This is a quick guide for getting ready for GDPR. It will suggest 7 steps you should follow with a lot of links and information to understand what GDPR is about and how to make your business complain with the law.
When I was thinking on create this post, the first idea was to replicate this post I wrote in Spanish and just create an exact English version here. The Spanish post ended up with more than 6500 words so there is no way I can do that again. Instead, I created this quick guide as summary of that post, including all the links and documentation I collected, which is the most interesting part anyway.
Disclaimer (of course).
The things you need to do (this is the order I suggest, so you do not start with the consent ;)):
- Phase 0 – Understand the basics.
- Phase 1 – Audit your company. (in 3 steps)
- Phase 2 – Understand the data subject rights.
- Phase 3 – Legal Base. Consent and security.
- Phase 4 – Create policy documents. Public documentation.
- Phase 5 – Create internal documents.
- Phase 6 – Fix anything you need in your process.
Phase 0 – Understand the basics.
Read the law, at least once. Or read a summary (a long one) or go to a workshop, or a talk (Kim does great ones).
Do an effort to understand what GDPR means for your business and your clients and users, it does not matter if you are hiring a profesional for doing this, you should know what is this about because you are liable for it (and because it matters but people do not think that is important).
GDPR is not a template, a plugin or a tool you can install. This is a live process that you need to incorporate to your organization and review it as often as you need.
This post try to help you to understand what the process is about (and will help me to remember when I need to review it in the future).
You should be able to know what all these words mean:
- GDPR principles.
- Personal Data (with special categories). What are they?
- Processing Data. What is a process?
- Data Subjet, Data Controller and Data Processor. You should be able to identify one from the other.
- Data Subject Rights. You need to know your rights!
- Lawful Basis, Legitimate grounds. Key for everything we are going to do.
- Consent. The thing most people worry and not the most important I am afraid (imho).
- Data sharing, data flow. Yes, you probably share data with a lot of third parties.
- Data breach and risks. What is a data breach and what to do about it.
Once you think you understand this, you can keep going.
1 – Audit your company.
I recommend you do this in 3 phases:
- A- Discover the data you are handling.
- B- List the processes your organization use.
- C- Get the data flow within your company and into third party organisations.
A- Discover the data you are handling
Create a table (1A) and list all data you process. List everything, even offline cards of leads, single emails, offline contracts, etc.
B- List the processes your organization use
Create a table (1B) and list all processes (you should know what a process is, if not go back to phase 0). Even the smallest thing you do with a data, copy, share, edit, delete, backup, etc.
These two are on the same phase because you will fill up both at the same time. Both lists are live documents, and you should be updating them all the time during this GDPR process and also every time something changes on your company.
C- Data flow
I recommend here to create a data flow visual map. Try to create a map that have all the departments on your company (even if you are a 1 man company you have different departments too) and connect them with lines that represent the data (1 colour per data or group of data). Add also all third party organizations and connect with lines them too.
When that is done, create another table (C2), and for each data from the step A, you must be able to know where it goes and who has access to it.
The objetive of this phase it to be able to identify easily where all the personal data goes and who has access to it.
2- The user rights.
The most important thing on this new law is that everything is centered on the user, not on the company. And the key for this is that the subject has now more rights on their data.
You must know these rights, and be prepared so your users can execute them whenever they want to (of course, some of them could be tied to the use of your services, but I do not have time to go into details here).
The rights are:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right not to be subject to automated decision-making including profiling.
Make sure you are able to comply and execute those rights with ALL personal data your organization handle.
3.- Legal Base. Consent and security.
This was the part that I didn´t understand right, and when I did, everything make much more sense.
