Jaakko Alajoki — May 23, 2018

Will you survive GDPR or go to prison?

 

I’m going to start with a disclaimer. This post is not legal advice. We’re not lawyers.

 

GDPR (the General Data Protection Regulation) is here, and the deadline for complying with it is 25 May 2018. If you don’t know what it’s all about, then better google it right now. I’m not going to explain GDPR in detail, but I am going to tell you how we will try to comply with it, and what you should do to avoid trouble. I’m saying “try” because a lot is still open and no one knows exactly how the regulation will be applied in practice. You can read the text of the regulation, but it leaves many concrete solutions open. Time will tell how things proceed.

My first advice to everyone is: calm down. No one is going to jail. The police won’t come ringing anyone’s doorbell. No one will get sued.

Is my website secure?

GDPR requires organizations to take technical and organizational measures that keep personal data secure at a level appropriate to the risk (Article 32). Security is a complex matter and needs to be applied on many levels. We are committed to high security and have various policies in place to keep our products secure.

With WordPress, the single most effective way to avoid data breaches is to keep WordPress core, themes and plugins up to date. That’s why we offer the Evermade Care plan to our clients: it takes care of the necessary updates for you. We also follow industry best practices to harden servers and WordPress installations, and we back up all of our sites.

Breach notification is a key element of GDPR: a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it (Article 33), and the affected users must be informed when the breach is likely to pose a high risk to them (Article 34). We are committed to notifying all required parties within those timeframes. How end users are notified is agreed with each client beforehand.

Who is responsible?

GDPR requires some organizations to designate a Data Protection Officer (DPO): public authorities, and organizations whose core activities involve large-scale, systematic monitoring of people or large-scale processing of special categories of data (Article 37). Even where it is not mandatory, someone should be responsible for compliance. At Evermade that person is me. Although GDPR is handled at project level, I’m officially responsible for Evermade complying with GDPR.

What kind of privacy policy do I need?

GDPR aims to bring more transparency for end users. To achieve that, you need to properly communicate:

  • What information is gathered
  • Why it’s gathered, and on what legal basis (consent, contract, legitimate interest, ...)
  • How it’s stored and secured
  • For how long it’s kept
  • Who it’s shared with (analytics, e-mail and hosting providers are typical examples)
  • How users can exercise their rights (access, correction, deletion, portability, complaint)

For the privacy policy, you need to understand how your site is built: which forms, plugins and third-party services collect personal data, and where that data ends up. Find that out and update your policy accordingly.

Use cases are so different that it’s impossible to give a one-size-fits-all privacy policy template. It’s also a legal document, so I’m not the one to give detailed advice on its content.

Can I still use cookies?

Under GDPR, cookie identifiers can count as personal data (Recital 30 lists cookie identifiers among the online identifiers that can be used to identify a person). So in principle, users should be asked for consent before non-essential cookies are set. After quickly browsing the internet for an answer, you’ll find a bunch of opinions and a wide range of solutions. Some of the solutions are somewhat ridiculous, like this example by Cookiebot:

[Image: Cookiebot cookie consent dialog listing individual cookies by name, such as _hjIncludedInSample]

I can imagine my mom wondering if a cookie called _hjIncludedInSample is violating her privacy.

But we are in Finland and operate under Finnish law. There’s a lot of discussion around the matter but no clear answer from authorities like the Finnish Communications Regulatory Authority (Viestintävirasto) or the Data Protection Ombudsman (tietosuojavaltuutettu). The EU is also preparing the new ePrivacy Regulation, expected in 2019, which is the successor to the current ePrivacy Directive (also known as the Cookie Law). Before putting too much effort into cookie consents, I would wait for guidance from the official authorities.

Do I need to make changes to my website?

Do you need something else besides an updated privacy policy? Maybe.

GDPR comes with a few feature requirements. Users have the right to access their data (Article 15) and the right to be forgotten (Article 17). GDPR also states that you should collect only the data you need and delete it when it’s no longer needed (data minimization and storage limitation). So you should have tools in place for reviewing information and deleting it.

Say you have a contact form. People may call and ask what information you have saved about them. You need to be able to tell them, and also to delete the information if required. Another example: if you are running a webshop, you need to be able to delete a user’s profile and orders (apart from what bookkeeping law obliges you to keep, which is a legal obligation that overrides the erasure request). Most services already have suitable admin tools for this, and they are becoming more GDPR compatible.

What I would do is provide contact details in the privacy policy for data access and removal requests, and handle them manually. If the requests start pouring in, we can build a tool that automates the process for you.

GDPR also introduces the concept of data portability (Article 20):

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”

Does WordPress comply with GDPR?

The WordPress users table contains personal data (usernames, display names and e-mail addresses). If your marketing site doesn’t allow user registration (most likely it won’t), you are all good on that front; note, though, that open comments also store the commenter’s name, e-mail address and IP address. If registration is enabled, you need to make sure you comply with GDPR by:

  • Taking care of security
  • Informing users about what is collected and why
  • Allowing users to access and delete their information

WordPress plugins are a completely different story. GDPR compliance depends on the plugin (whether it collects personal information or not). Most plugins don’t, so you don’t need to worry. In other cases, you need to make sure that your plugin is GDPR compatible. At the time of writing, many plugin developers are still working on GDPR compatibility, so the situation is constantly changing. WordPress developers have formed a GDPR Compliance Team which aims to help WordPress users and developers make WordPress fully GDPR compliant. Its first results shipped in WordPress 4.9.6 on 21 May 2018: a privacy policy page helper, and Tools menu entries for exporting and erasing the personal data tied to an e-mail address, which plugins can hook into.
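As an added example (this is not code from the post, from Evermade or from WordPress core), here is what the access and deletion tooling mentioned above for a contact form looks like when it is wired into the export and erasure tools that WordPress core provides since 4.9.6. It assumes a hypothetical contact-form plugin storing submissions in a custom table named contact_submissions with the columns id, email, name, message and created_at; that table, the evm_ prefix and the text domain are illustrative assumptions. The two filter names and the structure the callbacks must return are WordPress core’s own.

```php
<?php
// Added example (not code from the post or from Evermade): hook a
// hypothetical contact-form table into the "Export Personal Data" and
// "Erase Personal Data" tools that WordPress core ships since 4.9.6.
// ASSUMED schema: {$wpdb->prefix}contact_submissions(id, email, name, message, created_at).
// The filter names and the callback return structures are WordPress core's.

const EVM_BATCH = 100; // core calls the callbacks page by page until 'done' is true

function evm_contact_submissions_table() {
    global $wpdb;
    return $wpdb->prefix . 'contact_submissions';
}

// Exporter: return the rows stored for $email_address, one export item per
// submission. This is what the user receives as the machine-readable export
// (Article 20 data portability).
function evm_contact_submissions_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table  = evm_contact_submissions_table();
    $offset = ( max( 1, (int) $page ) - 1 ) * EVM_BATCH;

    // The address is typed in by an admin, but it is still untrusted input: use prepare().
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, created_at FROM {$table}
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, EVM_BATCH, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'contact-submissions',
            'group_label' => __( 'Contact form submissions', 'evm' ),
            'item_id'     => 'contact-submission-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name', 'evm' ),      'value' => $row->name ),
                array( 'name' => __( 'E-mail', 'evm' ),    'value' => $row->email ),
                array( 'name' => __( 'Message', 'evm' ),   'value' => $row->message ),
                array( 'name' => __( 'Submitted', 'evm' ), 'value' => $row->created_at ),
            ),
        );
    }

    // A short page means we have reached the end; otherwise core asks for $page + 1.
    return array( 'data' => $items, 'done' => count( $rows ) < EVM_BATCH );
}

// Eraser: delete the rows for $email_address in batches and report honestly.
// Anything kept on purpose (e.g. a legal hold) must be reported through
// 'items_retained' and 'messages', never dropped silently.
function evm_contact_submissions_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = evm_contact_submissions_table();

    $deleted = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE email = %s LIMIT %d", $email_address, EVM_BATCH
    ) );

    if ( false === $deleted ) {
        // Database error: stop (done => true) instead of looping, and say what happened.
        return array(
            'items_removed'  => false,
            'items_retained' => true,
            'messages'       => array( __( 'Contact form submissions could not be deleted automatically.', 'evm' ) ),
            'done'           => true,
        );
    }

    $remaining = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE email = %s", $email_address
    ) );

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => 0 === $remaining,
    );
}

// Register both callbacks with core's privacy tools (Tools > Export/Erase Personal Data).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['evm-contact-submissions'] = array(
        'exporter_friendly_name' => __( 'Contact form submissions', 'evm' ),
        'callback'               => 'evm_contact_submissions_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['evm-contact-submissions'] = array(
        'eraser_friendly_name' => __( 'Contact form submissions', 'evm' ),
        'callback'             => 'evm_contact_submissions_eraser',
    );
    return $erasers;
} );
```

Once this is active, an admin enters the requester’s e-mail address under Tools, core calls every registered exporter or eraser in turn, and the requester gets one zipped export (or one confirmation) covering users, comments and every plugin that hooked in. Two details matter in practice: every query goes through $wpdb->prepare() because the address is still user input, and the eraser never reports success it did not achieve, since the "messages" it returns are what the admin will relay to the data subject.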

Do I need to get consent to use Google Analytics?

If you turn on IP anonymization and leave the display (advertising) features off, you are good to go: Analytics is then not tracking any personal information. Sending personally identifiable information to Google Analytics is against its terms of service anyway. More information here.
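As an added example (not from the post), here is how a WordPress theme or plugin would load analytics.js with exactly those two settings, with the weak default shown alongside for comparison. The field names anonymizeIp and allowAdFeatures are Google’s analytics.js fields; the property ID is a placeholder and the handle name is an arbitrary choice.

```php
<?php
// Added example (not from the post): enqueue analytics.js from WordPress
// with IP anonymization on and advertising/display features off.
// 'UA-XXXXXX-X' is a placeholder, not a real property.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'google-analytics', 'https://www.google-analytics.com/analytics.js', array(), null, true );

    $property_id = 'UA-XXXXXX-X';

    // Weak configuration, for comparison (do not use):
    //   ga('create', 'UA-XXXXXX-X', 'auto');
    //   ga('require', 'displayfeatures');   // turns on the advertising cookies
    //   ga('send', 'pageview');             // the full visitor IP is sent and stored

    // Hardened configuration. The one-line queue stub lets these calls be
    // recorded before analytics.js itself has finished loading.
    $snippet  = "window.ga = window.ga || function () { (ga.q = ga.q || []).push(arguments); };\n";
    $snippet .= sprintf( "ga('create', '%s', 'auto');\n", esc_js( $property_id ) );
    $snippet .= "ga('set', 'anonymizeIp', true);\n";      // last octet of IPv4 / last 80 bits of IPv6 zeroed before storage
    $snippet .= "ga('set', 'allowAdFeatures', false);\n"; // no remarketing/demographics features, no DoubleClick cookie
    $snippet .= "ga('send', 'pageview');\n";

    wp_add_inline_script( 'google-analytics', $snippet, 'before' );
} );
```

Check the result in the browser: with anonymizeIp on, the collect request carries an aip=1 parameter, and with advertising features off no DoubleClick (doubleclick.net) request or IDE cookie should appear.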

Does HubSpot comply with GDPR?

It’s getting there

Does MailChimp comply with GDPR?

Yes. But remember to talk to your lawyers. More information here.

Does HotJar comply with GDPR?

Work in progress

Conclusion

GDPR might sound like just another bureaucratic thing coming from the EU, aimed at making our lives more difficult, but its intentions are actually very good. Instead of panicking about it, I would focus on being secure and transparent, and on respecting privacy as well as you can. That’s what matters, and by taking care of that you are most likely to comply with GDPR as well.

 
