The Impact of GDPR On Your Website

Lee Matthew Jackson

April 22, 2018

What is the impact of GDPR on your website and what should you be doing about it?

This episode serves to educate as well as to help you build a framework for tackling compliance with your website.

Original article here: https://trailblazer.fm/gdpr-for-websites/

Transcript

Note: This transcript was auto generated. As our team is small, we have done our best to correct any errors. If you spot any issues, we’d sure appreciate it if you let us know and we can resolve! Thank you for being a part of the community.

Lee Matthew Jackson:
Welcome to episode number 127 of the agency trailblazer podcast. So today, it is you and me, and we’re gonna be tackling a really big subject. That is GDPR. Specifically, GDPR for websites. The purpose of this episode is to serve as a way of educating you as well as helping you build a framework for tackling compliance with your website or with the websites that you build for other people. So before we carry on, I’m gonna have to throw in a disclaimer. I am not a legal expert. This episode is based on research that we have made as a business, and what we have understood through helping other companies action their GDPR strategies.

Lee Matthew Jackson:
You should undertake your own research to validate this information as it is for general information purposes only and does not constitute legal advice. Okay. So now we’re clear, and now we’ve got the awkwardness out of the way. What is GDPR? GDPR will replace the UK Data Protection Act of 1998, and it looks to provide better control over how businesses use and store people’s data. This includes covering areas such as consent, clear policies, security, and much more. Businesses found to be in breach of GDPR could be fined up to 4% of their global revenue. So that is a kicker. Now if you are not in the EU, then why on earth would you care and even listen to the rest of this episode? Well, article 3 of the GDPR says that if you collect any data on someone in an EU country, then your company is subject to the requirements of GDPR.

Lee Matthew Jackson:
Be sure to check out the notes for a brilliant Forbes article that unpacks this in more detail. Also, if you are offering services, be they web development, marketing, etcetera, to anyone inside of the EU, then they’re gonna be leaning on you to help them with their own GDPR compliance. So it’s pretty wise to be aware of and as educated as possible on this. If you have a SaaS product and it’s used by companies in the EU, you’ll need to ensure compliance as you could see the withdrawal of businesses from EU companies seeking a platform that does offer them GDPR compliance. GDPR is extremely high on people’s agenda. As the implementation date is looming, it’s the 25th May of 2018. So a lot of companies have left a lot to the last minute. And they are starting to panic.

Lee Matthew Jackson:
And they are finding everything quite overwhelming. So GDPR for websites. GDPR covers a wide range of data points. And you’ve likely heard the biggest worry being the collection of emails from lead captures and the traceability of consent for that data. In fact, many industries are just focusing on email collection, their email marketing, whilst the other essential areas are being forgotten. So other areas would include, but not limited to, your IT infrastructure, backup software you are using, third party software as a service tools, network and device security, as well as websites. GDPR has been established to help avoid the massive data breaches of the past. Thus, it goes much further than simple email consent or a cookie policy.

Lee Matthew Jackson:
Let’s do a deep dive or as Paul Lacey would like me to say, let’s unpack GDPR for websites. Firstly, let’s start with WordPress. If you are not using WordPress, do stay tuned for further website advice. And, of course, be sure to check out what your content management system is doing in order to assist you with GDPR compliance. Now WordPress themselves are taking GDPR very seriously and they’ve set up a GDPR compliance team. They are focused on several key areas which include functionality for site owners to create privacy policies for their websites, guidelines for plugins to be GDPR compliant, new admin tools to facilitate compliance, and documentation to educate people on privacy, and the new tools that they are making available. You can find more information about what WordPress are doing on the GDPR compliance tools in WordPress article which we have linked to in the notes. And be sure to keep an eye on the GDPR compliance tag on the wordpress.org website.

Lee Matthew Jackson:
As of this episode, the most recent conversation includes discussions on tools to export as well as tools to remove personal data and also documentation for developers, and, again, so much more. Let’s look at the core areas to consider for a website. These would be, but not limited to, data collection, consent for that data collection, as well as the awareness of what data you are collecting to that individual. Data retention, which includes the right of access or portability, the right to be forgotten, as well as the time period that you will be keeping that data for. And, finally, security. This is the secure processing and storage of the data as well as things like breach reporting. So let’s break down each a little further. So data collection.

