The big scary GDPR legislation has been on everyone's lips in the build-up to the 25 May 2018 launch.
Even though it has been known for several years that this was going to happen, it was only when 2018 came round that it really made people aware.
There is a lot of hype about it, and also scaremongering, which doesn't help when you hear that you could be fined up to €20m or 4% of your annual global turnover. And because everyone has been pushing it aside until the last possible moment, panic has set in. Sure, it can be overwhelming.
But if you look at it in its basic form, it's not that confusing.
Which is why I decided to write this post to share my thoughts and also show some transparency of why I'm doing this.
This needs to be said... I am not a lawyer. You are free to read this to learn from my experience and perspectives on how I'm going to handle this new regulation. But you should not use this as legal advice, nor should you use it as a template or benchmark for how you should treat GDPR for your own needs.
Oh, and don't copy my content (and I will know if you did). It's not only annoying, but you will shoot yourself in the foot by lying about what you are doing to be compliant and you could get caught.
You've been told.
Why is GDPR Important?
In a recent newsletter by the Information Commissioner's Office (ICO), who regulates data protection in the UK, they said:
We want you to feel prepared, equipped and excited about the GDPR.
I highly doubt that "exciting" is how everyone feels about it right now. 😕 But if you are looking at GDPR as yet another set of regulations you need to comply with, and you just want to get it over and done with, then you are looking at it the wrong way. The Economist reported this headline: "The world's most valuable resource is no longer oil, but data" (with a very interesting image):
And that says it all. The change in environment and the increasing use of technology mean that more data is around us than ever before, and it has become such a valuable commodity. But because it's everywhere, it also means people can get careless with it, and someone can take advantage of this priceless asset... and not necessarily for the better.
Because data is such a valuable commodity now, companies are under stricter rules to take responsibility for the data they are processing and storing. You only have to look at all the recent news about data breaches, privacy mistrust and careless attitudes towards sensitive data to become more aware that it's happening all the time.
Elizabeth Denham from ICO said:
"...this is about more than legislative box ticking...Accountability is at the centre of all of this: of getting it right today, getting it right in May 2018 and getting it right beyond that."
There are several ways to look at that quote:
- "...this is about more than legislative box ticking..." – this was what most people assumed, in that it's about not forcing people to tick/untick a box, it's a lot more than that
- "...accountability is at the centre of all of this..." – taking responsibility for the data that you are processing, and keeping records of how you are doing that
- "...getting it right today...May 2018...beyond that" – it's an on-going thing. Don't assume that it's a job you do once, and then you can relax. It's an on-going responsibility
Think about the respective individuals who deal with you. When they are corresponding with you in some way, they may be providing information about themselves. And you will be processing it and handling that data.
Why Have I Decided to Write This Post?
It's not something that everyone is doing, but it's not something that should put you off. Sure, you can get ideas and inspiration, and follow the lead. Other times, you either want to do something different, or to stand out from the crowd... or both! With that in mind, there are several reasons why I decided to write this post as well as the relevant pages on this site.
1. Transparency & honesty
Just the quote mentioned above: "accountability is at the centre of all of this". By putting together this post, it is up to me to keep myself accountable for what I'm doing with your data. And the fact that it's in public means that I have made myself accountable to make sure that I'm on top of it. And if you think that's a bad thing, then you need to look at your priorities on how important it is to protect your stakeholders' personal information.
3. Competitive advantage
Who would you rather work with: someone who is not upfront about what they're doing with your data, or someone who does take it seriously? I'm running a business, and I am not ashamed to talk about staying ahead of my competition. That's how a business works. If being GDPR compliant gives me a competitive advantage because I want to tell my audience and clients that I respect the privacy of their individual data, then that's a nice bonus to have.
4. Learn more about the data I collect
Isn't this one of the main purposes of the General Data Protection Regulation? We need to understand what data we are processing, how we are processing it and what we are doing to protect it. As you go through the process of becoming GDPR compliant, you get a better idea of the data you are collecting.
Perhaps it's more than you thought.
Perhaps you had data that you don't need anymore.
Or perhaps you were actually risky with sensitive data.
Whatever it is, being GDPR compliant is an opportunity for you to spring clean and get serious about protecting, and even removing, personal information.
5. Better to be upfront than to hide
After doing my research and even attending an event, it's obvious that you can't hide from it; it's going to happen. So it's better to be upfront about it.
What Have I Done & Will Continue To Do?
Below is what I have done to make sure that I become compliant with GDPR, along with my future plans (and I also mention protecting your WordPress site from hackers too):
- look at what data I currently possess and delete what is not required any more, e.g. Google Search Console or Google Analytics accounts of previous clients
- anonymise personal information where possible, e.g. IP addresses in Google Analytics
- be open about it by writing this post
- revisit online accounts and make sure that they are protected with a password manager and 2-factor authentication
- create a specific 3rd-party page to showcase the list of tools and software that I use which collect data about you, and what we are doing about it together
- update my cookies policy page and provide further details about how you can manage and control cookies
- only use WordPress plugins which are regularly maintained by developers
- continue to use a reputable VPN like NordVPN to protect the data further, especially when using public WiFi
- always update the WordPress core software to ensure that any security loopholes are fixed as quickly as possible
- update the pages above whenever needed, e.g. when using new tools
- keep myself accountable and stay on top of this responsibility
- continue to respect your rights to privacy
- continue to stay on top of my requirements with GDPR
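As an added example (not code from the original post, nor Google's own implementation), here is what "anonymise IP addresses" amounts to in practice. It assumes the rule Google Analytics documents for its IP anonymisation, namely that an IPv4 address loses its last octet and an IPv6 address its last 80 bits, and applies that rule both to single addresses and to constructed web-server log lines, so that the stored record can no longer single out one visitor's device while still showing roughly which network the visit came from:

```javascript
// Added example, not code from the original post or from Google. Assumed behaviour
// (stated in the lead-in): an IPv4 address loses its last octet and an IPv6 address
// loses its last 80 bits, so the stored value identifies a rough network, not a person.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Zero the last octet: 203.0.113.57 -> 203.0.113.0
function anonymiseIPv4(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m || m.slice(1).some(o => Number(o) > 255)) {
    throw new Error(`not a valid IPv4 address: ${ip}`);
  }
  return `${m[1]}.${m[2]}.${m[3]}.0`;
}

// Expand an IPv6 address (including the "::" shorthand) into 8 normalised hex groups.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not a valid IPv6 address: ${ip}`);
  const toGroups = s => (s === '' ? [] : s.split(':'));
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  const missing = 8 - head.length - tail.length;
  // "::" must stand for at least one group; without it, all 8 groups must be present.
  if (halves.length === 2 ? missing < 1 : missing !== 0) {
    throw new Error(`not a valid IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (groups.some(g => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`not a valid IPv6 address: ${ip}`);
  }
  // Normalise: lowercase, leading zeros removed (0DB8 -> db8).
  return groups.map(g => parseInt(g, 16).toString(16));
}

// Keep only the first 48 bits (three groups); the remaining 80 bits are zeroed and
// written with the "::" shorthand.
function anonymiseIPv6(ip) {
  const [g0, g1, g2] = expandIPv6(ip);
  return `${g0}:${g1}:${g2}::`;
}

function anonymiseIP(ip) {
  return ip.includes(':') ? anonymiseIPv6(ip) : anonymiseIPv4(ip);
}

// Scrub every token of a log line that parses as an IP address. Tokens that merely look
// address-like (a time such as 10:00:00, or "HTTP/1.1") fail to parse and are left alone.
function scrubLogLine(line) {
  return line
    .split(' ')
    .map(tok => {
      try {
        return anonymiseIP(tok);
      } catch (e) {
        return tok;
      }
    })
    .join(' ');
}

function scrubLog(lines) {
  return lines.map(scrubLogLine);
}

// Constructed sample log lines (not real traffic; addresses are from documentation ranges).
const SAMPLE_LOG = [
  '203.0.113.57 - - [25/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:00:01 +0000] "GET /contact HTTP/1.1" 200 2048',
];

console.log(scrubLog(SAMPLE_LOG).join('\n'));
```

The point of scrubbing at ingestion time rather than later is that the full address is never written to disk, so there is nothing to delete if someone later exercises their right to erasure. The same truncation can be applied to any other place where visitor addresses are kept, such as contact-form submissions or comment metadata.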
This is what spring cleaning my data felt like...and yes, I was dancing on my chair - Gif by Giphy
What Can You Do Right Now?
As well as the above, I've got a few more pieces of advice:
- follow ICO's step-by-step checklist
- find out what tools, software and plugins you are using, and understand better what they're doing with your and your stakeholders' data
- if you can't find information about the above, contact the makers of those tools. If they are not doing anything about the new regulation, ditch them... seriously. Even if it's more of an effort, find an alternative, because it's not worth it in the long run
- do your research and learn as much as you can about how you are handling data, get educated about online security and respect other people's right to privacy even more
- if possible, get some legal advice, especially if you are handling very sensitive data like medical records or information about children
- be accountable or find someone to be accountable for the on-going process of data processing and handling
- seriously consider using a password manager and 2-factor authentication where possible to strengthen your online security
- and relax...it's not that bad once you get into it. And the sooner you do it, the better
What I've Learnt From Doing This
1. The amount of data I have is an eye-opener, and it made me realise that I need to stay on top of it. But thanks to my (maybe annoying) obsession with online security and privacy, that has helped me to get a massive head start.
2. The more tools you use, the more you need to be aware of what data they take. The recent news about Facebook and what they do with your data has helped to raise more awareness about what data you are sharing online, but you should also look at your own website.
3. It is impossible to stay on top of everything, but it's about trying your best and making the steps that are required to do something about data protection.
4. There are definitely no certifications around yet (at the time of writing):
Reminder, as this ad has interrupted my lunch reading:
- there are NO UK certifications for GDPR yet
- only the ICO can approve accreditations or certifications, and they haven't
- no one is, or can be, "qualified"
- you do not need a certification
- don't piss your money away.
5. There is no one-click option that will make you compliant with GDPR.
6. Do not keep data that you do not need anymore. For example, if someone unsubscribes from a newsletter, you should not keep that email address anymore.
7. By being honest with my contact form checkbox, people trust me more on what I will do with their email.
8. As I said earlier, it can be overwhelming, but it's not that scary if you break it down into bite-sized chunks.
9. There is no one-size-fits-all option. Everyone's case is unique, and you can't copy what someone else is doing. But you can learn from them.
10. It's not a one-off task, but an ongoing one. The more data you collect, the more tools you use and the more visibility your website gets, the more data you will collate, and it's up to you to handle it correctly.
11. It's a learning process. I will definitely not say that I'm doing it the perfect way, nor am I saying that it's a process you should follow. But it is an ongoing journey.
Just so you know, there won't be a GDPR police force going around handing out fines to those who have not done what they're supposed to do from 25 May. But you have to do your own bit. Like I said, I am quite certain that I have not got everything done, and it's not 100% complete. And I'm not sure if it will ever be complete either.
But the most important thing is that you are taking active steps in making sure that you are doing the best you can to comply with this new regulation.
In the long run, you will thank yourself.
And even if they don't say it, so will your audience, visitors, fans, clients, customers, employees, patients, students, pupils, candidates, attendees...you get the idea.