gdpr guide for agencies, freelancers & website owners · 2021. 3. 11. · with this free e-book...

GDPR Guide for agencies, freelancers & website owners

Virginia Ostfeld, Leefke Kroenke, Johannes Benz & Torben S. Meier, RAIDBOXES

A TIME-SAVING PATH TO GDPR COMPLIANCE



Table of Contents

1. What is GDPR and what does it mean for me?
2. The eight fundamental principles of GDPR
3. Your obligations as a website owner
4. The rights of your customers & visitors
5. What to put on your to-do list
6. To-Dos off your website
7. To-Dos on your WordPress website
8. Critical WordPress plugins on your website and GDPR-compliant alternatives
9. Prohibit illegal connections of social plugins
10. Contact Form 7 & Gravity Forms
11. More technical measures beyond your WordPress plugins
12. Which measures has RAIDBOXES already implemented?
Your GDPR Checklist


With this free e-book we would like to assist agencies, freelancers, website owners and WooCommerce shop operators to get easy access to the most important contents of the EU's upcoming General Data Protection Regulation (EU GDPR). In addition, we will show you some practical case examples such as tracking, email marketing and WordPress plugins. In this guide, you will also find concrete task instructions and a checklist, which will help you to get your business and your WordPress website ready for legal compliance with GDPR right on time.

Disclaimer: This technical white paper does not substitute for legal advice. Within the scope of our business as a WordPress hosting provider we have dealt quite extensively with the applicable laws governing data protection in Germany as well as the upcoming EU regulation GDPR. We are not liable for the completeness, topicality and accuracy of the provided measures and contents.


1. What is GDPR and what does it mean for me?

On May 25, 2018, the EU General Data Protection Regulation (GDPR) becomes applicable in all member states of the European Union. The regulation was adopted by the EU Parliament in April 2016 and entered into force on May 24, 2016. In a few weeks, the two-year transition period ends, which means that from May 25, 2018, noncompliance with its provisions can be fined heavily.

GDPR is not a directive of the European Union, but a regulation. This implies that it is directly binding, and the member states are only allowed to make minor modifications. These modifications are managed by so-called 'opening clauses' that allow room for national provisions in some areas of GDPR. In Germany, for example, the relevant legislation can mainly be found in the new German Federal Data Protection Act (BDSG-new).

GDPR aims at guaranteeing equal protection for personal data in all EU member States by harmonizing data protection. Moreover, GDPR shall regulate free movement of personal data throughout the EU. This aspect shows that GDPR actually considers economic interests. It also accounts for new technologies and strengthens the rights of internet users.

What is personal data? 'Personal data' is legally defined as 'any information relating to an identified or identifiable natural person' (EU GDPR, Art. 4 No. 1).


Examples include:

• name
• address
• email address
• phone number
• date of birth
• bank details
• location data
• IP address
• user behaviour

In this context, you should be aware of the fact that even pseudonymized data is considered personal data. Data is only categorized as non-personal if it is processed fully anonymized, i.e. it cannot lead directly or indirectly to the identification of a natural person.

Many technical measures refer to the usage of IP addresses. One of the crucial legal clarifications GDPR has made is that it expressly names online identifiers such as IP addresses and cookie identifiers as data that can be used to identify a natural person (Recital 30), so you should treat them as personal data.

Which activities fall under data processing?

According to GDPR, processing comprehends collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.


This has the following implications for you as a WordPress user: you process data if ...

• ... you use the WordPress comment function. (In doing so, name, email address, time stamp and IP address are stored in the database.)
• ... users or customers can register on your website.
• ... you use contact forms.
• ... you use analysis or tracking tools.
• ... you use plugins which process data.

Who does GDPR concern?

The General Data Protection Regulation concerns everyone who processes personal data. Since online identification data such as IP addresses and cookies count as personal data according to GDPR, every website owner who processes data of people in the EU is essentially concerned.

GDPR's territorial scope follows the so-called marketplace principle (Art. 3 (2)), which means it applies to you even if your enterprise is not based in the EU, as long as you offer goods or services to people in the EU or monitor their behaviour there. What matters is where your customers or website visitors are, not their citizenship.

What kind of penalties can be imposed? If you do not comply with the requirements of GDPR, you face a fine of up to 10 million Euros or up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. For infringements of the core provisions (such as the basic principles, the conditions for consent or the rights of data subjects), the upper tier applies: up to 20 million Euros or 4 percent of the annual turnover, again whichever is higher.


How can infringements be exposed?

• By active inspections conducted by supervisory authorities
• By customers, employees or competitors who report infringements to the supervisory authorities
• By self-report after an infringement
• By investigative journalists or bloggers who detect breaches and make them public

It is probably very unlikely that you, of all people, will become subject to active inspections by supervisory authorities. However, you should bear in mind that an infringement can be reported by third persons to public authorities. The degree of penalty will take into account a number of criteria, such as the manner in which the infringement became known and the degree of cooperation with the supervisory authorities.

