The purpose of this page is to provide an overview of the GDPR (General Data Protection Regulation) together with an action plan for compliance. It has been condensed significantly to keep it readable.
We have focused the content on WordPress sites, the plugins used within those sites, and any applications used by iMarketing customers.
NOTE: This document may highlight some of your company’s further potential requirements, specifically around staff and suppliers; however, we take no responsibility for anything other than WordPress, plugins and applications.
What this document provides:
- A “quick and dirty” overview of GDPR
- Implications and requirements of the regulation specifically relating to your enquiries, customers, website databases, ecommerce stores and online applications (NOTE: not employee or supplier data).
- An overview of the specific steps iMarketing can take to help you comply with GDPR.
It is not a one-stop shop for all actions required by the GDPR.
What is GDPR?
The European General Data Protection Regulation (GDPR) focuses on the core principle of giving citizens and residents more control of their personal data.
The GDPR applies to any business that processes the personal data of individuals in the EU (it protects people located in the EU, not only EU citizens). This includes customer, supplier, partner and employee personal data. If you are a non-EU business that holds data on people in the EU, you are very likely to be liable.
The aim is to provide Individuals with more rights on how businesses use their data, for example:
- Individuals have the ‘right to be forgotten.’
- Individuals can demand you cease processing their personal data.
- Individuals can review their data.
- Individuals can demand reasons why you need the data.
- Individuals are able to request that you rectify or alter their data.
- There is also a requirement to not keep data for excessive periods or longer than necessary.
NOTE – Consent may not be required for pre-existing personal data, provided you have a lawful basis for processing it that is compliant with the current legislation (the Data Protection Act). Consent is only one of the lawful bases; performance of a contract (e.g. fulfilling an order) is another.
- Businesses whose core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale (in other words, processing extensive personal information), or which involve processing large volumes of ‘special category data’, must appoint a Data Protection Officer (DPO). Their role is to ensure the company complies with its obligations under the GDPR. They will also be the contact for any data protection queries.
- The GDPR does not fully define what constitutes ‘large-scale’, but the examples given include the processing of patient data by hospitals, travel data by transport services, and customer data by an insurance company or bank.
- Smaller businesses (those with fewer than 250 staff) are still within GDPR scope. The 250-staff threshold only relaxes the record-keeping obligation; whether you need a DPO depends on the data you hold and how you process it, not on headcount.
Our actions and recommendations are confined to customer and marketing data, NOT employee or supplier data, and certainly not any other parties’ data you may be storing or using.
The areas you need to be aware of are:
Establish whether you need a DPO
A Data Protection Officer (DPO) is required if your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale, or involve processing large volumes of ‘special category data’.
Document your dataset:
Individuals’ data – (What do I have? How do I use it? Is it secure?)
This record will enable you to send a “fair processing” notice (if necessary), which provides individuals with clear information about what you are doing with their personal data.
Use this example Google Doc to help document your dataset.
Data required in your dataset:
- What am I storing? – e.g. name, address, email, bank details, photos, IP addresses, sensitive data (health details or religious views).
- How am I using it? – processing sales/enquiries, sending email campaigns, processing bookings etc.
- Opt in? – Ensure that all data that requires consent (newsletter signups, site registrations, booking enquiries, marketing use of purchase data) has a clear, unambiguous and explicit method for gathering that consent. Note that processing an order itself normally rests on performance of a contract rather than consent; it is the marketing use of that data that needs opt-in.
Ensure, as far as is practically possible, that data is secure; the objective is to be able to show you have “done all you can” in the event of a breach (hacking etc.).
Update all forms
Identify where you gather customer data
- Enable an opt-in function so that all your forms have consent “tick boxes” (unticked by default; pre-ticked boxes do not count as consent).
- Each tick box should include an explanation of WHY the data is necessary (ecommerce, booking, registration forms etc.).
- Create website/application functions that enable data subjects to view, edit and delete their data.
- Create functions to ensure that consent, when given, is recorded in a granular fashion, i.e. each consent action (what was agreed to, when, and via which form) is stored in a database so it can be produced if requested.
Create privacy/data usage/cookie policies
There are several documents that you need on your website; these are linked from the data forms that customers complete.
- Privacy Notice – identifying your customer data usage.
- Ecommerce policies to include refunds and deliveries (not related to GDPR).
Distribute a fair processing notice
NOTE – this may only be necessary if you were not previously complying with the Data Protection Act (DPA).
Distribute a fair processing notice; this provides individuals with clear information about what you are doing with their personal data and should include:
- Usage – why you are processing their personal data (the purpose), including the lawful basis you rely on.
- Movement – who handles and may receive their data (do you use any third-party processors?).
- Duration – how long you intend to retain their data and how they can change it.
- Their rights – notify individuals of their personal data rights whenever you communicate with them.
- Opt out – provide the ability to opt out.
Plan how to service your data requests
There is also a requirement to:
- Provide data subjects with a copy of their data should they request it.
- Provide the ability for data subjects to rectify anything that’s inaccurate.
- Enable opt-out or data deletion (enable data subjects to stop you processing their data).
- Create a process to report serious breaches (e.g. hacking) to the regulator, within 72 hours of becoming aware of the breach at the latest.
All data subject requests carry a deadline of one month from the date of the original request.
You also need to update your Google Analytics
- Enable IP anonymisation (the anonymizeIp setting) in your tracking code, so that Google truncates the final octet of the visitor’s IPv4 address (or the last 80 bits of an IPv6 address) before storing it and the visitor’s detailed location cannot be identified.
- Update the data retention policies and timescales.
- Accept Google’s Data Processing Amendment.
- In some instances you will also have to add your contact details as the data controller (Google acts as your data processor).
Other Potential Areas that you need to be aware of
Some of the other areas that may be required are listed below. These are not included in our website actions outlined later in this document.
- If your records are scattered (miscellaneous spreadsheets etc.) you need to consolidate them and store all this data cleanly. Should there be a breach, the regulator will look unfavourably on poor data management.
- Does your business hold HR records? You need to take advice.
- Do you hold supplier data?
- You should conduct due diligence on your supply chain, ensuring that all suppliers and contractors are GDPR-compliant. This will help you avoid being impacted by their breaches and the consequent penalties.
- We would also suggest you put appropriate contract terms in place with suppliers.
Is your data ‘sensitive’?
Generally, you will need explicit consent from individuals whose special category personal data you want to process. ‘Special categories of personal data’ are defined as:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data, biometric data, data concerning health.
- Data concerning a person’s sex life or sexual orientation.
iMarketing Action Plan
iMarketing can help you towards GDPR compliance by carrying out a number of activities on your site:
Update all forms
- We will add tick boxes and a notice link to each of the relevant forms on your site.
- We will also remove all WordPress commenting functionality where it is not material to the commercial value of the site.
- We will enable data subjects to submit a request for a data download.
Ecommerce sites (WooCommerce)
- We will upgrade your version of WooCommerce (and WordPress core, whose built-in personal data export and erasure tools WooCommerce hooks into) so that you are able to:
- Validate data requests
- Send subjects their data
- Delete their data
Creating privacy/data usage/cookie policies
We will create a number of simple policies that will be tailored for each website, initially our focus will be:
- Privacy Notice – identifying your customer data usage
These policies will be linked from your forms should a data subject require further information.
- We will update the IP anonymisation setting and accept all the Google policies and amendments.
- Where further analytics changes are required (we currently do not believe this is necessary unless you use specialist analytics functions) we will make them.
Email marketing database
It is good practice and a legal requirement to enable email recipients to unsubscribe or to manage their email settings.
To this end, for all customers who are using our email system we will create a “Preference Centre” (this enables email recipients to adjust their settings).
Our activities are:
- Consolidate all your lists into one (if possible).
- Segment the lists so that mailings can still be sent appropriately.
- Add preference segments and create the code to enable customers to manage their preferences.
- Connect all the forms on your site to the email list.
- Ensure that the system records data consent (for those forms requiring consent).
- For ecommerce stores, connect WooCommerce to our email system with appropriate consent levels.
On completion, your customers will be able to adjust their email settings, which will enable you to send targeted emails appropriately and, more to the point, legally.
Distribute a fair processing notice
If you are of the opinion you should send a notice then our strategy is to create a campaign consisting of 3 parts:
- A marketing section – perhaps an offer or something similar. This will be followed by…
- A “your rights” section highlighting the various GDPR rights and this will include a link to your preference centre.
- A link to the policies which will provide your data subjects with clear information about your usage of their data and your policies.
Servicing data requests
We will also create a dedicated page where a data subject can submit their email address to be verified; once verified they will be sent a link (or links) enabling them to view or delete their data, including:
- Any data submitted through the standard forms.
- Any ecommerce or WordPress account data, should they have created an account.
The verification step matters: without it, anyone who knows a customer’s email address could request, or erase, that customer’s data.
One of the elements of GDPR is the ability to show you are “security aware”.
- We are able to encrypt your stored form data so that, SHOULD you have a breach, the data is of far less use to an attacker. Note that this only helps if the encryption key is not stored alongside the data (for example in wp-config.php on the same server); an attacker who takes the whole server takes the key too.
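As an added example, not iMarketing’s code, this minimal WordPress plugin shows how the two pieces described above fit together: each consent action from a form is stored as its own timestamped row (the granular record mentioned under "Update all forms"), and that table is plugged into WordPress core’s own personal data export and erasure tools, which already verify the request by a confirmation email before any data is exported or erased. The form action name gdpr_enquiry, the field names, the table name wp_consent_log and the notice version string are all assumptions for the example.

```php
<?php
/*
Plugin Name: GDPR consent log (added example, not iMarketing's code)
*/

// Assumed: the enquiry form posts to admin-post.php with hidden field
// action=gdpr_enquiry, a wp_nonce_field('gdpr_enquiry'), and fields
// "email" and the checkbox "consent_marketing".

register_activation_hook( __FILE__, 'gdpr_example_install' );
function gdpr_example_install() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    // dbDelta() needs each column on its own line and two spaces before "PRIMARY KEY".
    dbDelta( "CREATE TABLE {$wpdb->prefix}consent_log (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        email varchar(255) NOT NULL,
        form_id varchar(64) NOT NULL,
        purpose varchar(64) NOT NULL,
        consented tinyint(1) NOT NULL,
        notice_version varchar(32) NOT NULL,
        ip varchar(45) NOT NULL,
        created_at datetime NOT NULL,
        PRIMARY KEY  (id),
        KEY email (email)
    ) {$wpdb->get_charset_collate()};" );
}

// 1. Record consent: one row per purpose, with the notice version the
//    visitor actually saw, so it can be produced or withdrawn on its own.
add_action( 'admin_post_nopriv_gdpr_enquiry', 'gdpr_example_handle_form' );
add_action( 'admin_post_gdpr_enquiry', 'gdpr_example_handle_form' );
function gdpr_example_handle_form() {
    check_admin_referer( 'gdpr_enquiry' ); // rejects forged cross-site posts
    global $wpdb;
    $email = sanitize_email( $_POST['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        wp_die( 'A valid email address is required.' );
    }
    $wpdb->insert( $wpdb->prefix . 'consent_log', array(
        'email'          => $email,
        'form_id'        => 'enquiry',
        'purpose'        => 'marketing_email',
        'consented'      => empty( $_POST['consent_marketing'] ) ? 0 : 1, // unticked = no consent
        'notice_version' => '2018-05-privacy-notice',                      // assumed label
        'ip'             => sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
        'created_at'     => current_time( 'mysql', true ),                 // UTC timestamp
    ) );
    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}

// 2. Exporter: Tools > Export Personal Data calls this only after the
//    data subject has confirmed the request from the verification email.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['gdpr-example-consent'] = array(
        'exporter_friendly_name' => 'Form consent records',
        'callback'               => 'gdpr_example_export',
    );
    return $exporters;
} );
function gdpr_example_export( $email_address, $page = 1 ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}consent_log WHERE email = %s", $email_address
    ) );
    $data = array();
    foreach ( $rows as $row ) {
        $data[] = array(
            'group_id'    => 'consent_log',
            'group_label' => 'Consent records',
            'item_id'     => 'consent-' . $row->id,
            'data'        => array(
                array( 'name' => 'Form',           'value' => $row->form_id ),
                array( 'name' => 'Purpose',        'value' => $row->purpose ),
                array( 'name' => 'Consent given',  'value' => $row->consented ? 'yes' : 'no' ),
                array( 'name' => 'Notice version', 'value' => $row->notice_version ),
                array( 'name' => 'Recorded at',    'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $data, 'done' => true );
}

// 3. Eraser: Tools > Erase Personal Data, again only after email confirmation.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['gdpr-example-consent'] = array(
        'eraser_friendly_name' => 'Form consent records',
        'callback'             => 'gdpr_example_erase',
    );
    return $erasers;
} );
function gdpr_example_erase( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'consent_log', array( 'email' => $email_address ) );
    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Two design points worth noting. The exporter and eraser never take the email address from the request themselves; WordPress passes the address it has already verified, which is what stops one person pulling another’s data. And the eraser deletes the consent rows outright; if you need to retain evidence that marketing was stopped after a withdrawal, return items_retained as true with a message explaining why rather than silently keeping the data.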
This document is not an official guide to EU data privacy, nor legal advice for your company to use in complying with EU data privacy laws such as the GDPR. It is meant to help you better understand how iMarketing will be addressing some important legal points. In short, DO NOT rely on this document as legal advice; it is intended to keep you informed and outline what iMarketing is doing on your behalf.