Your website and GDPR
Please note: There’s a second part to this now which covers cookies too: Final update on GDPR and cookies.
With the 25th May deadline looming, we’ve received a lot of enquiries regarding GDPR recently.
Because our clients are so varied – in terms of both size and business type – we unfortunately can’t pull together a one-size-fits-all guide of what we think you need to know about this stuff. However, we’ve compiled a list of GDPR compliance questions below as a guideline to what we cover at Creatomatic.
A caveat that we have to make is that we’re not GDPR or legal specialists – if you’re in any doubt, we strongly recommend seeking legal advice. The best and most informative source of information and support we’ve found so far has been the FSB (Federation of Small Businesses) which more than justifies our annual membership for this stuff alone.
Are Creatomatic GDPR compliant?
We’re working on ensuring our own compliance for the 25th May deadline. This document is part of our own process to ensure compliance and has been shared in good faith to help our clients meet their own requirements for the GDPR deadline.
Is my website/email/marketing data GDPR compliant?
Unfortunately, there’s no definitive, one-size-fits-all answer to this. It depends as much on what you do with your data as it does on how it’s stored.
Before tackling the intricacies of GDPR, it’s vital to gain a clear understanding of what personal data your organisation collects, stores, uses and/or shares.
We’d suggest that you make a list of all of the places where personal data is collected and/or stored: specifically, what personal data you hold, where it is stored and what you use this personal data for.
It’s quite possible that some of the data you hold is no longer required, and should be responsibly erased from your systems.
In terms of the data which Creatomatic work with, this is likely to cover one or more of the following locations:
- Website – usually via your WordPress dashboard
- Email – usually held via Gmail
- Tracking – usually held in Google Analytics
- Any custom database system we’ve put together
- Email marketing – usually via MailChimp
Where is our website data held?
- All of Creatomatic’s web hosting servers are located in the UK.
- We also maintain second-level backup servers located in the Republic of Ireland.
- Finally, we may store your contact details – names and email addresses – in the US through Mailchimp, for marketing and service announcements.
Are there cookies on my website?
Unless you’ve specifically requested that tracking is disabled, your site will have three cookies from Google Analytics:
- _ga – expires after 2 years
- _gid – expires after 1 day
- _gat – expires immediately
If your site allows users to log in with an account (for memberships, or online sales through WooCommerce) WordPress will set a cookie which stores their credentials (double-hashed, in the case of the password). This expires after two weeks.
If you use custom third-party systems for tracking or communication (i.e. live chat, lead tracking, etc.) these platforms may set separate cookies. You will need to contact each of these third parties to obtain specific cookie information from them.
Every WordPress site we launch has a cookie notification which appears on first load. To check that this is running on your site, you can view the site in a new private/incognito window.
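As an added illustration (not code from the original post), here is a small JavaScript audit that turns the Set-Cookie headers a site sends on first load into the inventory a cookie notice needs: name, category, lifetime in days and the Secure/HttpOnly flags. The sample headers and the reference date are constructed; the Google Analytics names are the three listed above, and the WordPress login cookie is matched on WordPress’s own wordpress_logged_in_ name prefix.

```javascript
// Category rules: the Google Analytics names listed in the post, the WordPress login
// cookie (WordPress names it wordpress_logged_in_<hash>), anything else is third-party.
const RULES = [
  { category: "Google Analytics", test: (n) => ["_ga", "_gid", "_gat"].includes(n) },
  { category: "WordPress login", test: (n) => n.startsWith("wordpress_logged_in_") },
];

function categorise(name) {
  const hit = RULES.find((r) => r.test(name));
  return hit ? hit.category : "other/third-party";
}

// Parse one Set-Cookie header into an inventory row. Lifetime comes from Max-Age
// (which takes precedence) or Expires, measured in days from `now`; a cookie with
// neither attribute is a session cookie and gets lifetimeDays = 0.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const row = { name, category: categorise(name), lifetimeDays: 0, secure: false, httpOnly: false };
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "max-age") maxAge = Number(val);
    else if (key === "expires") expires = Date.parse(val);
    else if (key === "secure") row.secure = true;
    else if (key === "httponly") row.httpOnly = true;
  }
  if (maxAge !== null && !Number.isNaN(maxAge)) row.lifetimeDays = Math.round(maxAge / 86400);
  else if (expires !== null && !Number.isNaN(expires)) row.lifetimeDays = Math.round((expires - now) / 86400000);
  return row;
}

// Build the inventory for a list of headers, then count cookies per category so the
// privacy policy can state what is set and for how long.
function audit(headers, now = Date.now()) {
  const rows = headers.map((h) => parseSetCookie(h, now));
  const perCategory = {};
  for (const r of rows) perCategory[r.category] = (perCategory[r.category] || 0) + 1;
  return { rows, perCategory };
}

// Constructed sample headers, as a browser might receive them on first load of a site.
const SAMPLE_HEADERS = [
  "_ga=GA1.2.111.222; Max-Age=63072000; Path=/; Domain=.example.com",
  "_gid=GA1.2.333.444; Max-Age=86400; Path=/",
  "wordpress_logged_in_abc123=alice|1527206400|token|hmac; Expires=Fri, 25 May 2018 00:00:00 GMT; Path=/; HttpOnly; Secure",
  "chatwidget_session=xyz; Path=/; Secure",
];
```

Calling audit(SAMPLE_HEADERS, Date.parse("Fri, 11 May 2018 00:00:00 GMT")) gives the 2-year, 1-day and two-week lifetimes quoted above, and flags the chat widget cookie as a third-party session cookie to chase up with its vendor.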
What personal data is held on my website?
This varies from client to client. Quite often, enquiry forms will be backed up in WordPress; if you sell products or services online using WooCommerce or WooBookings, customer and order data will be held online.
Under GDPR guidelines, companies are obliged to remove personal details once they have been processed (i.e. when you’ve replied to an enquiry, or shipped an order) – so you are responsible for removing this data once it’s been used.
What do I have to do with email marketing lists?
Anyone on your email marketing list must have expressly opted in to receive your digital marketing correspondence. If not, you need to clean up your mailing lists.
An efficient and effective method of ensuring you’re only emailing people that have specifically confirmed they want to hear from you is to send out a ‘please confirm you want to be on this mailing list’ type email, and remove anyone that doesn’t respond from your databases.
We strongly recommend against sending out mass emails from your own email account, as you’ll almost certainly end up blacklisting yourself! We highly recommend MailChimp for this purpose.
Next, you should ensure that you’re only signing up future mailing list subscribers who themselves expressly wish to be on the list. This means removing the pre-ticked ‘opt-in’ check box on sign-up forms, and ensuring people tick it for themselves to receive these emails.
Again, MailChimp does much of the heavy lifting for you on this front by having two-step confirmation (enter your email to join the mailing list, followed by a ‘please click to confirm you definitely want to be on this list’ email). We can help set MailChimp up on your behalf, design email templates and create campaigns etc. – please give us a shout if you need a hand.
Do I need a Cookie/Privacy Policy on my website?
Yes: you should publish a privacy policy statement on your website. This should be specific to your organisation (i.e. don’t just ‘borrow’ one from another company’s website) and tailored to the way that you handle and process personal data.
There are numerous templates available online to assist with creating your own. Scottish Enterprise does a decent job of showcasing the kind of thing you should be aiming for with theirs – https://www.scottish-enterprise.com/help/privacy
Shopify have a comprehensive, free-to-use Privacy Policy template builder available – https://www.shopify.co.uk/tools/policy-generator
You should include specific information regarding cookies, whether your website uses cookies (both your own and those from third parties) and how they are used – see ‘Are there cookies on my website?’ above.
I run an online shop – is there anything specific I need to know?
Owners of eCommerce websites will typically use one or more popular online payment gateways (e.g. PayPal, Stripe, WorldPay or Sagepay). Again, you need to make sure that your payment gateway provider meets GDPR regulations, and that their privacy policies are checked and referred to within your own website’s privacy policy. If they deal with EU-based customers, they will need to be GDPR compliant.
Other things to consider are how you process orders, which typically have personal data printed on the paperwork. For example, if you print out things like customer orders or picking slips that hold a person’s name, address or contact details, you are creating a data risk.
What about my email compliance?
Creatomatic provide email hosting and services to a number of our clients. As such, you should ensure that all of your email services, including the storage of email from anyone that you correspond with, are securely stored in accordance with the GDPR guidelines.
A common-sense approach to this would ensure that:
- Your email data is stored securely
- You’re using strong passwords to access email
- You run good quality and regularly updated anti-virus software
- You apply good housekeeping to ensure unnecessary emails are deleted.
You should also have a Data Retention policy: a clear statement about how your organisation stores data and the length of time it is held before being erased.
A typical business data retention policy covers a period of two years as data older than this tends to be deemed out of date, though there are exceptions to this rule (notably in health, government and financial industries).
If we’ve set you up with GSuite/Gmail for Business, your email is handled by Google. Their guidelines on GDPR can be found here: https://cloud.google.com/security/gdpr/
Does my website need to have SSL?
Having a Secure Sockets Layer (SSL) certificate in place on your website encrypts the data travelling between a visitor’s browser and your server, including anything entered into the website through form fields (e.g. setting up an account, ordering goods online or signing up to a newsletter). You can tell if your site has SSL because the address will start with https:// rather than http://.
For almost all of our hosting clients, we’ve got you covered on this front – see our post back in September 2017 on the subject.
It’s important to note that whilst having an SSL Certificate in place takes care of the data input part of the process, it doesn’t necessarily cover how that personal data is processed thereafter.
Is my (tracking tool/live chat/etc) GDPR compliant?
Many websites run, host or contain tools, feeds and plugins from third parties – a few examples would include Facebook, Google Analytics, MailChimp, SalesForce, Lead Forensics and so on.
The GDPR regulations refer to these as ‘third party data processors’ – in effect, they are processing the organisation’s data on its behalf.
It is your responsibility as the website owner to ensure that any and all third parties connected to your website meet GDPR regulations and, if they don’t, you should replace them or remove them entirely from your website until they meet the guidelines.
You need to make sure that your processes and policy clearly state which third party data processors you use and where a subject’s data is passed to.
Further reading and resources
Guides
- https://www.fsb.org.uk/resources/are-you-gdpr-ready
- https://www.aubergine262.com/website-gdpr-compliance-practical-checklist/
- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Platform-specific
- Google – https://cloud.google.com/security/compliance/gdpr/
- Google Analytics – https://www.peakdemand.co.uk/blog/the-impact-of-gdpr-on-google-analytics/
- MailChimp – https://blog.mailchimp.com/getting-ready-for-the-gdpr/
- WordPress (non official) – https://www.codeinwp.com/blog/complete-wordpress-gdpr-guide/