Lee Matthew Jackson:
We collect data in a wide range of ways through our websites. So, for example, forms, calls to action, cookies, plugins, the ecommerce solution you have, surveys, and many more. It is therefore imperative that we provide clear information on what is being collected and ensure that we have the permission from the user to collect that data. If we are collecting information through cookies, then clear notification needs to be provided and a breakdown of what is being collected should be provided along with clear information on your privacy policies. Let’s unpack a couple of examples. The first one would be lead captures and other forms. So, for example, with your lead capture, you should be providing a clear opt in message with your lead capture form along with clear informational links to your privacy policy that gives information on what is being stored and how that data is being used. The same goes with other data through forms and other inputs.

Lee Matthew Jackson:
You need to be clear on how that data is being used, processed, and stored. Another example would be cookies. Cookies can collect personal identifiable information. I often refer to this as PII because it can be a tongue twister. It would seem reasonable to think that as long as the name of a person is not being collected that we’re good to go. However, let’s look at what recital 30 of the EU GDPR documentation says on the matter. That’s number 30. Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols such as Internet protocol addresses, so IP addresses, cookie identifiers, or other identifiers such as radio frequency identification tags.

Lee Matthew Jackson:
I would be impressed if you can get your website to do that. Now it’s important you understand what each cookie is doing and storing so that you can ascertain if it contains any PII, personal identifiable information, as well as provide clear information to the user, and/or remove or change the cookie if needed. For example, the Google Analytics cookie. This is gonna be pretty popular because I think most websites around the world are using Google Analytics to track what is going on with their website. Now, at its absolute basic setting, there is no identifiable information linking to that site visitor. However, you should ensure that you’re not passing any personal information via URLs as these are likely going to show up inside of Google Analytics. And if you are passing this sort of identifiable information in the URL, then you’re not really giving that information the due diligence that it deserves. If you’re not sure what I mean, if you’ve ever seen a URL that may contain a long series of characters at the end of it, within that, it could contain a first name, a last name, an email, maybe a date of birth, maybe other identifiable information. This information, if passed in that sort of way, can appear inside of Google Analytics.

Lee Matthew Jackson:
This is a way of identifying somebody. And, again, it’s not very secure. It’s not a nice, secure way of passing data around. Now further on from this, you do need to take a look at your Google Analytics configuration. Are you capturing identifiable information on, say, completion events, or are you using an ID from your website or an email address as an identifier for your reports? We’ve linked to a brilliant article by Edward from Little Data, and he provides information on Google Analytics compliance. So be sure to check that one out. Auditing. Now, we would recommend you engage in a full website audit.

Lee Matthew Jackson:
It’s essential for your business to understand how your website works and how it stores data. Then with this information, you can take the necessary compliance action and update your policies for full transparency. We are offering GDPR website audits to our clients and you can find more information on those via anglecrown.com/gdpraudit. Or, again, check out the show notes. Awareness. Now then, once you’ve established how your site works, what information is being gathered, and how, it is essential that you provide clear policies and reasonable opportunities for individuals to see and access those policies so that they can make informed decisions. These policies, this documentation, do need to be kept up to date. So if you introduce new code, new plugins, new third party services to your website, then your documentation needs to reflect this.

Lee Matthew Jackson:
With WordPress, there are some great plugins that will allow you to put a notification on the website as soon as people hit any page, and they can then opt in to having the relevant cookies that you have on your website to be triggered, as well as point them in the correct direction to go and review the relevant documentation. And we’ll be sure to link to a couple of those in the notes. Let’s move on to data retention. So data should be stored for no longer than is absolutely necessary. And it should be stored securely, and the information gathered should be relevant. It should serve only the purpose it is intended for. So on a side note, this could, of course, lead to better conversions on forms because it’s gonna force you to seriously consider what information you are asking for. Let’s look at the right of access and portability.

