egoselfaxis

asked on

Seeking pointers and verbiage for making websites GDPR Compliant

I'm getting ready to update some of the websites that I actively maintain so that they're "GDPR compliant", which we've all been hearing chatter about. Most of the sites are WordPress based, and contain contact forms that send email and write the information to the database, as well as WooCommerce-based shopping carts and Mailchimp-based newsletter signup forms. I've read several articles that suggest what I'm supposed to do to make the sites GDPR compliant, but they all fall short in my opinion, and don't really provide useful enough information.

I'm going to first start by installing and configuring this plugin on my WordPress sites: https://wordpress.org/plugins/wp-gdpr-compliance/

In addition, I think I'm going to need to manually update some of my other non-WordPress sites with the following:

1) I will add a short text blurb explaining that data is being collected, somewhere either on the website or on the form page
2) I will add some kind of required "I agree to these terms and grant you permission to store my data" checkbox to the forms
3) I will create a new "Terms and Conditions / Privacy Policy" page (that's company specific), and add a link to it somewhere in the bottom footer

Does this sound about right? Or am I missing anything else here?

Also .. does anyone here know where I could find a suitable, generic "Terms and Conditions / Privacy Policy" page (perhaps one that's GDPR Compliance specific) that I could copy & paste from and use for all of the sites that I need to update? I've got about 10 sites on my list that I'm going to need to update this month, and I'd like to be able to streamline the process as much as possible. Any tips or advice would be appreciated.

Thanks,
- Yvan
ASKER CERTIFIED SOLUTION
noci

This solution is only available to members.
robocat

I agree with noci. GDPR is not about putting some generic "Terms and Conditions / Privacy Policy" page on a website. It is not a cosmetic operation.

GDPR is about changing your business processes to suit the regulation. How do you manage customer data? Who is the person responsible for managing the data? Who is the DPO? Who are the subcontractors? Are the subcontractors GDPR compliant? Does data ever leave Europe? Etc ...

There are hundreds of such questions that need to be addressed first. Technical and organisational measures to protect and manage the data need to be put in place.

Only then can you create a privacy policy that you can put on a website. If you maintain websites for several companies, most of this work should be carried out by those companies, not you.
egoselfaxis

ASKER

Don't get me wrong ... I agree with all of this. But the bottom line is that I'm dealing with small, US-based businesses that don't even really deal with customers outside of the country, and I'm trying to find a balance between protecting them, and not going too overboard by urging them to hire attorneys, or to eliminate certain 3rd party integrations, or by employing geo-blocking, etc.

As I've gone down this rabbit hole, it's become apparent that there are some potential gray areas in the new regulations. For example, many of my clients have contact forms on their websites that do nothing more than send email, or they have newsletter signup forms that feed into Mailchimp, .. or they have Google Analytics based visitor tracking, etc.

That being said, .. is it reasonable for me to assume that if a person from the EU comes to one of my clients' websites, fills out and submits a newsletter signup form, and then fills out and submits a contact form, .. that because those emails are being sent through the web hosting provider's SMTP server, routed to someone's Gmail account, and stored in someone's Mailchimp account, -- are the web hosting provider, Mailchimp, and Google the ones to be held accountable in this situation? Or is it the business owner?

Granted, it's entirely possible that someone from the EU might visit one of these sites and sign up for a newsletter, submit a contact form, and have their visit logged by Google Analytics. But truth be told -- it's actually much more likely that someone from the EU would do this ONLY because the new GDPR laws have now become enforceable, and because they're fishing for small, non-compliant companies to go after. So far, this has been the only way I've been able to persuade these small companies to move towards GDPR compliance .. by warning them that this sort of thing might happen.

Anyways .. as I was saying, I agree that these guidelines need to be adhered to based on each unique business model, and by taking all the different moving parts into consideration. I'm just trying to devise a more intelligent way to advise my clients about these new regulations without my having to go to law school about it.

- Yvan
It is slightly worse or better depending on your p.o.v.... if you travel in Europe the GDPR is also applicable to your data...
And your worst case scenario might happen..., in many countries in the EU there is not a real difference before or after 25/5/2018
(except for enforceability); the rules were laid out years ago (1997 privacy laws, later amendment) and in 2016 GDPR became the regulation,
with a 2 year term to become compliant..., which turned into a two week frenzy now because everybody sat on their hands.... until a few weeks back.

The real problem is the big data mining companies that took a free lunch with all the data (voluntarily or not) siphoning all websites and other sources they could lay their claws^Whands on. (Think Facebook, Google Analytics, Cambridge Technologies...) Well, the tide has now turned....
Maybe they should do an address check on visitors and show a different page for EU IP addresses, or not allow signing up on the maillist.

For Mailchimp & Google please check on their respective sites.
I am not sure Mailchimp is GDPR compliant..., I know of a club that used Mailchimp and is now stopping that due to GDPR issues.

For maillists it is mandatory that they are active opt-in, tell in plain and simple language (no EULA legalese) why the address is needed and what it will be used for, and stick to that statement. Be transparent. I think a classic maillist perfectly fits the bill (mailman f.e.).
And don't use the mail address for anything else than the stated terms.
GDPR doesn't forbid trading addresses, it forbids trading addresses WITHOUT prior active & clear consent.
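As an added illustration of the two points made in this thread (a required consent checkbox on the form, and active opt-in bound to a stated purpose), here is a small server-side handler. It is example code written for this page, not code from the thread or from any plugin; the field names, `POLICY_VERSION`, `STATED_PURPOSES` and the in-memory `CONSENT_LOG` are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed constants (constructed for this example): the revision of the privacy
# notice the visitor saw, and the uses the form states in plain language.
POLICY_VERSION = "privacy-notice-v1"
STATED_PURPOSES = ("contact_reply", "newsletter")

class ConsentError(ValueError):
    """Raised when a submission carries no valid, explicit consent."""

@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purposes: frozenset   # only the uses the visitor actively ticked
    policy_version: str   # which notice text they agreed to
    recorded_at: str      # UTC timestamp: evidence of when consent was given
    source_form: str      # which form produced the record

def parse_consent(form: dict, source_form: str) -> ConsentRecord:
    """Accept a submission only with an active opt-in.

    `form` is the parsed POST body. The consent checkbox is assumed to be
    rendered unchecked with value="yes"; a missing field, an empty value or a
    browser default such as "on" counts as no consent. Each purpose has its own
    checkbox, so consent to a contact reply never implies newsletter use.
    """
    if form.get("consent") != "yes":
        raise ConsentError("explicit consent checkbox not ticked")
    purposes = frozenset(p for p in STATED_PURPOSES if form.get(f"purpose_{p}") == "yes")
    if not purposes:
        raise ConsentError("no stated purpose selected")
    email = form.get("email", "").strip()
    if "@" not in email:
        raise ConsentError("missing email address")
    return ConsentRecord(email, purposes, POLICY_VERSION,
                         datetime.now(timezone.utc).isoformat(), source_form)

# In-memory stand-in for the consent table a real site would persist.
CONSENT_LOG: dict = {}

def record_consent(form: dict, source_form: str) -> ConsentRecord:
    rec = parse_consent(form, source_form)
    CONSENT_LOG[rec.email] = rec
    return rec

def may_use_for(email: str, purpose: str) -> bool:
    """Gate every use of a stored address on the purpose it was given for."""
    rec = CONSENT_LOG.get(email)
    return rec is not None and purpose in rec.purposes
```

Every place the site later touches an address (a mail merge, an export to a third party) should go through `may_use_for`, so an address collected for a contact reply cannot silently end up on the newsletter list.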
SOLUTION

This solution is only available to members.