2. The eight fundamental principles of GDPR

Before showing you some concrete case examples for web designers, marketers and website owners, we shall first take a look at the basic principles of GDPR:

Lawfulness

Essentially, this means that you are only allowed to process personal data if the processing is lawful according to GDPR (see 'Prohibition subject to permission' below).


Transparency

Persons affected must be able to retrace the processing of their personal data. This is why it is particularly important to design a privacy policy in an easily understandable manner. GDPR also tightens up information obligations, which will be discussed in a later section.

Prohibition subject to permission

GDPR follows the principle that processing personal data is prohibited unless it is permitted. It identifies six legal bases (Art. 6 (1)), of which at least one needs to be met for the processing to count as lawful:

1. Consent given for one or more specific purposes
2. Processing is necessary for steps prior to entering into a contract or for performing the contract
3. A legal obligation requires the processing
4. Protection of the vital interests of the person affected or of another natural person
5. Processing in the public interest or in the exercise of official authority
6. Legitimate interests pursued by the controller or a third party which justify the data processing. For this point, caution is called for until the first relevant court rulings have been made.

Balancing of interests

A legitimate interest alone (legal or economic) does not suffice to justify processing of personal data, but a given necessity of the processing needs to be assessed. In addition, if you base on the condition of legitimate interest, the interests of the persons affected must not be overridden.


Case example: balancing of interests

Let's say you are a website owner who conducts tracking without consent and bases it on economic interest. It is very likely that the interest of the person affected to remain anonymous will be weighted higher. Therefore, the data processing will be judged as unlawful in this case.

If you base your data processing on a legitimate interest, you should always provide a possibility to objection (e.g. an opt-out). As soon as a person affected makes use of the opt-out, you are no longer allowed to process the data. Your privacy policy needs to provide exact information about how you handle the data.

Purpose limitation

You are only allowed to use the collected data for the initial purpose for which you had sought consent of the person affected. The purpose of processing can only be modified subsequently if it is ‘compatible with the initial purpose’.

Data minimization

You are only allowed to process personal data you actually require. Any data collection beyond your needs is not permitted.

Integrity and confidentiality

You must protect the personal data you process with technical and organizational measures (TOM) from unauthorized processing, destruction, alteration and loss.


Privacy by Design

Privacy by Design means the obligation to include data protection already during the conceptualization of new products or techniques (e.g. hardware or software). This shall prevent unlawful data processing as early as possible.

Privacy by Default

This principle requires all gadgets or online platforms to guarantee the highest level of data protection already in the default settings. It implies, for example, that these gadgets and services need to be pre-set in a way that only the absolutely necessary data for the intended purposes are collected.

3. Your obligations as a website owner

Requesting consent for data processing:

• Consent must be given on a voluntary basis.
• Consent must be given actively. An opt-in selection field must not be pre-filled.
• The person affected must have a right to choose. He must be able to use your service even in case of non-consent.
• Prior to requiring consent, you need to inform the person affected about the purpose of data processing.
• You need to be able to prove the declaration of consent.
• You must notify the person affected about his right to withdraw consent at any time.


It is important for you to respect the fundamental principle of purpose limitation. You are only allowed to use the data for the purpose for which you can prove the declaration of consent. For a different data processing procedure, you need to require another declaration of consent. We will have to wait for the first judicial decisions to see how fragmentedly the courts will judge each individual consent declaration (e.g. whether sending a newsletter and personalizing a newsletter are deemed two separate purposes).

Accountability

On request of the data protection supervisory authority, you must be able to prove that you are working in compliance with GDPR. This means that you need to be able to present documents, e.g. on your processing activities, the issued declarations of consent etc., within a time-limit (e.g. 72 hours) set by the requesting authority.

Information obligation in case of data breach

In case a personal data breach has occurred, you must notify the data protection supervisory authority within 72 hours of becoming aware of it (Art. 33), unless the breach is unlikely to result in a risk to the persons affected. If the breach is likely to result in a high risk to them, you must also inform the persons affected without undue delay (Art. 34).

4. The rights of your customers and website visitors

Right of data accuracy

Personal data must be correct and kept up to date. As the party responsible for the processing, you need to take corresponding measures to erase or correct obsolete data.


Right to data erasure – right to be forgotten

Persons affected can withdraw their consent to data processing at any time. If this happens (and no other legal basis for the processing applies), you are obligated to delete the data concerned without undue delay.

Right to data portability

Persons affected can request you to transmit data which they have provided for you (e.g. during registration) to a third party. This is supposed to facilitate a change of suppliers.