Lee Matthew Jackson:
People have the right to access personal and other information that you store on them. This gives them transparency as well as allows them to verify the lawfulness of the processing. There is a link in the notes that will unpack what that means. Now in standard cases, you cannot charge for access to this information. However, you will find more information on the right of access, again, in the notes in the data retention section underneath the right of access and portability. So go ahead and check those out. The ICO do a great job of unpacking all of this in much more detail. Now the data that you provide should be portable, allowing the individual to use that data for themselves and potentially import it into their own or other third party systems.

Lee Matthew Jackson:
Therefore, you need to be providing this in a machine readable format. So, for example, a good old CSV file. GDPR gives people the right to be forgotten. So people are given the right to be forgotten underneath article 17 of the GDPR. Now there are caveats to this. So you can’t tell your bank to delete your credit card balance, I’m afraid. However, and often, in the case of a website, information often does fall under this right to be forgotten. So, for example, but not limited to data used for marketing, data that required their initial consent for you to hold together, or data that you maybe have collected unlawfully, or data that is no longer necessary.

Lee Matthew Jackson:
So, again, we recommend further reading. We’ve linked in the notes to the ICO website, and that’ll help you get a further understanding of what is or what is not covered under this particular right. Now the time period of data retention. We’ve already alluded, just before, to data that is no longer necessary. Let’s unpack this further. GDPR does not set period limitations for retaining personal information. However, it does stipulate that it should not be kept beyond its required purpose or purposes. Data should be reviewed regularly, and any information deemed no longer relevant should be securely deleted or updated.

Lee Matthew Jackson:
So a good example would be form entries in Gravity Forms or whatever form processor that you use. If the information has served its purpose, then it may not be necessary to store that entry indefinitely. Now this could be through an internal policy that you adhere to on a regular basis, or this could be automated should there be clearly defined parameters on how long certain information is needed. Again, we’re gonna reference the ICO website. There is a link in this section which gives you much more information on this area. And then we have security. As a business storing personal information, it is essential that you do your due diligence with the data that you have on your systems. Let’s look at the secure processing and storage of data.

Lee Matthew Jackson:
So your website should adhere to industry standards for security. So this includes, but is not limited to, SSL secure connections, updated and maintained website code, updated server software, firewall protection, the correct file permission settings, password policies, encryption of data, audit logs, encrypted backups. I’m pretty sure any IT expert could give you a very long list of things that should be considered. Now in the world of WordPress, there are great plugins to help facilitate much of this as well as the backing of the WordPress team who are taking GDPR very seriously. Most reputable website hosts are also taking measures to help protect websites and to be GDPR compliant. So be sure to connect with your website host for more information on that. In short, with regards to the security of your website and infrastructure, this is something you absolutely should be getting the experts involved with. It’s not really something that people or businesses should be teaching themselves.

Lee Matthew Jackson:
So I highly recommend that you connect with either an IT professional or with your web development company, as well as the third party service providers such as your website hosts, etcetera. Now breach reporting. This is part of GDPR. And in the event of a data breach, GDPR requires that you inform the relevant supervisory authority within 72 hours of becoming aware of such a breach. Now there are some detailed guidelines on the ICO website that provide more information as to when you should inform people affected by the breach as well as providing you a clear checklist for preparing for and responding to a data breach. So be sure to check out that article. The ICO website is super clear, really good information with good checklists. So we really recommend you go ahead and check out those parts of the website particularly.

Lee Matthew Jackson:
Alright. Next steps. So whether you build websites or you’re looking to make your own website GDPR compliant, it is essential that you carefully review your website and take necessary action. Given the potential of a 4% fine of global revenue for a data breach, this is not something to take lightly. But government threats aside, however, it is a really good business practice to respect and to protect the information entrusted to us by our audience, by our clients, and our associates. Showing respect to their information helps build up trust in you and your brand, and it shows that you are a credible business who does their due diligence in order to protect those that you serve. Now if you’re feeling overwhelmed by everything, all these links off to the ICO website, etcetera, then we would recommend that you take things one step at a time. For example, you could break it down like so.

