GDPR General Data Protection Regulation
Unless you’ve been ‘off-grid’ somewhere very remote you have probably heard that the General Data Protection Regulation (GDPR) is coming into force across Europe and in the UK, beginning 25 May, 2018.
Here we will outline what that means to our customers, give some basic advice on steps you should take to work towards compliance and explain some of the issues you need to consider as a website owner. As well as covering the basics, we’ve provided detail about your Digital Nomads website and services used, which you will need to review and take account of in your own preparation towards compliance.
Early disclaimer – the following advice is provided in good faith. Digital Nomads Limited is not a law firm and you should seek legal advice from a suitably qualified professional where required.
To summarise, the main points relevant to website owners are:
- Consent. Everyone whose data you collect must consent to you doing so.
- Right to access. Individuals will have the right to access their data and to information on how it’s being processed and used.
- Right to be forgotten. An individual will have the right to have their data erased, and for it to no longer be disseminated.
- Privacy by design. This means that instead of bolting on data privacy, it will have to be incorporated into the design of a system from the outset. It also means you need to think about encrypting devices including computers, laptops, external hard drives and portable USB drives.
- Agreements with third party data controllers. You need to understand who else controls and processes your data and ensure they have appropriate controls in place and meet standards equivalent to those in place in Europe. Services you might use include Dropbox, Mailchimp, Evernote, Google Drive, Google Analytics, Xero etc.
The Information Commissioner’s Office (ICO) is the regulator in the UK and they have stated they will always look to educate, engage and encourage compliance. There are a lot of resources available on their website to help you make a start.
If you don’t comply with the regulations, there are harsh penalties – up to 4% of annual global turnover or €20 million (whichever is greater). However, the ICO have stated they expect to see organisations working ‘towards’ compliance. So you need to make a start, but perhaps not lose sleep if you don’t have everything completed by 25 May.
Quick GDPR Guide
GDPR applies to every company and organisation in the world that processes personal data. If you save a name or an email address, for example, you are processing personal data (this isn’t just about email marketing). Have a look at our 5 minute GDPR guide for more information on how this will affect your organisation and what you can do to get prepared.
About your Digital Nomads website
Is my site compliant?
We are unable to confirm that your own site, organisation or business is compliant. We can give you detailed information about our systems and security and provide technical advice and support, but you will need to make the decision for yourselves on your own compliance.
Where is our data located?
Most of our websites are hosted by Heart Internet at their primary data centre in Leeds (UK). A small number of sites are hosted on the Digital Ocean Cloud infrastructure in a London data centre, managed on the Cloudways WordPress cloud hosting platform (cloud hosting clients will already be aware of the infrastructure being used).
Digital Nomads Limited is a Data Controller and we have Data Processing Agreements in place with our hosting providers, who are Data Processors, in compliance with the obligations required by Article 17 of the Data Protection Directive 95/46/EC.
A small number of sites are hosted by our clients, either directly (e.g. Council and University clients who use their own infrastructure) or via third-party hosting arranged by our clients.
How secure is our data with you?
All personal data, both your own and that of your clients, customers and website users, is supplied to us through controlled processes that are protected by appropriate measures, including encryption.
Access to your data is subject to audits and access logging, and is restricted based on business need.
All staff that have access to your data, or will be collecting data, have been fully trained on respecting customers’ rights, collecting only the data that is needed, adhering to privacy by design, and following other privacy principles.
However, others in the technical space are pointing out that the cookie law is a separate piece of legislation, which is itself currently under review, and it has been suggested that the cookie notice requirement will be withdrawn due to user fatigue. Unfortunately, it seems this isn’t going to be clarified until 2019.
Meanwhile, the existing Privacy and Electronic Communications Regulations (PECR) Act, which requires cookie notices on websites, continues to be in force.
You have three choices here:
- Do nothing and await further clarification
- Implement a basic cookie notice (for an example see our Mobile Apps site)
- Implement a solution that blocks cookies by default and requires explicit consent (as used on this site)
Digital Nomads Limited can help implement cookie solutions and we’d be happy to quote for any additional work required. Whatever you decide, we would recommend you document your decision. For more on cookies read this guide by the ICO.
Contact and enquiry forms
Contact and enquiry forms on websites capture personal data which is often stored in the website database. Digital Nomads mostly use Gravity Forms for this purpose. It’s important to note that GDPR does not prohibit saving of personal data to the database, it just requires that you gain consent before doing so.
The easiest way to comply would be to add a required checkbox to any forms that need to be compliant. Adding a simple checkbox field that states something along the lines of, “I consent to my submitted data being collected and stored” should do the trick.
If made a required field, the form cannot be submitted without the user’s explicit consent and you’ll know that every submission is compliant.
If you need help adding checkboxes or consent statements to your forms please get in touch to discuss your options further.
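The browser-side “required” attribute on a consent checkbox is a convenience, not a control: a submission can still arrive without it. The following is an added illustration, not Gravity Forms or Digital Nomads code, of the server-side half of the check described above: the handler refuses to store anything that lacks the consent flag, and records which consent statement was accepted and when, so each stored submission carries its own evidence of consent. The field names, the consent wording and the version label are assumptions.

```python
"""Server-side consent check for a contact-form submission.

Added illustration, not Gravity Forms or Digital Nomads code: the "required"
attribute on a consent checkbox only acts in the browser, so the server must
refuse to store any submission that arrives without the consent flag, and
should record what the user agreed to and when. Field names, the consent
wording and the version label are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Wording shown beside the checkbox, versioned so a stored record says exactly
# which statement was accepted (hypothetical text and version label).
CONSENT_TEXT = "I consent to my submitted data being collected and stored"
CONSENT_VERSION = "2018-05-v1"


@dataclass
class Submission:
    name: str
    email: str
    message: str
    consent_text: str      # the statement the user ticked
    consent_version: str
    consented_at: str      # ISO 8601 timestamp, UTC


def is_affirmative(value) -> bool:
    """Checkbox values arrive as strings; only an explicit affirmative counts."""
    return str(value).strip().lower() in {"1", "true", "on", "yes"}


def handle_submission(form: dict, now: Optional[datetime] = None) -> Submission:
    """Validate a raw form dict and build the record to store.

    Raises ValueError when consent is missing, so nothing reaches the database
    without it, regardless of what the browser-side form allowed.
    """
    if not is_affirmative(form.get("consent", "")):
        raise ValueError("consent checkbox not ticked; submission rejected")
    email = str(form.get("email", "")).strip()
    if "@" not in email:
        raise ValueError("invalid email address")
    when = (now or datetime.now(timezone.utc)).isoformat()
    return Submission(
        name=str(form.get("name", "")).strip(),
        email=email,
        message=str(form.get("message", "")).strip(),
        consent_text=CONSENT_TEXT,
        consent_version=CONSENT_VERSION,
        consented_at=when,
    )


def store_if_consented(form: dict, db: list, now: Optional[datetime] = None) -> bool:
    """Append to the (constructed, in-memory) store only when validation passes."""
    try:
        db.append(handle_submission(form, now))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample submissions: one with the box ticked, one without.
    store = []
    print(store_if_consented({"name": "Ann", "email": "ann@example.org",
                              "message": "Hello", "consent": "on"}, store))   # True
    print(store_if_consented({"name": "Bob", "email": "bob@example.org",
                              "message": "Hello"}, store))                    # False
    print(len(store))                                                         # 1
```

Storing the consent text and its version alongside the timestamp is what lets you later answer the question raised under mailing lists below: can you evidence exactly what each person agreed to?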
Subscribers & mailing lists
Many of our clients use functionality to enable users to subscribe to receive updates by email when new content is added to their website (news or blog posts). Some use the Mailchimp service to maintain subscriber lists and to send newsletters.
The Subscribe by Email plugin stores subscriber email addresses in the website database. It includes the ability to enable double opt-in for subscribers, which we would recommend you enable. All email notifications to your subscribers include clear unsubscribe links.
Clients using Mailchimp often have sign up forms on their website. The data submitted is also stored within the website database before being transmitted to Mailchimp.
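To show what “double opt-in” actually involves, here is an added illustration (not the Subscribe by Email plugin’s or Mailchimp’s own code). A sign-up only creates a pending entry; the address becomes an active subscriber when the user follows a confirmation link whose token is HMAC-signed over the address and issue time, expires after a day, and can be used once. The unsubscribe handler that every notification link would point at is included. SECRET, TOKEN_TTL and the in-memory store are assumptions made for the example.

```python
"""Double opt-in for an email subscription list.

Added illustration, not the Subscribe by Email plugin's or Mailchimp's own
code: a sign-up only creates a *pending* entry, and the address becomes an
active subscriber when the user follows a confirmation link whose token is
HMAC-signed over the address and issue time and expires after TOKEN_TTL
seconds. SECRET and TOKEN_TTL are assumed values.
"""
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"replace-with-a-long-random-secret"   # assumption; load from config
TOKEN_TTL = 24 * 3600                            # confirmation links last a day


def make_token(email: str, issued_at: int) -> str:
    """Token = base64url(email|issued_at) + "." + hex HMAC-SHA256 over that payload."""
    payload = f"{email}|{issued_at}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed,
    forged (signature mismatch) or older than TOKEN_TTL."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        email, issued = payload.decode().rsplit("|", 1)
        issued_at = int(issued)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now - issued_at > TOKEN_TTL:
        return None
    return email


class SubscriptionStore:
    """In-memory stand-in for the subscriber table (constructed for the example)."""

    def __init__(self):
        self.pending = {}     # email -> sign-up time
        self.confirmed = {}   # email -> confirmation time (evidence of consent)

    def request_subscription(self, email: str, now: Optional[int] = None) -> str:
        """Step 1: record a pending sign-up and return the token to email out."""
        now = int(time.time() if now is None else now)
        addr = email.strip().lower()
        self.pending[addr] = now
        return make_token(addr, now)

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        """Step 2: activate the address only for a valid, unexpired, unused token."""
        now = int(time.time() if now is None else now)
        addr = verify_token(token, now)
        if addr is None or addr not in self.pending:
            return False
        del self.pending[addr]           # one-shot: a token cannot be replayed
        self.confirmed[addr] = now
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self.confirmed

    def unsubscribe(self, email: str) -> bool:
        """Every notification carries an unsubscribe link; this is its handler."""
        return self.confirmed.pop(email.strip().lower(), None) is not None


if __name__ == "__main__":
    store = SubscriptionStore()
    link_token = store.request_subscription("Reader@Example.org", now=1_000)
    print(store.confirm(link_token, now=2_000))                 # True
    print(store.confirm(link_token, now=2_000))                 # False: already used
    print(store.is_subscribed("reader@example.org"))            # True
```

The confirmation timestamp kept in the store is the evidence that the address was added by its owner rather than typed in from a business card, which is the distinction the mailing-list review below turns on.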
An issue of concern here is dealing with the right to be forgotten. Website databases are included in backups (more later) so where that right was exercised, it would be necessary to work through all backups manually and remove the email address concerned. Currently, that would be a very time consuming process. We suggest we deal with that issue if/when it arises (we have logged the issue as one requiring further investigation).
You should include details about your use of Subscribe by email and Mailchimp in your privacy notice.
Mailchimp users should ensure they have a data processing agreement in place with the provider, which you can find here.
Lastly, you will want to review existing mailing and subscriber lists. The GDPR says you must obtain freely given, specific, informed, and unambiguous consent from your contacts. You also must clearly explain how you plan to use their personal data. Can you evidence that all details held were provided explicitly and with clarity about end use?
If not, or if you have manually added email addresses to either list from other sources (e.g. business cards received at networking events, or from online research), or perhaps you have used email addresses of customers purchasing products from your website, then you do not have consent. In such circumstances you are strongly advised to seek consent and to ask your contacts to re-subscribe.
We’re sure, like us, you will have been bombarded with emails from companies asking you to update your marketing preferences over recent weeks. You might need to join the bandwagon.
If you need help with this please get in touch.
Having an effective backup regime for your website is critically important. Digital Nomads Limited provide clients with two options.
Most client sites use the BackupBuddy plugin by iThemes, configured to routinely make backups which are stored in the website hosting account and also sent to a remote data centre for secure storage. This is a widely used solution, allegedly protecting half a million WordPress websites worldwide.
We are in discussion with iThemes to ensure their service is compliant – but as of 15 May, 2018 we have not had assurance and do not currently have a data processing agreement in place.
Our second solution uses the Snapshot premium plugin by WPMU DEV, configured to routinely make backups which are stored in the website hosting account. Clients using this solution are responsible for manually downloading and storing backups within their own infrastructure.
Digital Nomads Limited also hold a single backup copy of every client website, which is saved to a fully encrypted company computer. This is a ‘one off’ backup of last resort, usually made on completion of a website project and not routinely updated.
WordPress & plugins
All of our websites use the WordPress content management system (CMS). New tools have been added to WordPress to help you with personal data export and erasure requests (version 4.9.6, released 18 May, 2018).
Your website will also use plugins to enhance functionality. Examples include online forms, shopping carts, backup and security enhancements, member forums etc. Digital Nomads selects plugins carefully, ensuring they are regularly updated. Wherever possible, premium plugins are used. For further details of the plugins used on your website please get in touch.
Security & IP addresses
All of our websites use a security plugin to enhance and harden site security. Further details are available on request.
Your website’s security configuration will result in IP addresses being stored in the website database on occasion. Digital Nomads consider this is necessary and proportionate for the purposes of ensuring network and information security. We believe you may use “legitimate interest” as the lawful basis for processing this data.
Digital Nomads takes all reasonable measures to ensure your website is designed as securely as possible. However, it is impossible for Digital Nomads, or any other agency, to guarantee protection against hackers or unauthorised parties.
Digital Nomads uses strong passwords to access client websites, servers and control panels. A password generator is used for this purpose and passwords are securely stored using 1Password. The password vault is stored in Dropbox and encrypted with Boxcryptor, a zero-knowledge encryption solution. For more information on 1Password privacy and security please visit this page.
All client websites are set to enforce strong passwords by default, but this can be overridden by administrators from within the WordPress dashboard. We would advise clients to ensure that strong passwords are used.
Invoices & finance
Digital Nomads uses Xero online accounting software to manage invoicing, bank reconciliation and bookkeeping. Document backups are saved in Dropbox and encrypted with Boxcryptor. Xero is configured with two-factor authentication. For more detail on Xero privacy and security please visit this page.
When you contact Digital Nomads for support, by emailing email@example.com, your email(s) and our replies are stored in the Zendesk customer service and engagement platform. For more detail on Zendesk privacy and security please visit this page.