TIPS & TRICKS
What we did to make
GDPR Compliant Needyesterday
Fabio Sarcona, Co-Founder Needyesterday, Italy
8 June 2018
From 25 May the new privacy legislation is in force. And yes… for weeks you have seen everywhere the 4 most hated letters of the web: GDPR. And even today, 2 weeks after the new regulation came into force, there is a lot of confusion. In this article you will learn what we have done to get Needyesterday GDPR compliant and sleep well after that.
So we thought about sharing our experience and what we did to make Needyesterday GDPR compliant. What follows is a series of tips and tricks that we used for our site.
Disclaimer: I do not want to replace any legal expert (which I always recommend consulting), but I want to help you by addressing the GDPR with a practical approach and without technical jargon (the terms you do find are explained in the glossary I have included).
I want to tell you this immediately: if you are not the CEO of a large company, then most likely making your site GDPR compliant will not be a big deal. Relax.
That said, in this article…
I will show you:
- What we did to make Needyesterday GDPR compliant
- What steps we have followed and what questions we have asked before proceeding with the update of our site
- Which tools we have used
- A glossary with all the most common terms used in the new GDPR regulations.
You will NOT find:
- One-click solutions
- Magic potions
- Plugins that will make you 100% GDPR compliant and also prepare an excellent coffee for only $49
- Armageddon theories on the end of the internet
Are you ready? let’s start! 😉
What data you collect, how and for what reason
If you are a freelancer or a small web agency, probably you will collect this kind of data:
- First name
- Last name
and perhaps, in some cases, the link of your client’s site.
You probably acquire this data through a Contact Form or through your newsletter.
And most likely you use this data to send an estimate on a new project, to update and communicate with your client, or to do web marketing through your mailing list.
If you recognize yourself in this analysis, then you have already completed the first step to be GDPR compliant. In fact, this is one of the most important things to do: understand what data you collect from third parties and how. Do this step before any technical intervention or any investment in tools or plugins to make your site GDPR compliant.
This first step is crucial because the GDPR aims to make the management of personal data more transparent, so before moving to the next step it is important to have this point settled.
I have added below some questions that can help you complete the first step.
How is consent collected? For example:
- Web forms
- Sign In page
- Email campaigns
- Telemarketing campaigns
What information is being collected? For example:
- Phone Number
Who is collecting it?
Which plugin or tool is collecting data?
Why is it being collected? For example:
- Site statistics
- Behavior on the site (example: Heatmap)
How will it be used? For example:
- To contact customers
- Sending proposals
Who will be the data shared with?
What will be the effect of this on the individuals involved?
Is the intended use likely to cause individuals to object or complain?
How is this consent demonstrated? For Example:
- I keep a record of when and how we got consent from the individual
- I keep a record of what they were told when I collected the data
Where is consent recorded? For Example:
- With your CRM system (for example Mailchimp)
Answering these questions will surely give you a clearer idea of what to do to make your site GDPR compliant.
What did we do?
At Needyesterday we asked ourselves three precise questions:
How do we get data from our users?
- Contact Form on our Contact us page
Which data do we collect?
In the case of our opt-in form, we collect just name and email.
In the contact form we collect:
- First name
- Last name
When the user is interested in working with us or in a partnership, we also ask them to provide a link to their portfolio and LinkedIn profile, and their role.
And for what reasons do we ask for these data?
In the case of our opt-in form, we offer free access to all our freebies immediately after sign-up to the newsletter.
In the case of our contact form, we request user data to process requests and never use data in any other way except to respond to support requests or to requests for more information.
I believe a good way to make your website GDPR compliant is simply to treat your users’ data as if it were your personal data: with the utmost respect and only for the reasons you stated.
If you do not give your users' data to third parties, if you do not take any data without their consent, and if you keep this data with the utmost care and common sense, you are and will always be GDPR compliant.
Clear and transparent information
The second step is to inform how you will use the data you collect in the clearest and most transparent way possible.
For example, if your site has a Landing Page where you offer free resources such as:
- Free layouts
and ask for the user's name and email to give access to your resources, then it will be immediately clear why you are asking for that data.
Implicitly you are saying:
If you enter your name and your email here I will give you my free resources.
What does this mean? That the user is aware of the fact that his data is needed to get your free resources.
At this point you probably have a question in your mind: Do I need to add a checkbox requesting explicit consent to the subscription?
Drumroll… and the answer is simple: NO.
Why? Because as described in this excellent article by Tim Strifler the user is already aware immediately of the reason why you are requesting the data.
For example, on our Freebies page, through the opt-in form in the Header we ask for the user's name and email to give access to a .zip package that includes all the free resources. The reason why we ask for the data is clear.
The same principle applies if on your Contact page you ask for data such as Name, Surname, Email to send an estimate for a new project.
What did we do?
We didn’t do much extra to be compliant. We have always preferred to be transparent starting from the copy we use. So the user is immediately aware that his/her data are mandatory to get free resources and to be informed on our new tutorials and offers. This made it unnecessary to add the infamous checkbox that is surely destined to remain one of the most discussed points of the new privacy regulations.
Contact form and Comment Form
Our users’ emails are never used for remarketing or other purposes not described. So we did not have to add any checkbox that asks for explicit consent as done for example in the Comment Form of the Elegant Themes blog.
Make access to collected data and cancellation simple
Another important point of the GDPR is access to the collected data. What does it mean?
It means that all users must be able to request the cancellation of their data to respect their right to be forgotten as established by the GDPR.
The ability to export and delete user data is a feature that was introduced with WordPress version 4.9.6. The same applies to data stored by WooCommerce, which can now be exported and deleted using the export feature introduced in WP 4.9.6. Another thing introduced by WooCommerce is the ability to determine how long you will keep your customers' data once it is no longer necessary for order processing.
Many plug-in developers will introduce similar tools or native integrations with WP’s Data Export, so in the coming weeks we can certainly expect news that will make access to the stored data easier and faster.
What did we do?
And what about the data collected by Woocommerce?
With regard to WooCommerce, the data used to process orders can also be deleted; we decided to keep the data of completed orders for a maximum of one year (see screenshot #1).
Alternative to GDPR Data Request Form Plugin
You can also use the Delete Me plugin that will help you easily manage the request for access and deletion of the collected data.
Regarding subscribers to our newsletter, we give a quick and easy way to unsubscribe (meaning they stop receiving our emails, not that their data is deleted: Mailchimp, like many email services, does not delete user data after an unsubscribe) by inserting a link in every email we send, along with a short note reminding them why they are subscribed to our newsletter (see screenshot #2).
GDPR and ePR compliant cookie consent
You will have already heard a thousand times about cookies, what they are and what they do… so I do not want to bore you further, but I do want to talk about what the new legislation requires for your cookies to be compliant. Consent must be:
- Given before the installation of cookies. This means that no cookies, except technical cookies, can be installed on the site prior to the user’s consent.
- Inform users about what cookies you use. Your users need to know what cookies you use and for what reason and you must do so by providing specific and clear information about what they are giving their consent to.
- Keep track of consent. All consent data must be stored securely to provide evidence of consent in the event of a check (check out the screenshot below).
- Renewed once a year. Consent must be renewed every 12 months, so cookies cannot be kept beyond this period.
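The four requirements above are easiest to reason about as a small piece of client-side logic. The following is an added example written for this article, not code from Needyesterday, CookieBot or any plugin named here: a consent gate that blocks non-essential scripts until consent is recorded, stores what the user agreed to and when, treats consent older than 12 months as absent (so the banner is shown again), and exports the consent log as CSV. The storage object and clock are injected (assumed interface: getItem/setItem, as on window.localStorage) so the logic runs outside a browser; the category names and script list are constructed for the example.

```javascript
// Added example: consent-gated script loading with a 12-month consent TTL.
// Not CookieBot's or Needyesterday's code; storage/clock are injected so it
// runs outside a browser (in a page, pass window.localStorage).

const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // consent must be renewed yearly
// "necessary" (technical cookies) is always allowed and is not a choice.
const CATEGORIES = ["preferences", "statistics", "marketing"];

function createConsentManager(storage, now = () => Date.now()) {
  const KEY = "cookie_consent";      // current consent record
  const LOG_KEY = "cookie_consent_log"; // evidence of every consent given

  // Returns the current record, or null when none exists or it is older than TTL.
  function read() {
    const raw = storage.getItem(KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (typeof rec.ts !== "number" || now() - rec.ts > CONSENT_TTL_MS) return null;
    return rec;
  }

  // Store the user's choices; anything not explicitly true is treated as refused.
  function record(choices) {
    const rec = { ts: now(), choices: {} };
    for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
    storage.setItem(KEY, JSON.stringify(rec));
    const log = JSON.parse(storage.getItem(LOG_KEY) || "[]");
    log.push(rec);
    storage.setItem(LOG_KEY, JSON.stringify(log));
    return rec;
  }

  function allowed(category) {
    if (category === "necessary") return true;
    const rec = read();
    return rec !== null && rec.choices[category] === true;
  }

  // The banner is needed whenever there is no valid (unexpired) consent.
  function needsBanner() { return read() === null; }

  // Load only the scripts whose category is allowed; returns what was loaded.
  // `loader` is the hypothetical function that appends a <script> tag.
  function loadGated(scripts, loader) {
    const loaded = [];
    for (const s of scripts) {
      if (allowed(s.category)) { loader(s.src); loaded.push(s.src); }
    }
    return loaded;
  }

  // CSV of all consents obtained: one row per record, one column per category.
  function exportLogCsv() {
    const log = JSON.parse(storage.getItem(LOG_KEY) || "[]");
    const header = ["timestamp", ...CATEGORIES].join(",");
    const rows = log.map(r =>
      [new Date(r.ts).toISOString(), ...CATEGORIES.map(c => r.choices[c])].join(","));
    return [header, ...rows].join("\n");
  }

  return { record, allowed, needsBanner, loadGated, exportLogCsv };
}

// In-memory stand-in for localStorage, for running the example offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Constructed script list: a technical script plus an analytics one.
const SCRIPTS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "/js/analytics.js", category: "statistics" },
];
```

Before any consent, only `/js/session.js` loads; after `record({ statistics: true })` the analytics script loads as well, and once the clock passes 365 days the record is ignored and `needsBanner()` is true again, which is the renewal the regulation asks for.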
What did we do?
For the cookie consent we have chosen to use CookieBot, a cloud service that automatically scans the site and detects the cookies in use, blocks non-essential cookies until consent is given (preventive blocking) so that the site remains usable even without consent to cookies that are not strictly necessary, and gives access to a downloadable CSV document that tracks all the consents obtained.
If you want to know more about the Cookie Consent, I recommend this great article Cookie Consent | How I do comply with the GDPR?
Tools and Resources
Generate Privacy Page
All you need to do is choose those in use on your site and Iubenda will automatically create your Privacy page.
The annual cost per person / language is $19 but if you use this affiliate link, you get a $10 discount on the first year of subscription.
Iubenda also automatically generates the text required by the GDPR and updates it automatically if the regulations change.
It's very easy to integrate because there are several ways to include Iubenda on your site: you can use a WordPress plugin, but I recommend the Embed code solution, placed directly in your Child Theme or in the Divi Options panel (in the Integrations tab).
Last week Iubenda also released a new tool for managing and storing sensitive data, a specific tool for GDPR. The cost is $29 per month and it is an excellent solution if your site or your clients’ treat sensitive data such as Clinical Data, Bank Data, and other data that need more complex management.
#Cookiebot: (Free version)
Iubenda generates a banner for cookie consent, but it does not block cookies before consent as required by the regulation. For this reason we at Needyesterday have preferred to use CookieBot, which scans your site and automatically sets up preventive blocking of the cookies installed on your site.
Alternatively, you can also use this other great plugin for Cookie Law:
#Ginger – EU Cookie Law
Other tools and resources:
Two tools that allow you to find active cookies on your site:
Glossary of Terms
Binding Corporate Rules (BCRs)
a set of binding rules put in place to allow multinational companies and organizations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organization)
any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification
freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data
Data Concerning Health
any personal data related to the physical or mental health of an individual or the provision of health services to them
the entity that determines the purposes, conditions and means of the processing of personal data
Data Erasure
also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data
the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.
the entity that processes data on behalf of the Data Controller
Data Protection Authority
national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union
Data Protection Officer
an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR
a natural person whose personal data is processed by a controller or processor
non-legislative acts enacted in order to supplement existing legislation and provide criteria or clarity
an exemption from a law
a legislative act that sets out a goal that all EU countries must achieve through their own national laws
personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with a specified access
any entity engaged in economic activity, regardless of legal form, including persons, partnerships, associations, etc.
any specific set of personal data that is accessible according to specific criteria, or able to be queried
data concerning the characteristics of an individual which are inherited or acquired which give unique information about the health or physiology of the individual
Group of Undertakings
a controlling undertaking and its controlled undertakings
the place within the Union that the main decisions surrounding data processing are made; with regard to the processor
any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person
Personal Data Breach
a breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data
Privacy by Design
a principle that calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition
Privacy Impact Assessment
a tool used to identify and reduce the privacy risks of entities by analyzing the personal data that are processed and the policies in place to protect the data
any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
any automated processing of personal data intended to evaluate, analyze, or predict data subject behavior
the processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution
the entity to which the personal data are disclosed
a binding legislative act that must be applied in its entirety across the Union
any person in the Union explicitly designated by the controller to be addressed by the supervisory authorities
Right to be Forgotten
also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data
Right to Access
also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them
Subject Access Right
also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them
a public authority which is established by a member state in accordance with article 46
informal negotiations between the European Commission, the European Parliament, and the Council of the European Union usually held following the first readings of proposed legislation in order to more quickly agree to a compromise text to be adopted.
I think the GDPR will continue to be a "hot" topic for quite a while. Just ask "What have you done to make your site GDPR compliant?" to see a flurry of comments and opinions, all different from each other.
From my point of view (which is not that of a lawyer or privacy expert), I think that if you have always made a correct and transparent use of your users' data, you have never given any third party an email, and you respect the privacy of others as if it were yours, you have already done 90% of the work to make your business GDPR compliant.
Okay .. enough with boring legal stuff… I want to finish showing you something really geeky…