General Data Protection Regulation (GDPR)

adminCompliance, Website Update

GDPR

In our attempts to become GDPR compliant, we have undergone a small journey into the goings on behind the scenes at virtual precision, and more importantly, ensuring all our website data collection policies are up to scratch. We share our brief journey to help point you, the small business/sole trader in the right direction.

Disclaimer: Virtual Precision is NOT offering legal advise, but rather documenting our personal journey, in order to help you identify your process by giving you examples.

GDPR – Facts

  1. If you process large scale personal identifiable data (PID), then you will need to employ a Data Protection Officer (DPO), to ensure compliance with GDPR. (examples include patient data at doctors or hospitals)
  2. If you process small scale PID (such as Virtual Precision), then you can simply look into your website functionality to ensure all features are compliant.
  3. GDPR will apply to any business that processes data, and every business does.
  4. If you do one thing now, you will need to update your privacy policy… show transparency, and we will show you how.
  5. Individuals have rights on how their data is collected, stored and shared, and more importantly, they now have the right to be forgotten, so should be able to access their personal information and delete it in a transparent manner.
  6. If there is a serious breach of data (that impacts the rights of data subjects), this will have to be reported to your specific countries regulator ( Information Commissioner’s Office (ICO) in the UK). This will have to be ideally reported within 24 hours, but no later than 72 hours.
  7. Failure to comply will result in harsh penalties.

GDPR – the Small Business Checklist

1. Know your data

You will need to demonstrate an understanding of the types of personal data you hold, where you got it (past), where it is coming from (future), where you store it, how secure your storage is and what you do with the information collected (transparency).

Personal Identifiable Data consists of names, email, address, IP addresses, bank or card details, photos, and any special data such as ethnicity, religion, health details etc. (perhaps collected through surveys, job applications, medical history etc.)

Users should be able to view/download and erase their data, if they want to do so (be forgotten).

What did we do?

Make a list of processing partners 
  • Our hosting company hosts your website, so check they are GDPR compliant and try and find out what information they collect from visitors to your website and for what purpose.
  • If you use cpanel, then this will collect user / visitor information including IP addresses. You can find this information in AwStats.
  • MailChimp. We use mailchimp for our newsletter / mailing list data gathering. MailChimp have recently updated their pre-designed forms to add GDPR. So all you have to do it login to mailchimp, check your lists and associated forms, and update them to include GDPR.
  • Google Analytics collects IP addresses from site visitors but is not something you can access in the reporting interface. You will have to state this in your privacy policy and refer to Google’s GDPR / privacy policy.
  • web developer is a processing partner, so please ensure they are compliant. Virtual Precision does not have a web developer, rather we are our own web developer, so no information is shared here.
Make a list of Connected 3rd party plugins
  • Record why you use them, and ask yourself if they are necessary. You can easily find your list in your plugins page.
  • Don’t forget to include your wordpress theme and any theme add-on’s in this list.
  • Make a note of information collected. Once complete, re-think that information and ask yourself if you really need it all. If not, remove it. All you really need is perhaps a first name (to be polite) and an email address.
  • Don’t forget that if like most websites, you will need to included Google Analytics and Search Console in this list. Check their GDPR compliance also.

You can also read some useful information here, which can help you understand the analytics process, including how to anonimise ip tracking.

Make a list of Business Partners

If you have any business partners, you will need to state how you share data, which data, and why. Virtual Precision do not have any business partners and we do not share your data with anyone.

2. Focus on security measures and policies

Make a list of your security measures and policies. For example is your site encrypted (https). What other security measure do you have? List them, explain what they do and how they protect you, and ensure these features are compliant.

3. Create Fair Processing notices

Users must be informed under GDPR as to why you require their information, how long it will be stored and ensure they consent to same. Also make sure they have the option of deleting themselves at any time. With mailchimp, this is easy, as already described, but people who leave comments or sign up to your website might cause a little more complication. Ensure you have tracked and traced all information clearly and make sure you are compliant.

Privacy Policy

We are currently working on our privacy policy, which is a constant work in progress. There are some delays with plugins used as they are also currently working on their GDPR policy. Our privacy policy should be complete once this information is collected. You can view it here anytime.

GDPR Plugin

A highly recommended plugin that can help you get compliant quick and easily is The GDPR Framework by Codelight. You can find out more and download and implement this plugin for free.

I will be reviewing this plugin including a crash course in setting it up, hopefully in time for Friday’s GDPR deadline, but at least after I have fully implemented my privacy policy.

Please feel free to contact us should you need any help in the meantime.