Right of access

Persons affected have the right to be informed about:

• Which specific personal data you store and for which purpose
• How you process these data
• Where and how long you store them
• Whether you transmit personal data to third parties

Whenever you receive such a request, you must respond without undue delay and in any event within one month (Art. 12 (3)); the period can be extended by two further months for complex or numerous requests, provided you tell the requester within the first month. This is why you should find quick methods to search your database as soon as possible. Be careful to ensure that the person requesting the information is actually the person the data relates to: a verification of identity needs to take place before you hand out any data, otherwise the access request itself becomes a data leak.


Right to objection

Any user has the right to withdraw consent to data processing at any time, and to object to processing that you base on a legitimate interest (Art. 21).

5. What to put on your to-do list

Unfortunately, GDPR calls for some action on your side which cannot be avoided. To assist you, we have put together the most important tasks and resources, so you can work along a to-do list in a fast and structured manner. As mentioned in the disclaimer in the beginning, we are not liable for accuracy and completeness. Nevertheless, you can achieve at least a decent or even good standard with our list and in any case, it makes you significantly less vulnerable. Implementing the issued points here already demonstrate that you take data protection seriously, which will make a favourable impact in any inspection.

Prioritization of To-Dos

Since the list comprises a whole array of measures, part of them very extensive, it is key to prioritize first. To keep it organized, we have sorted the measures within categories in descending order of importance. The most important first. While this sorting represents our subjective view, it should help you during implementation.

In general, you should ask yourself the following questions during prioritizing and implementation (also sorted by importance):

• Where do I have personal data and are these well protected?
• Whenever I process personal data, does it happen with the consent of the persons affected and am I acting transparently concerning the purpose?


• Where do I expose obvious deficiencies, which could disturb or bother persons affected, such as a missing data privacy policy?

• To which extent are personal data processed and to which intensity could a person affected feel violated in his rights?

• Am I able to present a documentation about my data processing upon request?

It should be considered that anything, which is reviewable directly from outside and without any further effort, is likely to be targeted in the first place. In any case, make sure you have a data privacy policy which is compliant with data protection laws and that your imprint is complete.

6. To-Dos off your website

Provide your data with a minimum level of protection

Amid all documentation obligations, you should not forget one thing: The aim is to advance data protection and give users back their data sovereignty. In the end, nothing was gained if an extensive documentation is made available, but data is handled negligently.

The most crucial point, which we keep emphasizing at RAIDBOXES by the way, are secure passwords. This applies for every application which uses customer data. Currently, the most frequent reason for malware incidents at our customers are way too easy passwords! They are so simple in these cases that programs are able to guess them automatically.


For this reason, we have made secure passwords a technical obligation for creating a new WordPress website. A password should contain at least 7 characters and include special characters, numbers, lowercase and uppercase characters (longer is better: length does more against automated guessing than special characters do). Of course, we are also not able to memorize hundreds of passwords, which is why we use a password manager, specifically 1Password. Password managers integrate with the operating system and browser and can auto-fill the secure passwords according to the situation. Further possible measures are an encrypted hard drive, the separation of private and business data and anti-virus software.

Publish an (adjusted) data privacy policy

If your website is not of a purely private nature (e.g. only contains pictures of friends and relatives), you need a data privacy policy, which ought to be easily comprehensible. As soon as you process personal data (e.g. IP addresses), your website must feature a GDPR-compliant privacy policy. Whether you are using the website commercially or not, is not of concern.

Tip!

There are online tools which can assist you in creating a data privacy policy. Naturally, the makers of these tools assume no liability, which is why you should check on the generated privacy policy personally – or have it checked by a data protection expert or a lawyer, if you want to be entirely sure.


Enter data processing agreements (DPAs) with third-party suppliers

A data processing agreement (DPA) is generally necessary, when third-party suppliers process data of your customers or website visitors on your behalf. With these third-party suppliers (e.g. newsletter providers, web hosting services, visitor tracking tools like Google Analytics etc.) you need to conclude a DPA.

Data processing on behalf comprises the collection, the processing or the use of personal data by a contractor under the instructions of the ordering party. The DPA regulates the data processing between the contractor and the ordering party in a contractual arrangement.

Google, for example, provides an online DPA contract for the usage of Google Analytics. You have to print out this contract, sign both copies and send them to the address of the contracting party in Ireland. In return, Google will also sign these contracts and send one of the versions back to you. Unfortunately, the harsh reality is that you have to conclude a DPA with every supplier who processes your personal data on your behalf.

Attend to sufficient documentation

Apart from minor exceptions, everyone who processes personal data must be able to present a register of processing activities, including a description of the technical and organizational measures (TOMs).


7. To-Dos on your WordPress website

Is WordPress even GDPR-compliant?

Only recently, a GDPR compliance team was formed within the WordPress core project, which promotes WordPress's GDPR compliance. The team has committed to the goal of providing comprehensible data protection guidelines for website owners, guidelines for plugin developers and documentation about the requirements of GDPR. In addition, the team worked on privacy tools (a privacy policy page, and export and erasure of personal data by email address), which were integrated into WordPress core with version 4.9.6 in May 2018.

