts all business-to-individual communications and record keeping. It doesn’t have as large an impact on B2B.

WHAT CAN WE DO AT DESIGN BOX MEDIA?

We’d like to be able to install a plugin and call it done, but unfortunately, it’s really not that simple.

Here are 7 things we can help you with:

  • Cookie notices and GDPR
  • Security audit plugin
  • Changing the text of your privacy policy
  • Changing forms to remove automatic opt-ins
  • The right to be forgotten
  • Where personal data is stored on your site
  • Hosting

If you would like us to update the above, we can do so for a one-off fee of £99 (if you are on one of our website care plans, this is included at no extra charge).

1. COOKIE NOTICES AND GDPR

In May 2012, the EU Cookie Law came into effect. Lots of people panicked and added cookie notices in order to comply, though at the 11th hour the Information Commissioner said that continued use of a site implied consent to the use of cookies, and that this was okay for anyone who didn’t use re-targeting ads – e.g. view the site, go to another site and see an ad there (Facebook, Google Ad Network, etc.).

With GDPR, that’s all coming back and consent is required. Some are going overboard and listing all their cookies in a pop-up. We don’t think that’s necessary, but cookies should be listed in a privacy policy, and a notice linking to the privacy policy should be shown on the first visit to the site.

We can add a plugin for you that points people to your privacy policy. The plugin has an element that lets users refuse third-party non-functional cookies – e.g. Google Analytics – but it needs some code added to work. We can do that for you, so do let us know. This work is part of your care plan with us.
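The consent-gated behaviour described above (a notice shown once, linking to the privacy policy, with third-party non-functional scripts such as Google Analytics held back until the user explicitly accepts) as an added JavaScript example. This is not Design Box Media’s plugin or code; the cookie name `cookie_consent`, the `/privacy-policy/` link and the placeholder analytics URL are assumptions.

```javascript
// Added example, not the plugin's own code. Assumed names: the consent
// cookie "cookie_consent", the privacy policy path and the analytics URL.
const CONSENT_COOKIE = 'cookie_consent';                        // assumed
const ANALYTICS_SRC = 'https://example.invalid/analytics.js';   // placeholder

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Consent is 'accepted', 'refused' or 'unknown'. Only an explicit 'accepted'
// counts: a missing or malformed cookie is NOT consent (the old "continued
// use implies consent" reading no longer applies).
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === 'accepted' || v === 'refused' ? v : 'unknown';
}

function shouldLoadNonFunctional(cookieString) {
  return consentState(cookieString) === 'accepted';
}

// Cookie value recording the decision: bounded lifetime, SameSite=Lax and
// Secure so the flag is only sent over HTTPS.
function buildConsentCookie(decision, maxAgeDays = 180) {
  if (decision !== 'accepted' && decision !== 'refused') {
    throw new Error('decision must be "accepted" or "refused"');
  }
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Inject the analytics tag once; functional (first-party) cookies are untouched.
function loadAnalytics(doc) {
  if (doc.getElementById('analytics-tag')) return;
  const s = doc.createElement('script');
  s.id = 'analytics-tag';
  s.src = ANALYTICS_SRC;
  s.async = true;
  doc.head.appendChild(s);
}

// Browser entry point: load analytics only after 'accepted'; show the notice
// only when no decision has been recorded yet. Returns what it did, so the
// logic can be checked outside a browser.
function installConsentGate(doc) {
  if (!doc) return 'no-document';
  const state = consentState(doc.cookie);
  if (state === 'accepted') { loadAnalytics(doc); return 'loaded'; }
  if (state === 'refused') return 'refused';

  const banner = doc.createElement('div');
  banner.id = 'cookie-notice';
  banner.innerHTML =
    'We use cookies. See our <a href="/privacy-policy/">privacy policy</a>. ' +
    '<button data-choice="accepted">Accept</button> ' +
    '<button data-choice="refused">Refuse non-essential</button>';
  banner.addEventListener('click', (ev) => {
    const choice = ev.target.getAttribute && ev.target.getAttribute('data-choice');
    if (!choice) return;
    doc.cookie = buildConsentCookie(choice);
    banner.remove();
    if (choice === 'accepted') loadAnalytics(doc);
  });
  (doc.body || doc.documentElement).appendChild(banner);
  return 'notice-shown';
}

// Run automatically in a browser; harmless under Node where there is no DOM.
if (typeof document !== 'undefined') installConsentGate(document);
```

The important design choice is the default: with no cookie at all, `shouldLoadNonFunctional` returns `false`, so a first-time visitor never receives the third-party script before choosing. Refusal is also stored, so the notice is not shown again on every page load.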

2. SECURITY AUDIT PLUGIN

We’ll run a security audit of the cookies in use on your site so you can list these in your privacy policy. Note that if you see a new plugin appear in the plugin directory – if you happen to look – that will be because we’re running that audit.

3. CHANGING THE TEXT OF YOUR PRIVACY POLICY OR TERMS & CONDITIONS

If you have new policies or terms from your legal adviser or your own Data Protection Officer, send them to us and we’ll add them to your site. What we can’t do – as indicated below – is re-write your policy for you, as 1) we don’t know all of your business and 2) we’re not lawyers.

4. CHANGING FORMS TO REMOVE AUTOMATIC OPT-INS

We’re working our way through client forms to remove automatic opt-ins to mailing lists. Please bear with us as we do this. If you have a GDPR audit coming up and you need this done sooner – do submit a support email and we’ll implement it ASAP.

5. IMPLEMENTING THE RIGHT TO BE FORGOTTEN

We’ll contact you about this separately after we’ve done a security audit of your site. This is particularly relevant to anyone who has registered as a user on your site or left a comment, but not purchased anything.

6. FINDING WHERE PERSONAL DATA IS STORED ON YOUR SITE

We’ll help you with where data is stored and how it’s stored.
  • Form entries are held at Forms > Entries – then choose the form from the drop-down at the top left.
  • Customers are held at Users – then click on the Customer link to see all customers.

7. HOSTING COMPLIANCE

We will be confirming GDPR compliance with our data centre providers. All our hosting is in the UK and all backup processes run in the UK too. We will finalise our contract as data processors and get that to you to sign before the May 25 deadline for GDPR compliance.

IMPLEMENTING GDPR BEST PRACTICE

In the UK, the implementation of GDPR comes from the Information Commissioner’s Office, so that’s the first place to turn.
Note that you’ll also need to consult with your lawyer on GDPR-related cookie policies and how you may need to change what you currently show on the site, though the information from the Information Commissioner’s Office is very useful.
You can see what they say about privacy policies and how to implement changes to privacy notices.
You may be obliged to register as a data controller with the ICO. We have registered, as we take data protection seriously.

WHAT WE CAN'T DO

  • General business compliance
  • Re-writing your privacy policy
  • Handling user data requests
  • Auditing third party providers
  • Sourcing and replacing plugins that don't comply

WE CAN'T MAKE YOU GDPR COMPLIANT

We don’t take responsibility for making your website GDPR compliant. However, we can point you to some of the best information we’ve found. Each company or organisation is responsible for appointing a Data Protection Officer and for ensuring that they are compliant with their obligations under GDPR law. We’ve found that the information provided by Suzanne Dibble on GDPR is excellent. She’s a lawyer currently specialising in GDPR and gives advice on more than just website issues. She has a free GDPR checklist available, with video explanations on a wide variety of GDPR-related business issues.

Privacy Policy changes

As we’re a Data Processor, rather than a Data Controller, you are responsible for your own GDPR compliance. You will therefore need to consult with your legal adviser or appointed Data Protection Officer. From there you can provide us with changes to your privacy policy – or a whole new one.
As well as the ICO’s guidance (see above), here’s a useful outline for re-writing your privacy policy.
Dealing with requests for user data

Your site has two key methods of retaining user data: through forms (the Gravity Forms plugin) and through the shop (WooCommerce). Under GDPR, users have a right to:
  • Ask for the information you keep on them (including on your website).
  • Request deletion of that information.
We had been looking at plugins that will allow for the request of data, but we’re told by WooCommerce (see link below) that there’s something coming for that.
Third party providers

Dealing with requests for user data, deleting user data, changing settings for individuals and anything to do with what data is stored isn’t part of the care plan. While we help to integrate with services such as Mailchimp, Zapier, Metorik or other data processors, you would need to check with them as to their GDPR policies and how they handle data for your site users.

Core and non-core plugins

We are assured that WordPress, WooCommerce and NinjaForms have ways to be compliant, so we’re confident that these are robust systems. We will always seek to update core plugins for you.
WooCommerce, owned by the parent company of WordPress, is addressing this in the core of WordPress rather than as an add-on to WooCommerce. GDPR is a big deal for them and you can read about how they’re approaching it.
Most plugins don’t retain user data as they exist to help WordPress or WooCommerce to do certain functions.
In the audit, we’ll see what plugins may be an issue, but under the care plan, we can only disable any plugins that may not satisfy GDPR.
We can research a new plugin that would be compliant, but it wouldn’t fall under the care plan as the plan was set up prior to changes in plugins to make them compliant.

Any additional development work to make you compliant also isn’t included. New work to meet any compliance would need to be quoted for. If you find a plugin that you want to use to assist in GDPR compliance, you will need to purchase it and pass it to us to be installed. We don’t expect this to be likely, but want to let you know in advance.

QUESTIONS ABOUT GDPR

We’re sure you’ll have lots of questions and we’re available to answer what we can. Do consult with your lawyer on what they advise you to do.
Taken all in one go, GDPR is a bit scary.
The advice we’ve been given is to take it as a process that starts now and continues on after May 25th.
Starting with a plan means you can show that you’re working on compliance and not ignoring it.

Give us a call or email us so we can work together.

EXISTING CLIENTS ARE OUR NUMBER ONE PRIORITY

Please note: This service will be offered to website care plan clients first. If you are not on a care plan, we can schedule you in the coming weeks. Should your website be on Business Catalyst, I’m afraid we cannot support it for this at this stage.