For processing any personal data (and capturing is processing) you need to have a legal reason. The options you have here are:
- Necessary for compliance with a legal obligation
- Necessary for the performance of a task carried out in the public interest
- Necessary for exercising of official authority vested in the controller
- Necessary to protect the vital interests of a data subject or another person
- For the performance of a contract with the data subject, or to take steps to enter into a contract with them
- For the purposes of legitimate interests pursued by the controller or a 3rd party EXCEPT where such interests are overridden by the interests, rights or freedoms of the data subject
- Consent. Clear, informed and unambiguous affirmative action has been given to indicate the data subject’s consent
Look into the 1-6 legal bases: If you do not have any of those reasons for processing the data, then you need to get consent from the subject.
So consent is not required for everything (no matter how many emails you get about that), you only need consent for things that you cannot cover with the other 6 options.
So I am not going to write more about consent, I am going just to point you to the links at the end of the post, where you can find a lot of good information on how it should be done, and when you need to get the consent again or not.
This is another important thing for GDPR. You need to ensure all your process are secure, that the data transfers are made through secure channels and you must have backups too.
You also need to have a retention policy for the data and for your backups.
In plain english, most people need to do this:
- Make sure you know where your backup are.
- Make sure you know when are they deleted.
- Make sure your website and all our transfer of data is made through SSL (your web should be https and a green padlock should appear on the browser).
4.- Create policy documents. Public documentation.
The best thing you will find about this is the fantastic talk from Heather Burns at WordCamp London 2018.
Go check it, you won´t find a better guide on this.
5.- Create internal documents.
Here you need to write everything down. What you do, how you do it, why you do it and the legal base of the business and personal data we process.
This is an internal document, so it shouldn´t be public, but this is what you will show to the authorities in the case you need to show how you have everything cover.
You will also need a security document, considering the data breach risks, how to prevent them, and what to do if they happen in the future.
Another important internal document is how to execute the rights of the data subjects. This documents will help you to proceed when a data subject require something from you.
6.- Fix anything you need to.
At this point, you have all the information, and you know where your website, app or organization is failing to comply with GDPR. You need to create a plan to fix everything as soon as possible.
These are some of the things you may need to do (they are just examples):
- Maybe you need to decide that some personal data is not worth to keep it as you are not using them at all.
- Is it possible you need to improve the security of your website and computer to reduce risks, as I said before, SSL and backups are important here.
- It is probably that you need to ask for consent for some of the data you are keeping (just for keeping it even if you do not use it).
- You may need to update your forms and any other way you use to get personal data.
- And mostly sure, you will need to inform your users and clients about all the changes.
Links and interesting content about GDPR
These are links and docs that I have been collecting and reading to be able to create this post and to understand the GDPR myself. Not all the information on the links is correct, I mean, some links have some information that is not 100% correct (imho), but all of them have something that will help you to understand the GDPR and how to comply with it.
GDPR OFFICIAL TEXT.
- English: http://eur-lex.europa.eu/legal-content/En/TXT/HTML/?uri=CELEX:32016R0679&from=En
- Spanish: http://eur-lex.europa.eu/legal-content/ES/TXT/HTML/?uri=CELEX:32016R0679&from=ES
Official docs and links:
- ICO (Information Commissioners Office): https://ico.org.uk/
- ICO (Information Commissioners Office) resources: https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/
- AGPD (Agencia de protección de datos española). Spanish equivalent to ICO: https://www.agpd.es/portalwebAGPD/temas/reglamento/index-ides-idphp.php
- Helping tool from AGPD (available in English too): https://www.agpd.es/portalwebAGPD/canalresponsable/inscripcion_ficheros/herramientas_ayuda/index-ides-idphp.php
If you do not have too much time.
- Preparing for the GDPR- 12 steps by ICO: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
- Heather Burns talk. General view (most of what I have written is based on this talk).
Video: 45 minutes https://www.youtube.com/watch?v=hVf_VGjl9Hc
- GDPR quick guide for businesses: https://www.bgateway.com/documents/guides/GDPR.pdf
General information posts.
