GDPR Compliance II


(Andreas Belivanakis) #1

Do you have any ideas on how to implement GDPR to my websites? I would like a simple solution that makes each website compliant, without having to read through mountains of articles and data.

Your suggestions would be appreciated.


(NeilUK) #2

I think the whole EU is looking for the same solution as you :wink:


(Andreas Belivanakis) #3

I just saw a beautiful solution implemented by Dominos’s pizza. As a customer, I had to respond to an email from them, that took me to a landing page and asked me to check one or more (out of 3) checkboxes. I got an acknowledgement right after that, and we were done in no time.

It would be hard to match that, but something like that would be ideal.


(Gabrielle Vickery) #4

I’m reading up a fair bit on this. I’m recommending 3 things to my website clients at the moment:

  1. Pop in a privacy policy at the bottom of each site.
  2. Add an SSL to each domain
  3. If there’s a contact form then add details to it explaining what happens with your data once you hit send.

Sounds simple but it’s like glue really :(.


(Nigel) #5

Update your privacy policy to reflect GDPR - some help here: https://seqlegal.com/free-legal-documents/privacy-policy

If you collect personal information then be clear who, why, what for, how long etc. Follow the free guidance given on the ICO website: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

Make sure it is only kept for the purpose it was given consent for and if needed get ‘informed’ consent again.

If you already complied with the existing data protection legislation then it should not take long to update that to the GDPR standards - if not then you should have been!

Nigel


(Rob Beattie) #6

I’ve built a number of sites for different clients and I’d be interested to know whether people think it’s my responsibility to make sure their sites are GDPR-compliant, or whether it’s their responsibility to come to me and ask me to make them compliant.

TIA

Rob


(Nigel) #7

Interesting question - I would say that if you have handed control off to them completely then they should pay you to make them compliant. If you have a support contract and provide ongoing maintenance or manage the hosting then maybe it's your responsibility. Maybe then offer the basic option for turning off cookies and an updated basic privacy policy.

Most of GDPR covers personal data that is collected by the clients - they should have already updated themselves or be down that route by now.


(Markus Frieauff ) #8

Howdie!
I have been dealing with GDPR (or DSGVO, as it is called in Germany) a lot recently. I maintain websites for approx. 30 clients. Here’s my 3 cents:

  • legally I am not in charge. The client is in charge of his/her website. This is stated in all the imprints/website credits.
  • Yet I feel an obligation to keep my clients informed and help them remain compliant with the law. Esp. since they know absolutely NOTHING about all that.
  • I have researched a lot and sent out an email to all clients with info that is as detailed as necessary and as short as possible. I didn’t go into all details of what needs to be changed, but outlined the rough idea of the regulations and the consequences.
  • I did not make a flat rate offer for the changes, because the sites are all different in size, technology, content, tools being used. However I estimated at least 2 hours for the most simple sites.
    Here’s my list of what I change / check on each site:
  1. transition to https including applying for the required SSL certificate in the name of the client
  2. check all internal links in order not to break https
  3. redirect all http calls to https
  4. double-check the entire transition with “why no padlock”
  5. issue new sitemap to Google and make the changes in the Webmaster tools
  6. install a cookie permission request (the new one made by Will with Stacks4Stacks)
  7. make sure no scripts are running that transmit ip-addresses before the permission is given
  8. update the privacy policy pages using a template from a German lawyer (it needs to include information about which data are collected, for which purpose, for how long, if tracking is used, if and what for cookies are being used, the visitor’s right to request information, correction, deletion, transmission of their personal data, the legal grounds on which the data are collected incl. the relevant authority for claims)
  9. check which libraries or components are called from CDNs and modify them to be called from the local server (includes Google Scripts, Webfonts, Jquery, Font Awesome etc.)
  10. add an explicit and not preselected permission checkbox to each contact form (this is still under discussion among German IT lawyers, but seems to be the safe way) - the checkbox must contain a link to the privacy policy page
  11. make sure the permission checkbox content is contained in the generated email so that my client can save it for proof purposes
  12. collect all required compliance contracts from the relevant service providers (hosting companies, analytics companies, Google etc.) for the client
  13. make sure newsletter application forms only work using double-opt-in (still waiting for a simple way to do that if you’re not using one of the email marketing services and their form elements)
  14. delete all Fb like buttons or replace them with the SHARIFF solution that does not talk to FB before the like button is clicked
  15. propose a dedicated privacy policy text for the client’s Facebook pages, if they have any
  16. propose a link to the privacy policy page for their email signature (since these emails may contain personal data as well)
  17. and finally I always suggest taking a close look at the core business of the clients “offline”. Many of them don’t know how to implement the new rules and I can assist them in most cases.

That is about it. :wink:
Do you do more? less? different things? I’d be really interested to hear.
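Items 10, 11 and 13 of the checklist above describe server-side behaviour that is easy to get subtly wrong: the consent box must be rejected unless the browser actually sent an affirmative value, the consent record must travel with the generated email so the site owner can keep it as proof, and newsletter sign-ups must not be activated until a confirmation link is followed. The following is an added, language-neutral illustration written for this thread; it is not code from RapidWeaver, Stacks4Stacks or any poster. The function names, the `privacy_consent` field name, the policy URL and the HMAC-based double-opt-in token format are all assumptions.

```python
"""Consent-gated contact form handling and double opt-in tokens.

Added illustration for the checklist in this thread (items 10, 11, 13).
Not code from RapidWeaver, Stacks4Stacks or any poster; all names are assumed.
"""
import hashlib
import hmac
import time
from datetime import datetime, timezone

# Constructed sample values; a real site would load these from its config.
PRIVACY_POLICY_URL = "https://example.invalid/privacy"  # placeholder URL
CONSENT_TEXT_VERSION = "2018-05-25-v1"                   # bump when the wording changes
CONSENT_TEXT = (
    "I agree that the data I enter will be used to process my enquiry. "
    f"Privacy policy: {PRIVACY_POLICY_URL}"
)


class ConsentMissing(ValueError):
    """Raised when the form was submitted without the explicit consent tick."""


def validate_consent(form):
    """Accept only an explicit, affirmative tick (item 10).

    The checkbox must be rendered unchecked in the HTML; this function only
    verifies that the browser actually sent the field with an affirmative
    value. Absent, empty, 'off' or '0' all count as no consent.
    """
    value = str(form.get("privacy_consent", "")).strip().lower()
    if value not in {"on", "yes", "1", "true"}:
        raise ConsentMissing("privacy consent checkbox not ticked")
    return True


def build_contact_email(form, now=None):
    """Build the email body the site owner receives, with the consent record (item 11)."""
    validate_consent(form)
    now = now or datetime.now(timezone.utc)
    consent_hash = hashlib.sha256(CONSENT_TEXT.encode()).hexdigest()
    lines = [
        f"Name: {form.get('name', '')}",
        f"Email: {form.get('email', '')}",
        "",
        "Message:",
        form.get("message", ""),
        "",
        "--- Consent record (keep for proof purposes) ---",
        f"Consent text version: {CONSENT_TEXT_VERSION}",
        f"Consent text shown: {CONSENT_TEXT}",
        f"Consent given at: {now.isoformat()}",
        f"Consent text SHA-256: {consent_hash}",
    ]
    return "\n".join(lines)


def make_optin_token(email, secret, issued_at=None):
    """Create a stateless double-opt-in token 'email|issued_at|hmac' (item 13).

    The token is emailed to the subscriber; the address is only activated
    once the token comes back and verifies. No database row is needed.
    """
    issued_at = int(issued_at if issued_at is not None else time.time())
    msg = f"{email.lower()}|{issued_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{msg.decode()}|{sig}"


def verify_optin_token(token, secret, max_age_s=48 * 3600, now=None):
    """Return the confirmed email, or None if the token is forged or expired."""
    try:
        email, issued_at, sig = token.rsplit("|", 2)
        issued_at = int(issued_at)
    except ValueError:
        return None
    msg = f"{email}|{issued_at}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    now = now if now is not None else time.time()
    if now - issued_at > max_age_s:
        return None
    return email


if __name__ == "__main__":
    # Constructed sample submission; the secret would come from config.
    sample = {"name": "A. Visitor", "email": "visitor@example.invalid",
              "message": "Hello", "privacy_consent": "on"}
    print(build_contact_email(sample))
    tok = make_optin_token(sample["email"], b"change-me-secret")
    print("confirmed:", verify_optin_token(tok, b"change-me-secret"))
```

The consent record hashes the exact wording shown to the visitor and carries a version label, so the owner can later prove which text was agreed to even after the policy changes. The opt-in token is rejected on any signature mismatch or after 48 hours, which keeps the form from activating addresses that were entered by someone else.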


(Michael M.) #9

Thanks for sharing the workflow. But no 10 and 11 (and 16) are not necessary. See here (in German): https://www.datenschutz-guru.de/braucht-mein-kontaktformular-jetzt-eine-checkbox/


(Markus Frieauff ) #10

Hi Michael,
Thanks - I’ll answer in German…
I know that article, but here I disagree with the author, whom I otherwise hold in high regard. For a lawyer, I find the argument relies too heavily on “common sense”. The wording of the law is explicitly different, and while you can consider that nonsensical (I agree there), you cannot dismiss it so lightly. At the very least, I would not rely on it.


(Jannis from inStacks Software) #11

Maybe better to remove all contact forms and just provide an email address…


(Michael M.) #12

The safest way: Removing the website…


(Jan Fuellemann) #13

What the heck, just remove this strange Internet-thingie once and for all.


(klaatu) #14

Is this forum GDPR compliant?


(Nigel) #15

No. It’s going to go underground. You’ll need to find via messages left in phone boxes.


(Michael M.) #16

We should move to the darknet! And use the forum only with sun glasses and gas mask


(Dan) #17

Just an FYI: I’m working to make sure everything we do at Realmac is GDPR compliant.

Here’s a document we recently started working on. We hope to outline everything we do/are doing here:
https://help.realmacsoftware.com/support/solutions/articles/36000053137--privacy-policy-gdpr-compliance

It’s a work in-progress, but you can expect to see more details on that page as we dig deeper and work out exactly what is required by GDPR.

I think this is going to be a long process for all parties involved, but ultimately worth it.

Cheers
Dan


#18

Another example of government creating a lot of work that in the end will not benefit anything.

Thank you to Rapidweaver and all the members here who are figuring all this out.


(Gabrielle Vickery) #19

Hi Robbeattie, I think that it’s your responsibility to recommend that they become compliant, and give them your costings to make it happen.


(Gabrielle Vickery) #20

hahaha! That’s funny :slight_smile: