GDPR compliance and Scattershot clients

If you’re not sure what GDPR is, I found the video above to be a good overview. You can go a little more in-depth with this article here, which also links out to other resources.

The purpose of this post is to explain how I’ll be implementing GDPR compliance on this and future websites, and to offer the same changes to existing clients as retrofit work on their current sites. It’s worth noting that I am not a legal expert by any stretch of the imagination. The implementation work I’m doing will very much be a work in progress until clearer, standardised guidance on GDPR is available. I’m simply looking to cover all the bases to the best of my knowledge and understanding.

The responsibility for GDPR compliance falls ultimately on the website (and/or business) owner, who is the data controller in GDPR terms. In the case of Scattershot Creative, that’s me. For my clients, that’s them. With that said, because I’m doing this work for myself and because I’m generally a helpful chap, it seems right to offer this out to help past clients. For current and future clients, having a developer with a working knowledge and understanding of GDPR, who can offer guidance and take practical steps to help you implement it on your website, seems like a good thing. Perhaps even a necessary thing.

Privacy policy

Scattershot Creative will be getting a proper privacy policy, separate from its cookie policy. This is something that a great many websites already have, but being on the smaller end of the business scale (and collecting only limited data in very specific circumstances) it’s not something I’d done here before. This page will explain what data this website collects about its users, when it is collected, how it is used and how it is protected. It also covers a number of other topics, such as how I interact with third parties and my email practices.

Having a clear, easy-to-read privacy policy is a central part of GDPR compliance: the regulation puts a heavy emphasis on transparency and consent with regard to what data is collected and how it is used, and it expects that information to be given in plain language. New links to these pages will go in, likely at the bottom of each page of this website just above the footer, to provide easy access to the new privacy policy and the cookie policy at all times.

For my recent clients (websites built in the last 12-18 months) this should be a relatively simple addition to their existing code base. Client websites that fall outside of that timescale may require a more bespoke solution. I’m happy to provide the privacy policy document I’ll be using here as a template and help implement these changes where I can, if requested.

Contact forms

The information I’ve read so far seems a little conflicted when it comes to contact forms in the way I have most often used them for myself and clients. Usually, on completion and submission by a user, the form data is emailed directly to the relevant contact address for that website and is not written to the site’s own database. (Whether that email hop is actually encrypted depends on the mail servers at each end, so “securely” is a property of the hosting and mail set-up rather than of the form itself.) There’s some suggestion that because the data is not being stored by the website there’s no need for the user to consent to its collection, because, in a way, it isn’t collected. That reasoning is shaky: under GDPR, “processing” explicitly includes transmission and disclosure, so emailing the form contents is still processing, and the site owner who decided to collect them remains responsible for that data wherever the message ends up. The email provider is, at most, a processor acting on their behalf.

I’m a keen better-safe-than-sorry kinda guy. So I’m going to add a consent tick box to all my contact forms with words along the lines of “please tick to consent to your data being collected, stored and used in line with the guidelines set out in my privacy policy”. The box needs to start unticked (a pre-ticked box doesn’t count as consent under GDPR), and the server should reject any submission where it isn’t ticked rather than relying on the browser to enforce it. This covers getting consent and lets the privacy policy (which the wording above would link to) do the rest of the heavy lifting.
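As an added example (not code from the original post or from Scattershot Creative), here is a plain-PHP contact-form handler in which the consent tick box is a server-side requirement rather than a browser hint. Everything specific in it is assumed: the field names, the privacy policy URL and version string, and mail() as the delivery path. A WordPress site would pass the same four arguments to wp_mail() instead.

```php
<?php
// Added example, not code from the original post or from Scattershot Creative.
// A minimal contact-form handler in which the consent tick box is a hard,
// server-side requirement. Assumed: a plain PHP back end, the privacy policy
// URL and version below, and mail() as the delivery path. Field names are invented.

declare(strict_types=1);

const POLICY_URL     = 'https://example.com/privacy-policy/'; // assumed
const POLICY_VERSION = '2018-05';                             // assumed; bump when the policy text changes
const MAX_MESSAGE    = 4000;

// The box is rendered unticked (a pre-ticked box is not consent under GDPR).
// `required` is a convenience for the browser; validate_submission() is the real check.
function render_form(): string
{
    $url = htmlspecialchars(POLICY_URL, ENT_QUOTES, 'UTF-8');
    $max = MAX_MESSAGE;
    return <<<HTML
<form method="post" action="/contact">
  <label>Name <input name="name" maxlength="100" required></label>
  <label>Email <input name="email" type="email" required></label>
  <label>Message <textarea name="message" maxlength="{$max}" required></textarea></label>
  <label>
    <input type="checkbox" name="consent" value="yes" required>
    Please tick to consent to your data being collected, stored and used in line with
    the guidelines set out in the <a href="{$url}">privacy policy</a>.
  </label>
  <button type="submit">Send</button>
</form>
HTML;
}

// Validates a submission and, if it passes, returns the fields plus a consent
// record. Consent is recognised only when the exact value "yes" arrives, so a
// missing field, an empty string or "0" all fail.
function validate_submission(array $post): array
{
    $errors  = [];
    $name    = trim(preg_replace('/[\x00-\x1F\x7F]/', '', (string)($post['name'] ?? '')));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if (($post['consent'] ?? '') !== 'yes') {
        $errors[] = 'consent not given';
    }
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name missing or too long';
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, which is what makes the address safe
    // to place in a Reply-To header later (user input in headers is how mail
    // header injection happens).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address invalid';
    }
    if ($message === '' || mb_strlen($message) > MAX_MESSAGE) {
        $errors[] = 'message missing or too long';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    // The policy version is stamped by the server, never read back from the client.
    return [
        'ok'     => true,
        'errors' => [],
        'record' => [
            'name'           => $name,
            'email'          => $email,
            'message'        => $message,
            'consent_time'   => gmdate('Y-m-d\TH:i:s\Z'),
            'policy_version' => POLICY_VERSION,
            'policy_url'     => POLICY_URL,
        ],
    ];
}

// Builds the arguments for mail() (or wp_mail()). The consent record travels in
// the email body, so the site owner has a note of what was agreed to and when,
// even though nothing is kept on the web server.
function build_mail(array $record, string $to): array
{
    $r    = $record;
    $body = "New contact form submission\n\n"
          . "Name:    {$r['name']}\n"
          . "Email:   {$r['email']}\n"
          . "Message:\n{$r['message']}\n\n"
          . "Consent ticked at {$r['consent_time']} under privacy policy version "
          . "{$r['policy_version']} ({$r['policy_url']}).\n";
    $headers = [
        'Reply-To'     => $r['email'],
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return [$to, 'Website contact from ' . $r['name'], $body, $headers];
}

// Constructed sample submissions, for running this file directly with `php`.
if (PHP_SAPI === 'cli') {
    $without = validate_submission(['name' => 'Ada', 'email' => 'ada@example.net', 'message' => 'Hello']);
    $with    = validate_submission(['name' => 'Ada', 'email' => 'ada@example.net', 'message' => 'Hello', 'consent' => 'yes']);
    echo 'without consent: ', $without['ok'] ? 'accepted' : 'rejected (' . implode(', ', $without['errors']) . ')', "\n";
    echo 'with consent:    ', $with['ok'] ? 'accepted' : 'rejected', "\n";
    [, $subject, $body] = build_mail($with['record'], 'hello@example.com');
    echo $subject, "\n", $body;
}
```

Run from the command line the first constructed submission is rejected with “consent not given” and the second is accepted; in a web request you would call validate_submission($_POST) and pass the result of build_mail() to mail() or wp_mail(). Two details carry the weight: the server compares the checkbox value itself instead of trusting the `required` attribute, and the policy version written into the record is the server’s constant, so a visitor cannot submit a claim to have agreed to some other version.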

My present understanding is that even if it turns out I’m not collecting, storing or using data in any way covered by GDPR, it’s better to ask permission than to seek forgiveness later. Users who consent and later request what data I hold on them, only to be told I hold none, have no particular reason to be upset about that. Whereas storing user data without having asked for consent is obviously a big no-no.

Miscellany

Existing clients with online shops (eCommerce) will be hearing from me individually with details of what needs to be done with regards to their particular set up. Going forward I hope to develop enough of an understanding to be able to continue to provide assistance to new clients with their eCommerce needs.

Privacy by design is generating a lot of buzz, and it is written into GDPR as “data protection by design and by default”. I’m not sure how relevant it is in practice to what I do, or indeed to what many of my clients do, but I’ll be keeping an eye on it.

As part of the process, I will be checking any WordPress plugins installed to see what data they collect and where they send it, disabling that collection (or the entire plugin) where it is not vital to the running of the website, or otherwise disclosing it in the privacy policy.

Okay, that’s all for now. I’ll update this post if I remember other things I meant to include or if anything changes to the point of rendering some or all of the above obsolete. If you have a better understanding of any of this and wish to offer corrections, suggestions or additions please do get in touch.