The person that I trust more on this topic. She has been the inspiration to write this post. I have pasted a talk before, but she has got much more content to share, and everything is public and free to get online. Follow her on twitter: https://twitter.com/webdevlaw
- About Cookies, written in january 2017 (the first post I read about GDPR): https://webdevlaw.uk/2017/01/10/cookie-law-reform-announcement/
- Privacy by Design: https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/
- Link to her blog with content about GDPR: https://webdevlaw.uk/data-protection-gdpr/
- Get to grips with GDPR. https://webdevlaw.uk/data-protection-gdpr/
- Designing for data protection. https://webdevlaw.uk/data-protection-gdpr/
CONSENT and email marketing.
- You may not need to confirm all your email list again: http://www.wired.co.uk/article/pecr-gdpr-emails
- ICO official doc about Consent: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
- Can I still use business emails out of GDPR? https://ico.org.uk/for-organisations/marketing/the-rules-around-business-to-business-marketing-the-gdpr-and-pecr/
- Great guide on Active Campaign: https://www.activecampaign.com/learn/guides/preparing-for-the-gdpr-collecting-consent/
- General post about email marketing: https://litmus.com/blog/gdpr-what-europes-new-privacy-law-means-for-email-marketers
- Consent ux examples: https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent
- Great PDF explaining the GDPR for email marketing and GDPR: http://www.thevirtualmarketeer.co.uk/marketing-tips-downloads/gdpr-sign-up-form/
- Cold EMails: https://blog.convert.com/gdpr-cold-emails-means-outbound-strategy.html
WORDPRESS RELATED LINKS.
- WordPress 4.9.6 privacy tools: https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/
- WordPress tools: https://wordpress.org/news/2018/04/gdpr-compliance-tools-in-wordpress/
- WordPress GDPR guide. https://www.codeinwp.com/blog/complete-wordpress-gdpr-guide/
- GDPR for WordPress developers: https://webdevlaw.uk/wp-content/uploads/2018/03/WP-North-East-GDPR-for-WordPress-developers.pdf
- Spanish articles from AyudaWP blog (Fernando Tellado): https://ayudawp.com/tag/rgpd/
- https://ayudawp.com/rgpd-woocommerce/ (spanish)
Some examples on how some companies are handling this changes. Good and bad examples.
- More about the cookies. How to use Google tag manager to get consent for them: http://www.beaconfire-red.com/epic-stuff/gdpr-cookies-milk
- GDPR for developers and site owners: https://www.thewebguild.org/news/gdpr-essentials-for-web-developers-and-site-owners
- Just a short summary (too short maybe): https://sendgrid.com/blog/the-gdpr-is-coming-how-to-prepare/
- GDPR for business owners: https://www.connected-uk.com/gdpr-for-business-owners-senior-executives/
- About who is a data subject on the GDPR: http://www.davidfroud.com/gdpr-not-just-eu-citizens-or-residents/ and https://insights.hgpresearch.com/gdpr-and-the-expanding-concept-of-citizen
- Google Analytics data retention policy: https://support.google.com/analytics/answer/7667196
- Businesses closing access to EU users because GDPR: https://techcrunch.com/2018/05/05/unroll-me-to-close-to-eu-users-saying-it-cant-comply-with-gdpr/
- Nice small doc. GDPR for Website Owners by Rob Hadingham: https://docs.google.com/document/d/1yZIBox5pCxpS3Rgbkln1KPAhQfdWkwMNkDW-J9rnZUY/edit
- And to finish the list, a little bit of humour-terror , the nightmare letter: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/
I am sure you are a little bit afraid you wont be ready in time. Do not worry I am the same as you. Do not get block because of this.
In fact, as you can see, this website is still not 100% ready to GDPR, I am working on it and this document is part of my work to understand the GDPR.
I will keep updating this post with more links as soon as i find them, so please comeback if you think it was useful.
There are no comments active on this blog ( it is my way to deal with them on some websites) but I am happy to discuss and comment in twitter. So please tweet me if you want to say something!
Thank you for reading. I hope this document will help others to comply and to understand better what GDPR is about.