Lee Matthew Jackson:
First of all, make a list of what data is being captured and how, and whether it falls under PII, personal identifiable information. Then, document this as part of your privacy policy documentation. Again, in the notes, we’ve linked out to a company called SimplyDocs that provide you with GDPR ready templates that you could use. These are specifically for the UK, but there are a lot of tools out there if you run a search on the Internet that will assist you in creating the relevant documentation. So that’s your first step. You’ve made a list of what data is captured and how. You’ve identified what comes under PII, and then you’ve documented this in the relevant privacy policy documentation. This information you can then make clear on your website.

Lee Matthew Jackson:
You would then wanna make a list of any plugins or features that expose PII, personal identifiable information, that need to be rectified so you can connect with your developer or the plugin author to sort those weak spots out. Next step then would be on data retention. You could ensure you’ve created a plan to provide data upon request. That could be a manual process or that could be automated. You could build that in and the client could press a button to receive the information you have on them. You can ensure then you have a clear way to remove all of that information if the user requests, again, manual or automated. And then, finally, you can ensure that you can provide that data in a machine readable format which would be CSV. Now with most websites that are simply capturing form data and you don’t necessarily have a user account for that person, that’s gonna be pretty easy.

Lee Matthew Jackson:
Gravity Forms, Formidable Forms, and other form builders, either within WordPress or outside of WordPress, usually offer the ability to delete records against a user as well as export that data into a CSV file. And, also, note that WordPress is, as of now, still working on ways to allow you to provide other data exportable in a CSV format. So I’m really excited to see where that’s going in the future. Your final step then after all of this could be to review your site security. And, again, as we recommend, this is where you really need to get third parties involved. In fact, throughout this entire process, if you can afford to get a compliance officer involved who understands GDPR and can take you through the whole process, then we highly recommend you do that. Some businesses, I understand, can’t afford that, which is why it is important, therefore, that you educate yourself as much as possible. But for those businesses that do have the budget, and if you’re an agency that serves other businesses, then it would be worth you asking your client if they can put aside budget to get the relevant legal advice to get a compliance officer in to help you out because that will take so much more of the burden off.

Lee Matthew Jackson:
We do have a duty of care to our customers and those we interact with. So it’s essential we educate ourselves on the key parts of GDPR and we take that necessary action. In short, achieving GDPR compliance is about understanding what you have and putting in functionality or procedures in place to comply. I’ll say that again. Achieving GDPR compliance is about understanding what you have and putting in the functionality or procedures in place to comply. Doesn’t need to be rocket science. It doesn’t need to be costly. It just needs to be based on a sensible understanding of GDPR with reasonable actions to be taken or reasonable actions to be planned.

Lee Matthew Jackson:
So have you got questions on GDPR? This is a brilliant discussion. We have several places you can come and talk to us about it. First of all, the comments on this show, on the main show page, or on the blog post that we have, or alternatively inside of the Facebook community. You can find that on wpinnovator.com/group. So I hope you’ve enjoyed this episode. I can hardly call it entertaining, but at least I hope it was informative. This is a very serious subject and we’ve had a lot of people connecting with us both for help as an agency to help them with their GDPR compliance, but also we’ve had a lot of people in the community asking what our understanding of GDPR compliance is, and also what things they should be considering for their website. This is why we have written our mega blog, but also we recognize that our knowledge and our legal expertise is obviously very limited, which is why we’ve also ensured that we’ve backed everything up that we’ve written with links out to further information so that you can really get into the core of GDPR.

Lee Matthew Jackson:
Get a good understanding of what it means for you, for your website, for your business, and for the people that you serve. So in next week’s show, we’re gonna be interviewing my mate, whom I have known for donkey’s years now, Jason Vance. We had a fantastic time in that interview. And he shares his journey from pastor to web developer, to an exciting new business that’s really taken off for him in 2018. So, a brilliant episode that’s coming up in number 128. That’s 128 of the Agency Trailblazer Podcast. We will see you next week. This podcast is brought to you by the Agency Trailblazer community.

Lee Matthew Jackson:
Is agency life stressing you out? Then it is our mission to help you build an agency that you love. We’ve created a community which includes the agency reset roadmap that will allow you to get your agency back on the right track. We also have lots of noble, straight to the point, easy to consume workshops. We have a thriving community of other agency owners. And we all wrap up every month with a mastermind call with myself and sometimes a special guest where we unpack your questions. For more details, check out agencytrailblazer.com.