While we cannot offer advice (we are not insured for that type of activity and don't want to lay ourselves open to future legal claims), here are some personal thoughts on how to at least embrace the spirit of the new legislation while the exact letter of the law becomes clear.
Why bother? Ethically, my personal stance is that from a privacy point of view this legislation is a much needed first step to rein in the incredible amount of sometimes personal data being sent back and forth between websites and companies in our daily lives, for whatever purpose they see fit.
For a web designer like myself it's hard to know what is being shared and where, so what hope is there for someone without a technical background?
With all the services (APIs) that WordPress websites call, it's hard to know where to start. For instance, all of our (Cardiff Web Design's) websites use Google Analytics, which among other things records the browser type and operating system, and records the user's IP address, which identifies the connection (usually the router) the website was accessed from. An IP address can be considered personally identifiable information. (Google Analytics has an IP anonymisation setting; it is worth checking whether it is switched on.)
We may use plugins such as Wordfence for security, which add to the information stored and sent.
We may embed services such as a booking system which stores and sends personal data.
The content management system, such as WordPress, also sends information back and forth; here is a link to what WordPress have done and are doing.
We now have to tell people we are doing this and give them a route to access the information stored on them. If they object to us keeping it, we have to be able to erase it … completely.
Most databases were not designed with that in mind: one person's data is usually spread across several related tables, and simply removing a whole table would break the site for everyone. Erasing one person means deleting every row that refers to them in every table (and in logs and backups too), so existing software may need to change.
We had the previous cookie law, which in my opinion was toothless in the action that could be taken against website owners who didn't want that annoying pop-up appearing on every new visit, and did anyone read it anyway?
So why not take the time to educate ourselves in the process? We could embrace it as a win for freedom instead of begrudgingly complying. We can run with this and help empower people to know just what is out there on them and what they can do to limit it, if they choose to.
This leads to where we can find trusted information to help us. Business is business, and people will try to take advantage of the situation.
Beware of the newly appearing agents charging stupid money for blanket, catch-all privacy policies for business websites. In six months' time, how many of these agents will have disappeared before they get sued for offering bad advice, I wonder?
To make us sit up in our seats: another risk to your business is a fine for non-compliance. I feel at this stage it is important to demonstrate that you have taken steps to implement a procedure, and to document that, for example through emails to people like ourselves. If you can show you are taking this seriously, then if mistakes are made they are at least through oversight rather than intent.
We need to realise what data our website is recording and how, where it is stored, and how we can get at it for a subject access request: how we can provide the data to someone quickly, and erase it completely if they ask. I found this warning helpful on subject access requests.
A potential risk to your business is that the system may be abused by people filing subject access requests knowing the business cannot comply within the time limit, which could incur a heavy fine.
We need to decide how to reduce the amount of data that needs to be kept, and to be able to justify why it was kept in the first place and for how long it is justifiable to keep it.
Here are some links I have found useful in uncovering a way to comply by the new legislation's deadline of 25th May 2018, yes, tomorrow.
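A worked illustration of those three obligations (know what is stored about a person, hand it over on request, erase it completely and be able to show that you did) as an added example in Python over SQLite. This is not code from WordPress, Wordfence or this site: the table names (`subjects`, `bookings`, `access_log`), their columns and every row are constructed for illustration. The point it makes beyond the text is that erasure should be driven by discovering every table that references the person (so a table added later by a new plugin is not silently missed) and then verified by a second query, and that a retention purge is what turns "we only keep it as long as we can justify" into something that actually runs.

```python
"""Subject access export, complete erasure and retention purge over a small
SQLite store. Constructed illustration: table names, columns and rows are
hypothetical and not taken from WordPress, Wordfence or any real site."""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE subjects (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE, created_at TEXT NOT NULL);
CREATE TABLE bookings (   -- e.g. an embedded booking system
    id INTEGER PRIMARY KEY,
    subject_id INTEGER NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
    booked_for TEXT NOT NULL, notes TEXT);
CREATE TABLE access_log ( -- e.g. a security plugin's visitor log; an IP is personal data too
    id INTEGER PRIMARY KEY,
    subject_id INTEGER REFERENCES subjects(id) ON DELETE CASCADE,
    ip TEXT NOT NULL, user_agent TEXT NOT NULL, seen_at TEXT NOT NULL);
"""

def open_db():
    """In-memory database seeded with constructed sample rows (no real people)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled per connection
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO subjects(id, email, created_at) VALUES (?, ?, ?)", [
        (1, "alice@example.com", "2018-01-10T09:00:00Z"),
        (2, "bob@example.com", "2018-03-02T14:30:00Z")])
    conn.executemany("INSERT INTO bookings(subject_id, booked_for, notes) VALUES (?, ?, ?)", [
        (1, "2018-06-01", "window seat"), (1, "2018-07-15", None), (2, "2018-06-20", "vegetarian")])
    conn.executemany("INSERT INTO access_log(subject_id, ip, user_agent, seen_at) VALUES (?, ?, ?, ?)", [
        (1, "203.0.113.7", "Mozilla/5.0", "2018-01-10T09:00:05Z"),
        (1, "203.0.113.7", "Mozilla/5.0", "2018-05-20T18:12:40Z"),
        (2, "198.51.100.23", "curl/7.58", "2017-11-30T08:00:00Z"),
        (None, "192.0.2.55", "Mozilla/5.0", "2017-10-01T00:00:00Z")])
    conn.commit()
    return conn

def tables_referencing(conn, parent):
    """Every (table, column) with a declared foreign key to `parent`, read from the
    schema itself so that a table added later is not left out of exports or erasures."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name != ? "
        "AND name NOT LIKE 'sqlite_%'", (parent,)).fetchall()]
    return [(name, fk["from"]) for name in tables
            for fk in conn.execute(f"PRAGMA foreign_key_list('{name}')") if fk["table"] == parent]

def export_subject(conn, email):
    """Subject access request: everything held about one person, table by table."""
    subject = conn.execute("SELECT * FROM subjects WHERE email = ?", (email,)).fetchone()
    if subject is None:
        return None
    report = {"subjects": [dict(subject)]}
    for table, column in tables_referencing(conn, "subjects"):
        rows = conn.execute(f'SELECT * FROM "{table}" WHERE "{column}" = ?', (subject["id"],))
        report[table] = [dict(r) for r in rows]
    return report

def erase_subject(conn, email):
    """Right to erasure: delete every row about the person in one transaction, then
    re-query to prove nothing is left. Returns {table: rows_deleted}."""
    subject = conn.execute("SELECT id FROM subjects WHERE email = ?", (email,)).fetchone()
    if subject is None:
        return {}
    sid = subject["id"]
    refs = tables_referencing(conn, "subjects")
    deleted = {}
    with conn:  # all or nothing: a half-finished erasure is worse than none
        for table, column in refs:
            deleted[table] = conn.execute(f'DELETE FROM "{table}" WHERE "{column}" = ?', (sid,)).rowcount
        deleted["subjects"] = conn.execute("DELETE FROM subjects WHERE id = ?", (sid,)).rowcount
    # The check, not the intent, is what you can show someone afterwards.
    leftovers = {table: conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{column}" = ?',
                                     (sid,)).fetchone()[0] for table, column in refs}
    leftovers["subjects"] = conn.execute("SELECT COUNT(*) FROM subjects WHERE id = ?", (sid,)).fetchone()[0]
    if any(leftovers.values()):
        raise RuntimeError(f"erasure incomplete: {leftovers}")
    return deleted

def purge_expired_logs(conn, retention_days, now_iso=None):
    """Data minimisation: keep access-log rows only as long as you can justify."""
    now = (datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    cutoff = (now - timedelta(days=retention_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    with conn:
        return conn.execute("DELETE FROM access_log WHERE seen_at < ?", (cutoff,)).rowcount

if __name__ == "__main__":
    db = open_db()
    print(json.dumps(export_subject(db, "alice@example.com"), indent=2))
    print("erased:", erase_subject(db, "alice@example.com"))
    print("expired log rows purged:", purge_expired_logs(db, 90))
```

Two caveats the code makes visible. The discovery in `tables_referencing` only sees tables with a declared foreign key; a plugin that stores an email address in its own table without one has to be added to the list by hand, which is exactly the kind of thing the inventory in the text is for. And nothing here touches backups, server logs outside the database, or the data already sent to third parties such as an analytics provider, so a complete erasure procedure has to cover those separately.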
Elegant Themes: A Quick guide to data protection regulations
At times like this I turn to trusted sources, so I have based my opinion on personal discussion and further reading. I feel it is important to have something in place at first, even if it's not perfect; you can always edit and improve it as your understanding improves.
Here is a nice general overview from Wired, as we like them; the information is clear, with further links to trusted sources (by coincidence their founding editor David Rowan gave a futuristic talk in Cardiff this week at Wales Digital).
At the moment I'm undertaking a piece of work involving mailing lists with a client, and will share what we learn in a future article.
If you want to discuss any of these issues and how they affect you, then please contact us. While we are happy to point you in the right direction, we would advise you to seek your own legal advice.