Practical GDPR Advice for Web Agencies and Small Business

The European Union General Data Protection Regulation (GDPR) is an EU regulation that has applied since 25 May 2018 (it entered into force in May 2016, with a two-year transition period).

It makes major changes to privacy and data protection for every website that collects or retains data on visitors located in the EU, which is nearly every website on the Internet. All businesses, both within the EU and abroad, need to be aware of this law and how it affects them.

One of the biggest changes in the new regulation is the extended territorial scope of the GDPR: it applies to all organisations processing the personal data of individuals residing in the EU, regardless of the organisation’s location.

The GDPR gives supervisory authorities the power to impose fines of up to 20 million euro or 4% of annual global turnover, whichever is greater.

This article outlines some key concepts of the GDPR, how common web tools may be affected, and how we at Little Web Giants are responding to the legislation. This GDPR Guide is for informational purposes only. It is not legal advice. Please reach out to your legal counsel to receive tailored guidance on how the GDPR may impact your business. Little Web Giants will not be held liable for breaches of the GDPR that may occur due to following information provided in this article.

Contents

Key concepts

Roles under the GDPR

Legal basis of processing

Individual rights under the GDPR

Ensuring GDPR compliance

GDPR and commonly used tools

GDPR action list

Further resources

Data policy templates

Key concepts

Scope of the GDPR

The GDPR relates to the processing of personal data by organisations. Both personal data and data processing have broad definitions. This means that many commonly used online services, from embedded YouTube videos, to contact forms, to email marketing, are affected. The following explanations of data processing and personal data are taken from Stripe’s overview at https://stripe.com/guides/general-data-protection-regulation.

Personal data

Personal data include any information relating to an identified or identifiable individual. This is a very broad concept because it includes any information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data are not just a person’s name or email address. They can also encompass information such as financial information or even, in some cases, an IP address.

Moreover, certain categories of personal data are given a higher level of data protection because of their sensitive nature. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about a person’s sex life or sexual orientation, and criminal record information.

Data processing

Processing of personal data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.

Roles under the GDPR

The GDPR distinguishes three roles when it comes to handling data.

Data subject

The customer, user, or employee – anyone providing identifying personal data. These are the people whom the GDPR protects.

Data controller

The business or organisation that determines how and why personal data are processed, and that is responsible for the lawful and secure storage and use of the data.

Data processor

A separate organisation that processes personal data on the controller’s behalf and on its instructions, for example a web host, Google Analytics, Salesforce, or MailChimp. Staff within the controller’s own organisation, such as an internal accounts team, act as part of the controller rather than as processors, although the same access and retention rules should apply to them.

The distinction between data processors and data controllers is important because when an organisation obtains consent from a data subject to process their personal data, it must name specifically each data controller that it will share the data with, while it only needs to name the type of data processors. For example, PayPal is generally a data controller, while MailChimp is a data processor, so an organisation that uses both services would need consent to share data specifically with PayPal, and a separate consent to share data with an unspecified email delivery provider.  See https://iapp.org/news/a/the-working-party-guidance-on-consent-is-finally-here/.

Legal basis of processing

The next consideration is to determine whether or not a particular processing activity is GDPR-compliant. Under the GDPR, every data processing activity, performed as a controller or processor, needs to rely on a legal basis.

The GDPR recognises a total of six legal bases for processing EU individuals’ personal data (in the GDPR, EU individuals are referred to as “data subjects”). Those six legal bases, in the order of Art. 6 (1) (a) to (f) of the GDPR, are:

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. the processing is necessary for the compliance with a legal obligation to which the controller is subject;
  4. the processing is necessary to protect a vital interest of the data subject;
  5. the data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
  6. the processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal data protection.

The remainder of this article will deal extensively with the issue of consent. This is because the GDPR introduces major changes to how consent must be obtained from data subjects. However it is important to remember that consent is not the only legal basis of data processing. For example, if an organisation was asked to prepare a quote and needed to collect data in order to do so, then the legal basis of processing would be 2) above, and consent would not be necessary. Records of an online store that need to be kept for tax accounting purposes would fall under 3).

Consent is however the appropriate legal basis for data processing in the case of:

  • sending marketing emails;
  • adding a cookie to a user’s browser to track their behaviour;
  • embedding content from services such as YouTube, Facebook, or Google Maps, which perform their own user tracking; or
  • collecting data through a contact form.

There are many additional cases where consent may be required.

Consent must be gained for each specific data processing activity individually. Consent must also be active: It is not acceptable to have a pre-ticked checkbox or to display a banner explaining that continuing to browse the website indicates consent. If consent is not given it is not acceptable to block access to services that would otherwise be provided. A record of the date, time, and method of consent must be kept. It must be as easy to withdraw consent as it is to give it.

Individual rights under the GDPR

The GDPR defines key rights that all data subjects have and that organisations must comply with.

Communication

Use plain language. Tell users who you are when you request the data. Say why you are processing their data, how long they will be stored, and who receives them.

Consent

Get clear consent to process the data.

Access and portability

Let people access and edit their data and give it to another company.

Warnings

Inform people of a data breach without undue delay if it is likely to result in a high risk to them.

Erase

Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it does not compromise freedom of expression or the ability to research.

Marketing

Give people the right to opt out of direct marketing that uses their data.

Safeguarding sensitive data

Use extra safeguards for information on health, race, sexual orientation, religion, and political beliefs.

Data transfer outside the EU

Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.

Ensuring GDPR compliance

Business processes

Organisations should review what personal data they currently process and whether the current processing is in compliance with GDPR standards.

If necessary, new data policies should be developed that outline:

  • how personal data is collected, stored and used;
  • which staff members have access to which data;
  • the staff member(s) responsible for data protection policies;
  • the time span that personal data are retained;
  • how records of data processing are kept; and
  • actions to be taken in the event of a data breach.

Please note that organisations generally have only 72 hours after becoming aware of a data breach to notify the supervisory authority, so preparation is essential. Consider data stored in Excel files on staff computers and how that is managed, in addition to databases, CRMs, email marketing lists, or on websites.

In the case that personal data are held and used by the organisation where there is no clear record of consent, it is advised to seek consent, for example by sending a new opt-in email to a marketing list.

Working with third parties

Organisations should perform a thorough review of all third parties that they share personal data with, and make sure that the third parties are in compliance with the GDPR. This is particularly important if there is data transfer outside of the EU. A list of services commonly used by Little Web Giants, with a brief description of their GDPR implications, is included in this report.

GDPR and commonly used tools

Any website process that sends a request to a third party will include the user’s IP address. As the IP address is in some cases personal data, this means all third party services on a website, from social embeds to Google Fonts, come under the purview of the GDPR.

Web agency and web hosting

Little Web Giants

Unless we have a specific contract that states otherwise, Little Web Giants is a data processor for our clients, not a data controller. That means it is the client’s responsibility to obtain and record consent, and otherwise ensure compliance with the GDPR with respect to personal data collected or stored on websites hosted, developed or maintained by Little Web Giants. We are unable to provide legal counsel on the GDPR or any other legislation. This document is only an introductory guide and not formal legal advice.

WP Engine

We use WP Engine as our primary hosting provider. WP Engine has said it will comply with the requirements of the GDPR and is also certified under the EU-US and Swiss-US Privacy Shield frameworks, allowing for legal transfer of data outside of the EU. WP Engine acts as a data processor for the websites it hosts.

See more: https://wpengine.com/support/gdpr-compliance/

WordPress

WordPress 4.9.6

The WordPress core development team released version 4.9.6 in May 2018, which includes tools for website owners to comply with the GDPR. The new features include:

  • a privacy policy template;
  • user data export and delete tools;
  • tools to anonymise comments; and
  • the ability for users to opt-in to comment cookies.

See more: https://make.wordpress.org/core/2018/05/03/wordpress-4-9-6-beta/

Jetpack

Jetpack is a popular set of commonly used WordPress plugins. LWG often uses it to display related posts, however there are a number of other features including security, sharing, writing, design, and search engine tools. Jetpack also provides the Akismet spam filtering service for comments.

Jetpack syncs data to their servers, including comment information and registered user data. Consent to do this will need to be obtained from all users who create an account on a website where Jetpack is active, and from all comment authors.

LWG advises updating to version 6.0 or higher of Jetpack, which includes new privacy settings with a GDPR focus.

See more: https://jetpack.com/support/privacy/#gdpr

Gravatar

Gravatar is a service that fetches user images to show alongside their comments. An MD5 hash of each comment author’s email address is sent to this service; since such a hash is easily matched against a list of known addresses, it should be treated as personal data. LWG advises disabling this, otherwise consent must be obtained from comment authors.

Comments

WordPress requires comment authors to submit a name (can be a pseudonym) and an email address. Comment authors will need to consent to their email address being stored on the website indefinitely and being sent to a third party service (Akismet) for spam filtering.

The personal data of the comment author should be deleted on request. It is not clear if comments should be deleted or anonymised if they are a part of the public record.

User accounts

Websites that have user accounts will need clear terms of service that state what data are collected from users, how the data are used, who the data are shared with, and how long the data are stored.

Users must have the ability to access, edit, export, and delete their data. This can be an automated process or a manual process that can be triggered by contacting the business via contact form or email.

When deleting users:

  • A record of deleted user IDs should be kept. Deleted users should be re-deleted when restoring from a backup.
  • Only data that are processed on the legal basis of consent should be deleted. User data required for tax accounting or other purposes should be retained.
  • All third-party services should be notified, for example Salesforce or other CRM systems.
  • If there is a public-facing profile page for the user, it should now return a 404 or 410 status so that it will be de-indexed from Google search results.

Managing backups

Deleted users should be re-deleted when restoring an older database from a backup.
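The erasure procedure described in the two sections above (delete only consent-based data, keep a register of deleted user IDs, re-apply it after a backup restore, anonymise rather than delete comments) as a worked example. This is added example code for this guide, not WordPress or plugin code. Which fields are held on the basis of consent and which under a legal obligation is the controller’s decision; the split below, the ten-year retention period and the constructed sample records are assumptions.

```javascript
// Erasure with a tombstone register: consent-based data goes, legally required
// records stay, and the register is replayed after every backup restore so deleted
// users are not resurrected. Added example for this guide, not WordPress code.
// Which fields fall under consent and which under a legal obligation is the
// controller's decision; the split and the ten-year retention below are assumptions.

const RETENTION_YEARS = 10; // assumed statutory retention period for invoices

// Handle an erasure request. Returns the record to keep (with its legal basis) and a
// tombstone to store alongside the backups. Account email, password hash and marketing
// preferences are not copied into the retained record, so they disappear with the account.
function eraseUser(user, { now = new Date(), requestMethod = 'email' } = {}) {
  const retainUntil = new Date(Date.UTC(
    now.getUTCFullYear() + RETENTION_YEARS, now.getUTCMonth(), now.getUTCDate(),
  )).toISOString();
  const retained = {
    id: user.id,
    legalBasis: 'legal obligation (tax accounting)', // assumed basis for keeping invoices
    retainUntil,                                     // delete once the obligation lapses
    invoices: user.invoices || [],                   // kept as issued; accounting rules fix their content
  };
  const tombstone = {
    userId: user.id,              // the ID only, so the register is not itself a list of addresses
    deletedAt: now.toISOString(),
    requestMethod,                // how the request arrived, e.g. 'contact-form'
  };
  return { retained, tombstone };
}

// After restoring a database from backup, drop every user in the register again.
function reapplyTombstones(restoredUsers, tombstones) {
  const deleted = new Set(tombstones.map((t) => t.userId));
  return restoredUsers.filter((u) => !deleted.has(u.id));
}

// Comments may be part of the public record (see Comments above), so they are
// anonymised rather than removed: the text stays, the author data goes.
function anonymiseComments(comments, tombstones) {
  const deleted = new Set(tombstones.map((t) => t.userId));
  return comments.map((c) => (deleted.has(c.userId)
    ? { ...c, userId: null, authorName: 'Anonymous', authorEmail: null, authorIp: null }
    : c));
}
```

The tombstone register has to live outside the database that is being restored (for example in the deployment repository or a separate store), otherwise a restore also rolls back the register. Third-party services that received the user’s data (a CRM, an email list) still need to be told separately; the tombstone records when the request was handled so that those notifications can be traced.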

Cookies

First-party cookies

Cookie rules themselves come from the ePrivacy Directive, but the GDPR’s stricter definition of consent now applies to them. Cookies that are strictly necessary for a service the user has requested, such as those that manage login state or a shopping cart, can be set without consent. Some regulators also tolerate first-party cookies used only to count visitors, provided no personally identifying data, including IP addresses, are captured from them, but this varies between member states.

However, in order to use any cookies that capture personally identifying data, consent is required. Consent must be active: It is no longer acceptable to show a banner that states continued use of the website implies consent. No cookies that capture personal data should be set in the browser until consent has been obtained. There must also be a simple tool to withdraw consent. This can be achieved by dropping a cookie in the user’s browser when consent is obtained, and then providing a method for them to delete that cookie later. Website controllers should also keep a record of when and how consent was given.

See more: http://europa.eu/rapid/press-release_IP-17-16_en.htm
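The mechanism described above (set nothing until an active opt-in, record the date, time and method of consent in the consent cookie, make withdrawal one action) as a worked example. The same gate is what the Google Analytics, YouTube and social embed sections below call for, so the example also rewrites a YouTube embed URL to the Enhanced Privacy Mode domain. This is added example code for this guide, not WordPress, Google or any vendor’s code; the cookie name, the three consent categories and the record layout are assumptions, and the in-memory cookie jar stands in for document.cookie so that the block runs outside a browser.

```javascript
// Consent-gated cookies and embeds: nothing is set or loaded until an explicit opt-in,
// the opt-in is recorded with date, time and method, and withdrawal deletes the cookie.
// Added example for this guide, not code from WordPress or any vendor named on this page.
// The cookie name, the three categories and the record layout are assumptions.

const CONSENT_COOKIE = 'lwg_consent'; // assumed cookie name
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// cookieJar stands in for document.cookie so the same logic runs in a browser or a test.
// Browser version: { get: () => document.cookie, set: (s) => { document.cookie = s; } }
function createConsentManager(cookieJar, now = () => new Date()) {
  const waiting = { analytics: [], embeds: [], marketing: [] }; // assumed categories
  let consent = readConsent();

  function readConsent() {
    const pair = cookieJar.get().split(';').map((s) => s.trim())
      .find((s) => s.startsWith(CONSENT_COOKIE + '='));
    if (!pair) return null;
    try {
      return JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    } catch (e) {
      return null; // a malformed or tampered cookie counts as no consent
    }
  }

  function hasConsent(category) {
    return Boolean(consent && consent.categories.includes(category));
  }

  // Wrap any code that sets a cookie or injects a third-party script (Analytics, a
  // YouTube iframe, a share widget). It runs only once consent for its category exists.
  function whenConsented(category, loader) {
    if (!(category in waiting)) throw new Error('unknown consent category: ' + category);
    if (hasConsent(category)) loader();
    else waiting[category].push(loader);
  }

  // Call from the click handler of an unticked opt-in control, never from page load or scrolling.
  function grant(categories, method) {
    const record = {
      categories: categories.filter((c) => c in waiting),
      method,                        // how consent was obtained, e.g. 'banner-click'
      givenAt: now().toISOString(),  // date and time of consent
    };
    consent = record;
    const expires = new Date(now().getTime() + ONE_YEAR_MS).toUTCString();
    cookieJar.set(`${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}; ` +
      `expires=${expires}; path=/; SameSite=Lax; Secure`);
    for (const c of record.categories) {
      while (waiting[c].length) waiting[c].shift()();
    }
    return record;
  }

  // Withdrawing is one call, as easy as granting: the cookie is deleted and the
  // in-memory state cleared, so no gated loader fires on later pages.
  function withdraw() {
    consent = null;
    cookieJar.set(`${CONSENT_COOKIE}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; SameSite=Lax; Secure`);
  }

  return { hasConsent, whenConsented, grant, withdraw, getRecord: () => consent };
}

// Enhanced Privacy Mode for YouTube: same video, served from youtube-nocookie.com.
function privacyEnhancedEmbedUrl(url) {
  const u = new URL(url);
  if (u.hostname === 'www.youtube.com' || u.hostname === 'youtube.com') {
    u.hostname = 'www.youtube-nocookie.com';
  }
  return u.toString();
}

// In-memory stand-in for document.cookie (constructed for this example) that honours
// an expires attribute, so the block runs outside a browser.
function memoryCookieJar(now = () => new Date()) {
  const store = new Map();
  return {
    get: () => [...store].map(([k, v]) => `${k}=${v}`).join('; '),
    set: (str) => {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      const exp = attrs.find((a) => a.toLowerCase().startsWith('expires='));
      if (exp && new Date(exp.slice(8)) <= now()) store.delete(name);
      else store.set(name, pair.slice(eq + 1));
    },
  };
}
```

On a real page the YouTube iframe, the Analytics snippet and any share widget are each wrapped in whenConsented with the appropriate category, the banner’s button calls grant, and a link on the privacy policy page calls withdraw. Because the record travels in the cookie, a user’s own browser carries the evidence of when and how they consented; a controller that needs its own record can additionally post the returned record to the server.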

Third-party cookies

All third-party cookies require consent from users.

Google services

Google has made significant efforts to be ready for the introduction of the GDPR. In recent weeks it has released a number of statements regarding its products as they relate to the GDPR. It has also introduced new tools to help users of their services achieve compliance. If no product-specific statement on the GDPR and privacy is available, Google’s general privacy policy and terms of use apply.

See more: https://privacy.google.com/businesses/compliance/

https://policies.google.com/

Google Analytics

For Google Analytics, including GA 360, Attribution, Optimize, Tag Manager, and Data Studio, Google positions itself as a data processor. Google asked Analytics clients to log in and manually set a data retention period before 25th May, 2018. If you are an Analytics client and have not done this yet, you should do so immediately. Google also offers the possibility of anonymising IP addresses.

There is some uncertainty about whether consent from users will be required to use Analytics tracking cookies. Analytics does store IP addresses but in an aggregated form. LWG advises either asking users for consent before tracking them with Analytics, or enabling anonymised IP addresses.

At this stage Google has not provided a solution for exporting data from Analytics to comply with data portability requirements.

See more: https://support.google.com/analytics/answer/2763052?hl=en

Google Adsense

For the services DoubleClick for Publishers, DoubleClick Ad Exchange, AdMob, and AdSense, Google is an independent data controller. Specific, named consent must be obtained from users before sharing personal data with these services.

Google Maps

For Google Maps services, including embedded Google Maps, Google is a data controller. This means specific consent to share personal data with Google must be obtained before loading embedded maps. Google requires that the Google terms of service are shown to users when embedding a Google Map.

See more: https://developers.google.com/maps/terms#section_9_3

https://privacy.google.com/businesses/compliance/#?modal_active=none

YouTube

YouTube embedded videos place cookies in the end user’s browser by default. In this case, users will be required to opt in to YouTube cookies before video embeds can be loaded. An example of how this works can be seen at https://edps.europa.eu/press-publications/press-news/videos/cnn-regulators-probe-facebook-over-data-privacy-giovanni_en.

YouTube has also made it possible to embed videos in an “Enhanced Privacy Mode”, served from the youtube-nocookie.com domain. If you have YouTube videos embedded on your website, you should replace the existing embed codes with ones that use this privacy mode. You can find instructions to do so at https://support.google.com/youtube/answer/171780?hl=en

Google reCAPTCHA

Google reCAPTCHA and noCAPTCHA tools require user consent. Google requires that users are informed that the use of reCAPTCHA and noCAPTCHA is governed by Google’s privacy policy.

See more: https://termsfeed.com/blog/privacy-policy-recaptcha/

Google Fonts

There is considerable uncertainty about how the Google Fonts service will be affected by the GDPR. The service allows for faster website loads by caching commonly used fonts across the Internet. The service does collect IP addresses but does not place cookies in the user’s browser. At this stage there has not been a specific statement from Google regarding Google Fonts and the GDPR. Some commentators are concerned that use of Google Fonts could be illegal under the GDPR. A solution is to self-host font files, although this would mean slower website load times.

See more: https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

Google Drive, Docs, Cloud

Google Docs and other Google cloud storage services act as data processors. Use of them does involve transfer of data outside the EU, which is covered by the EU-US Privacy Shield. Storing personal data in Google documents or cloud services still requires a legal basis for the processing (consent, or one of the other bases listed above) and a data processing agreement with Google.

See more: https://cloud.google.com/security/gdpr/

Facebook

In most cases where businesses use Facebook’s services, Facebook is acting as the data controller and has the responsibility to obtain consent. This is the case, for example, in running ad campaigns on the Facebook platform. In certain cases, such as the Custom Audience tool, Facebook is the data processor and obligation to obtain consent falls on the business importing the data to Facebook.

See more: https://www.facebook.com/business/gdpr  https://developers.facebook.com/docs/privacy#.

Pixel

The Facebook conversion Pixel relies on cookies and user consent will need to be obtained before it can be used.

E-commerce

In the case of personal data that are collected in order to sell products or services online, the legal basis of processing is the contract of sale, not consent. There are important caveats to note here. Personal data should only be kept for the time period required to comply with relevant laws, such as those governing tax accounting. Following this time period, the data should be deleted. Personal data collected for the purpose of fulfilling an online purchase cannot be used for behavioural targeting of ads or email marketing unless consent to those activities has been given.

This also implies that the reviews of data obtained from the online store, for example in the form of quarterly or annual reports, or analyses to identify demands for particular products or from particular locations, must be carried out in such a way that individual records are no longer identifiable as a natural person. This can be done through combined processes of minimising the data that are stored, and masking, pseudonymising, and aggregating records.

See more: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/

http://blog.protiviti.com/2018/02/21/saving-analytical-data-without-violating-gdpr-part-1-data-minimization-masking/

WooCommerce

WooCommerce is the most popular e-commerce solution for WordPress. WooCommerce syncs some data to their servers, including non-personally identifying order data. WooCommerce also offers tax and shipping rate calculation services on checkout. These services do make use of personal data, and consent from the user will be required in online stores that use this functionality.

See more: https://jetpack.com/support/what-data-does-jetpack-sync/

PayPal

PayPal is a popular payment services provider. When processing transactions for an online store, PayPal is a data controller (not a joint data controller). PayPal states that the store’s “privacy policy must clearly and expressly indicate that all PayPal transactions are subject to the PayPal Privacy Policy”.

See more: https://www.paypal.com/uk/webapps/mpp/ua/upcoming-policies-full

Stripe

Stripe is a payment services provider, that acts as both a data processor and a data controller. For more information, see their GDPR page: https://stripe.com/guides/general-data-protection-regulation

Social

AddThis

AddThis is a tool for embedding share buttons on website pages and tracking shares of website content on social media. However, AddThis also tracks website visitors and uses these data for behavioural advertising services. There is not an adequate opt-out mechanism for this tracking. LWG recommends replacing AddThis with direct share links to Facebook, Twitter, and LinkedIn, which do not require cookies to function.

AddThis Privacy Policy: http://www.addthis.com/privacy/opt-out

Share by link implementation: https://stackoverflow.com/questions/15074566/open-source-alternative-to-addthis-addtoany-sharethis-etcfor-social-bookmarking

Share buttons and other social embeds

All social media embed tools, including share buttons, YouTube and Vimeo videos, Facebook Like Box, Facebook, Twitter and Instagram feeds, embedded posts, and so on drop cookies in the user’s browser and will require consent before they can be loaded. LWG recommends replacing share buttons with direct share links to relevant social media platforms, and obtaining consent before other social embed content is loaded.

See for example: https://vimeo.com/cookie_policy

CDN and off-site resources

As IP addresses can be considered personal data, any resources such as fonts, scripts, or stylesheets that are loaded from third parties may fall under the purview of the GDPR. Google Fonts (discussed above) is one example. The European Court of Justice ruled in 2016 (Breyer, C-582/14) that IP addresses are personal data if a website controller who obtains an IP address could also, with reasonable effort, legally obtain additional data that would combine with the IP address to be personally identifying. There is still considerable uncertainty as to whether third-party asset services, such as public content distribution networks, will be disallowed under the GDPR.

Fonts.com

Fonts.com is a premium font service used by LWG to provide high quality fonts to our clients. Fonts are loaded directly from Fonts.com’s servers, not from the website servers. At this stage Fonts.com has not made a public statement on how the GDPR will affect their clients. At the time of writing, LWG was waiting for a response from their legal team.

jQuery and other CDNs

As has been best practice for the past five years or so, LWG loads commonly used assets such as the jQuery JavaScript library from public content distribution networks. It is unclear at this stage whether this practice will remain acceptable, even where the CDNs do not store the IP addresses they receive. Self-hosting these libraries, as suggested for fonts above, removes the question, and also removes the dependency on a third party’s servers for code that runs on every page.

Font Awesome

Font Awesome is a popular font icon set that is used on many LWG websites. Typically the font is also loaded over a CDN, however the service recommended by Font Awesome sets a cookie in the user’s browser. Therefore LWG advises switching to hosting Font Awesome locally.

Email marketing

Email marketing will require consent from the recipient. Consent must be specific: It’s not acceptable to send promotional emails to users who only signed up for a monthly newsletter. Records of consent must be kept. LWG strongly suggests using double opt-in methods to make sure that sign-up forms are not susceptible to abuse.

Some commentators are suggesting that promotional email marketing without specific consent may be acceptable on the basis of pursuing legitimate business interests, however LWG cannot offer advice or recommendation on this issue.

See more: https://www.communigator.co.uk/blog/legitimate-interest-saving-grace-gdpr/

https://www.econsultancy.com/blog/69303-gdpr-for-marketers-five-examples-of-legitimate-interests

MailChimp

MailChimp will be a data processor of third-party data (i.e. email contact lists) under the GDPR. MailChimp enforces high standards of privacy and LWG recommends using them as an email provider. MailChimp does not require double opt-in, but strongly recommends it. MailChimp does require records of consent, which MailChimp will manage if a double opt-in process is active.

See more: https://kb.mailchimp.com/binaries/content/assets/mailchimpkb/us/en/pdfs/mailchimp_gdpr_sept2017.pdf

Sensitive data

Information on health, racial or ethnic origin, sexual orientation, religion, and political beliefs is considered sensitive data and additional rules apply. There needs to be a legal basis for processing the data, and for these categories the GDPR requires an additional condition, such as the explicit consent of the data subject or the legitimate activities of a not-for-profit body. If your organisation collects sensitive data, LWG strongly advises seeking legal advice and/or a data security consultant. If processing such data on a large scale is a core activity of your organisation, you will also be required to appoint a data protection officer.

See more: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/

Contact forms

Contact forms should have a checkbox for the user to give consent to the specific data processing that will take place. There should also be a method for users to withdraw that consent, for example via a form on the data protection policy page.

CRM systems

Zapier

Zapier is a service that is used to move data between various other services, such as WordPress and MailChimp, or Google Docs and Salesforce. Zapier is a data processor under the GDPR, and complies with GDPR requirements. Records of data processed by Zapier are deleted after seven days. Use of Zapier’s services requires that consent to process data has been obtained and recorded.

Salesforce

Salesforce provides comprehensive resources on preparing for the GDPR: https://www.salesforce.com/gdpr/overview/


GDPR action list

Technical

  • Website visitors must opt-in before any personally identifying cookies are placed in their browser. This includes Google Analytics, a Facebook Pixel, YouTube and Vimeo embeds, social embeds, social share buttons, Google Maps, reCAPTCHA, and any other tracking.
  • Provide a method of withdrawing consent to tracking (deleting the consent cookie) on the Privacy Policy page.
  • User sign-up forms must include a consent checkbox with specific information about data collected. Log consent when users sign up.
  • Users must be able to request to access, edit, and delete their data. However, they cannot delete data that is legally required to be held for e.g. tax accounting purposes. This can be a contact form or email.
  • There must be a method to track users that were deleted. Deleted users should not be restored when backups are restored.
  • Users must specifically opt-in to different types of email communication. Signing up to a newsletter does not mean consent to send marketing material. Use double opt-in and keep a record of when consent was given.
  • Include a consent checkbox on all contact forms.
  • Include a consent checkbox on all comment forms. Allow deletion or anonymisation of comments.

Business Processes

  • Review currently held personal data and take action to delete or obtain consent for any data that are non-compliant. This includes identifying email lists that are not GDPR compliant and seeking a new opt-in.
  • Develop a plain language data protection policy that outlines what data are collected, what purposes they are used for, who they are shared with, and how long they are held.
  • Update the terms of service for website user accounts to outline what data are collected, the specific data controllers they are shared with, and the nature of the data processors they are shared with.
  • Develop a policy document for internal procedures for data processing and what happens in the event of a breach. Appoint a responsible staff member for GDPR compliance and notify all other staff to aid them in making the organisation compliant.
  • Review all third-party services to confirm their compliance. Take any actions required by the services to be GDPR compliant.
  • Communicate changes in the terms of service to website users.

Further resources

English

http://ec.europa.eu/justice/smedataprotect/index_en.htm

https://www.eugdpr.org/eugdpr.org.html

https://techblog.bozho.net/gdpr-practical-guide-developers/

German

https://www.bvdw.org/fileadmin/bvdw/upload/dokumente/recht/dsgvo/EU-Datenschutzgrundverordnung-2018.pdf

https://www.datenschutz-guru.de/dsgvo-in-kleinen-unternehmen-umsetzen-tipps-fur-ein-dsgvo-projekt/

http://magazin.digital-publishing-report.de/de/8-2018/datenschutzgrundverordnung

https://www.blogmojo.de/dsgvo-checkliste/

https://www.e-recht24.de

Data policy templates

German

https://t3n.de/store/order/dsgvoguide

This is a very comprehensive guide with templates for a variety of contracts, including with employees and freelancers/contractors, as well as a template data privacy statement for WordPress websites. 99€ plus VAT.

https://dsgvo-muster-datenschutzerklaerung.dg-datenschutz.de

This is a data privacy statement generator, and free.

https://www.e-recht24.de/muster-datenschutzerklaerung.html

This is a data privacy statement generator. It is free for basic usage, and has a paid level for features such as Facebook Pixel integration.

https://datenschutz-generator.de/

Free data privacy statement generator.

English

https://digital.com/blog/best-privacy-policy-generators/

This is a list of privacy policy generators.

Cookie permission pop-up

https://pagefair.com/blog/2018/granular-gdpr-consent/

This is an example of wireframe designs for an opt-in message.