As a new Weaver the GDPR is really putting me off


(Dean) #1

Hi people. I am still learning the software, and on my quest, on these forums and in general online the whole GDPR thing has really confused me. My first site would be a Rapid Weaver 8 theme with some adjustments from Stacks.

I would want to build a personal site, or two. I have seen some privacy tabs on sites and they have reams of text. How the heck would you know what to write? It seems very complicated for a beginner.

I saw one website and he has blocked all EU access to his site, so I can’t view it, but that’s one way around it, if you don’t want any EU visitors.

Trying to make a few steps forward but keep getting complications. It all looks like a load of red tape to me, which I hate with a passion.


(Jannis from inStacks Software) #2

Where are you located, geographically?


(Dean) #3

Britain, UK.


(Jannis from inStacks Software) #4

If it’s a personal site, I wouldn’t be too afraid. Even if you don’t collect any data, sell any goods, or use any analytics integration.
I guess @tav and @willwood can give best answers regarding UK. For Germany, this would be a different story :wink:


(Dean) #5

Thank you.

I am not sure what sort of site as yet. There’s not a one size fits all with this, so it seems. I have seen some stacks or add ins like Cookie Jar but I am not sure if I need those or not. It’s all left me very confused and annoyed that things have to get complicated.

I am sure I am making more about it than I need to, but being this new into this, I find it very off putting, to say the least.


(Will Woodgate) #6

The easiest approach:

  1. Choose a theme advertising itself as being GDPR compliant
  2. In Stacks, opt to use local versions of jQuery / Font Awesome in the settings
  3. Avoid any analytical scripts or plugins (e.g. Google Analytics, Hit Counter or GoSquared)
  4. Don’t use 3rd party content or scripts (e.g. social media share buttons, Google Fonts or YouTube embeds)
  5. Put up a simple privacy policy page - many free generators or templates exist for these

Now your website is self-contained. You do not have any invasive tracking from third-parties. No reason to be concerned or display a popup message or anything like that. The privacy policy clearly presents what data you collect and how you use it. Everyone is happy. You are all set up and ready to go.

If your website does need to make use of third-party scripts, tracking or plugins (basically any components of your website, not stored on your web server) then ideally you need a popup and give users the ability to opt-in and opt-out again. This can be more challenging, but good solutions do exist for RapidWeaver.

Take care with selecting popup / cookie message addons for RapidWeaver. Some are purely cosmetic from a time before GDPR was introduced. Therefore they may still allow potentially invasive things to load in the page background, before the user has a chance to read the message and opt-in to said items. Depending on your interpretation of the law, that’s not really good enough for GDPR.
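
A way to check the "self-contained" setup from post #6, as an added example that is not part of the original thread or of any RapidWeaver add-on: it parses an exported page and lists every external host the browser would contact on load. The site host `example.org`, the sample page, and the rule that subdomains count as first-party are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute makes the browser contact another server on page load.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
               "source": "src", "video": "src", "audio": "src", "link": "href"}
# <link> only triggers a request for these rel values (canonical etc. do not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch",
                 "preconnect", "dns-prefetch"}


class ThirdPartyAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        values = dict(attrs)
        if tag == "link":
            rels = set((values.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        # hostname is None for relative URLs and data: URIs (served locally).
        host = urlparse(values.get(attr) or "").hostname
        # Assumption: subdomains of the site's own domain count as first-party.
        if host and host != self.site_host \
                and not host.endswith("." + self.site_host):
            self.hosts.add(host)


def third_party_hosts(html, site_host):
    """Return the sorted external hosts a page would contact when loaded."""
    audit = ThirdPartyAudit(site_host)
    audit.feed(html)
    return sorted(audit.hosts)


# Constructed sample page (not taken from any real site).
SAMPLE = """
<link rel="stylesheet" href="assets/styles.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<link rel="canonical" href="https://mirror.example.net/">
<script src="assets/jquery.min.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="https://www.example.org/photo.jpg">
"""
```

An empty result from `third_party_hosts(page_html, "your-domain")` means the static markup loads nothing from elsewhere. Resources injected later by inline scripts are not visible to this check and still need a look in the browser's network panel.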


(Rob D) #7

And one of the best solutions is Will’s own free CookieManager stack.

If you care about your visitors’ privacy, then you owe it to them (and to yourself) to observe GDPR rules—without a need for going crazy over them.


(Dean) #8

Thank you willwood, I feel better already.

That has put it into simple terms for me to get my head around.

What about a contact form?

Many thanks


(Will Woodgate) #9

As a minimum, put a checkbox on your contact form with words to the effect of:

By submitting your message, you agree that the information you supply will be handled in accordance with our website privacy policy.

Some people prefer to only have the contact form submit after the user has checked this option. If using the standard RapidWeaver Contact Form, I offered a solution here for only submitting the form when a checkbox is checked:

Some third-party form stacks like Formulate and CompactForm and others have a similar feature built-in. They will only let the form send when the GDPR checkbox is checked by the end user.


#10

I understand your pain. The entire GDPR process completely put me off creating websites and I’m now decommissioning all websites that I have created because I really just can’t be bothered with all of the hassle.

For me also, it has broken the internet. I have my browser in private mode on my phone so every time I visit a website I get a popup asking me to read and accept the policy. Every time. It’s just blooming awful.


(James Bond) #11

I think you’re making way more of this than needed. GDPR requires a small amount of tweaking to the edges of most sites unless you’re involved in online sales and/or data gathering in which case you should be across this as a matter of course.


(Dean) #12

Thanks so much.


(Marc Lucas) #13

Hi All

Not 100% related but is related to GDPR and email mailing lists which could have a positive effect on the way people gather email information from their websites. Seems like all was not as it seemed from the ICO.


(Simon) #14

Hi Dean,

I’m also in the UK. I asked the ICO about IP addresses (which tends to be part of the main debate) and interestingly enough have just come off the phone with them this morning. A couple of things you need to note:

  1. Where your website is hosted determines which GDPR legislation you come under.
  2. Each EU member state has a base GDPR, but can (and often does) add legislation on top of this base GDPR.
  3. The ICO is clear that you are only responsible for what you process. If you use a service on your website that takes visitors’ IP address from your site and adds to that other data making it personal information, they are responsible to comply with GDPR not you, as you are not processing this information, unless of course they are processing it on your behalf and you end up with all that data.

In the UK the main chatter is about IP addresses which the UK ICO have stated could be personal information if there is other information that can identify a living individual. Otherwise IP addresses are not personal information in the UK.

My suggestion is that you assess what information your website(s) processes. If this information can identify a living individual you are processing personal information and you need to ensure GDPR compliance.

These links should help you:

If you have any doubts call the ICO and chat to them. They are extremely helpful. Beware of taking information from non-UK developers as they may well have a different set of rules depending on which EU member state you are in.


(Dave Farrants) #15

Interesting. I have 12 .uk domains currently hosted in Denmark (One.com) - if I move them to USA hosting (or other non EU country) does that mean I’m no longer liable for GDPR?


(Simon) #16

I apologise as my comment was a little too simplistic. The question really isn’t about the website, but about the data. The data will fall subject to the laws of the land that it resides in; i.e. under whose jurisdiction is the hard disk the data is on? If the hard disk is in the USA then they have jurisdiction, if in the EU then they have jurisdiction. I think the danger here is in thinking in terms of websites not in terms of data. The question is where the data ends up. If you collect it in the US, but transfer it back to Denmark and process it there, you are still required to comply with GDPR as the data is within EU jurisdiction.

Realistically, you don’t save yourself much in putting it on a US server. If it is a purely informational site, you may as well put it on a Danish server. If the website collects data that you intend to process in Denmark, then collecting it in the US and transferring it back gains you nothing. In fact it may make things harder as you need to comply not only with EU law but also US law.

On a slightly different note, I would be cautious about holding .uk domains in the EU. I have already received notification that all .eu domains that I have registered here in the UK will be revoked in March 2019 when Brexit occurs. I can imagine a similar situation happening for .uk domains registered outside of the UK.