8 Steps to Make Your Photography Website GDPR Ready
GDPR is almost upon us, and many of you are still in the process of preparing your site for the big changes to data collection taking effect on May 25th 2018. In the following article we are going to outline the steps you can take to GDPR proof your site before the deadline day.
*Note this is not legal advice. This guide offers some steps that can assist you in making your site more GDPR compliant, but for legal wording and to truly protect your business it would be best to seek legal counsel.
This post includes a quick overview of GDPR, and a quick checklist of things you should review to make your website compliant.
What is GDPR
The General Data Protection Regulation (GDPR) is a regulation in EU Law for data protection and privacy for all individuals in the European Union (EU). It also covers details on the export of personal data outside the EU. The GDPR aims to give more control to its citizens and residents over their personal data and to simplify regulations for international businesses operating within the EU. GDPR does not just affect businesses within the EU, but any business that has operations or collects information about EU citizens.
If you operate outside of the EU it would still be good practice to comply with these regulations as global data protection policies are tightening up with recent worldwide scandals such as Facebooks data leak in 2018.
So if you hold information about individuals, suppliers, vendors, employees, past or present, even as a small business, you need to comply with these new terms and conditions. Failure to comply with these terms can lead to legal action or a hefty fine on your business.
It may be the time to invest in some studio management software to start tracking all the information that you’re collecting about clients, as it will make it easier to know what information was collected and when. Check out tools such as 17Hats, Studio Ninja, and Tave.
Clients have the following rights under GDPR, which can be seen in chapter 3 of the GDPR regulations:
– The right to transparency
– The right to be informed about collected information
– The right to access to their specific collected information
– The right to rectify collected information
– The right to request removal of information
– The right to restrict processing
– The right to object to processing
– The right to data portability
– The right to complain to a supervisory authority
– The right to withdraw consent
Lets not all get in a panic. There are several steps that you can take to make sure your website is complying with GDPR before the deadline day on May 25th 2018.
The GDPR Checklist
Here are the things and steps that you should consider in advance for GDPR. Items that are starred are required:
4. Updating Contact Forms
5. Auditing Data *
6. Data Subject Requests *
7. Reviewing your plugins
8. Moving to HTTPS
You should create a cookies policy outlining the following items:
– Give a definition of what cookies are.
– What cookies are deployed on your site. For all cookies that are not required to run your site, you must ask for consent prior to deploying those cookies to your clients’ browser.
– Cookies used by third parties, including information from third party sources such as Google Analytics, Facebook Custom Audiences (Facebook Pixel), mailing services, and client management software.
– How to manage cookie preferences on your site
– License to use the site
– A disclaimer of liability (limiting your site due to errors)
– Any statutory rights
– Acceptable use Policy
Again it would be best to get a template from SEQ Legal or Terms Feed to make sure you cover all the legal jargon required.
4. Update Contact Forms
You will need to update contact forms if you plan to use them for marketing purposes, such as newsletters or email marketing. If someone contacts you via a contact form for the purpose of enquiring about your services you do not need to add a check box. You will however need to remove the users information after 90 days (subject to change) if it is no longer for “legitimate business interest”.
When storing the information, make sure that it tracks the submission dates of the clients form.
Using our Flo forms plugin you can do this very easily on your site. Check out the following tutorial on how to do so:
5. Auditing Data *
You’ll want to review the existing data that you have collected via your website. So review the different types of data that you’ve collected, wether that’s via a contact form, adding users to your newsletter list or other tools where you have information about potential and existing clients.
For contact forms, you should make sure that you have suitable access to the information you have collected and a way to remove it after a certain period of time. This is particularly true for those clients who have not booked, and you do not legally require their information.
For newsletters, did you previously have a double opt-in explicitly asking for consent? If not, it’s time to cleanse your data, and send out a double opt-in to make sure that users are happy being on your newsletter list. Most mailing list services will offer this as standard, reach out to them if you’re unsure on how to do so.
It’s a good time now to review your site and decide on the information you’re collecting, do you really need it all? If you don’t need some of the information you’re collecting, now is a good time to remove any tools that aren’t being used.
Also make sure that all of the data you’re storing is safe and not liable to be leaked or stolen as this is a direct breach of the GDPR regulations. Add some encryption software (on Mac you can use FileVault, it’s built in, when enabled – all files stored in the “home” folder will be encrypted) to your computer and anywhere else you may have data stored.
6. Data subject Requests *
7. Review Site Plugins
If any of your plugins is collecting information about your users, make sure that it gives you the possibility to export / delete / review the information that is collected. If it’s not 100% necessary for your business remove it. Also note that excessive amounts of plugins can slow down your website, so it’s a good time now to review what isn’t needed to operate your business.
8. Move to HTTPS
We also suggest thinking about moving to HTTPS so that all data collected on your site is encrypted and secure. This is also a ranking signal for SEO with Google, so it can actually improve your site’s performance. Just make sure that you enable HTTPS correctly and redirect all the links properly to avoid any errors on your site. If you need assistance with enabling HTTPS on your site, check out our SSL Implementation services.
For more useful resources and guides on preparing yourself for GDPR check out:
– The GDPR Regulation Documentation
– Go through this GDPR checklist
– Check out SEQ Legal or Terms Feed for policy generator templates
Next you’ll want to review, audit and clean any existing data that you have. If you haven’t been given explicit consent for any of the information, or you’re unsure, request consent or remove the information safely.
For full compliance you may want to seek legal advice for your site and business from a legal representative, to make sure you’re completely covered and to avoid any fines due to non-compliance. Whilst it might be a pain now to get your site up and running, in the long run it’s a great benefit that there is now increased security for your own personal data, as well as your customers’.
If there is anything else we’ve missed, just let us know in the comments below!