Looking at WordPress as a whole

An important WordPress core feature, namely the comment function, is currently not yet GDPR-compliant. You can find concrete measures to deal with it under the subsection ‘contact forms’ further below.

Moreover, as a website owner, you should review all your WordPress plugins for GDPR compliance. Most plugin providers have already released information which will help you to adjust the corresponding settings.

GDPR plugins for assistance

Even plugins have already been developed, such as GDPR plugin (20,000+ active installations), that can help you implement GDPR compliance on your WordPress website.

Furthermore, using GDPR Plugin you can also manage data processing of other plugins like Contact Form 7, Gravity Forms, WooCommerce, MailChimp or the Events Manager by integrations. Again, the makers of the plugins assume no liability; it's you as the website owner who is responsible for guaranteeing data protection.

What do shop operators using WooCommerce need to watch out for?

As with all third-party suppliers, the first task is to check whether the WooCommerce plugin processes personal data, and if yes, which specific data is concerned. WooCommerce has already issued a statement concerning GDPR and has emphasized that there is no sample solution for all:

'Each WooCommerce site uses a different set of plugins, has a different flow for shipping, etc., so there isn't a one-size-fits-all approach.'

The WooCommerce post also stresses that it is the duty of each website owner to inform his visitors about the usage of the plugin and the usage of the data. A GDPR-compliant data privacy policy is the Alpha and Omega to do so.

8. Remove critical WordPress plugins on your website and replace them with GDPR-compliant alternatives

Many of the plugins provided by Automattic, the commercial company behind WordPress.com, need a connection to wordpress.com and thus not only have direct access to your data but also receive, for example, the personal IP addresses of your website visitors.

They are the perfect example of the kind of plugins you should act upon prior to May 25, 2018 by substituting them with an alternative which is compliant with the EU GDPR, at least until the plugin developers release a legally compliant plugin version in the future. They are deemed legally compliant if they no longer transmit any personal data, such as IP addresses.

The following Automattic WordPress plugins serve as representative examples and are used in this article for illustration purposes:

• Jetpack (statistics plugin)
• Gravatar (community plugin)
• Akismet (anti-spam plugin)
• VaultPress (backup plugin)
• WP Super Cache (caching plugin)

To keep your website GDPR-safe you can resort to following alternatives which do not transmit personal data of your visitors.

Gather anonymous visitor statistics

Statify instead of Jetpack

Of course, we would also like to know which parts and contents of our website work especially well usability-wise, what people like to read or share, how long visitors stay or how high the bounce rate is. The EU GDPR will tighten up legal regulations. As was already required under previous national data protection acts (e.g. in Germany), you ought to anonymize every visitor of your website entirely, and no personal data is allowed to be transferred to third-party services. This is why we recommend Statify, so that all anonymized data stays on your website and is not passed on to other services.


According to the developers of Statify, the plugin does not process, send or save any personal data such as cookies or IP addresses beyond your website.

Replace WordPress backup plugins with alternative solutions

Integrated WordPress backups instead of VaultPress

For countering the transmittance of personal data to (for instance) US-American servers, and freeing further performance capacities of your website as a positive side effect, we recommend to abstain from particular WordPress backup plugins in the future. A better alternative is using automated WordPress backups provided by your WordPress hosting service, e.g. at RAIDBOXES.

9. Prohibit illegal connections of social plugins, such as the Facebook Like Button, Like Box or Twitter Widgets

Shariff Wrapper instead of e.g. AddToAny Share Buttons

In many cases, social sharing services already process data as soon as your visitors open a page with an active social plugin. Even if a user hasn't shared anything yet, data (at least the visitor's IP address and the page visited) is already transmitted when the provider's script is loaded. These circumstances are largely unknown, yet very critical in the context of GDPR. While researching legally compliant solutions we only came across one single free social plugin which prevents data transfer prior to clicking a share button. At this time, we therefore recommend deleting integrated Twitter Widgets, Facebook Like Buttons or the Like Box, and relying on the Shariff Wrapper plugin for share buttons in posts.


Restrict antispam protection to your own website

Antispam Bee instead of Akismet

Antispam Bee checks comments locally and does not send them to an external service by default, which is why it can be used in a GDPR-compliant manner; only enable its optional features that query external services if you have a legal basis for doing so.

Check your CDN providers and substitute if necessary

Server-side caching instead of foreign CDN

A CDN provider stores a cached version of your site on external servers. This way the website can be delivered faster. But at the same time, it can lead to problems concerning data protection, especially when it comes to entering form data.

If your visitors hail from the German-speaking European region (Germany, Austria, Switzerland), caching fulfils the same function as a CDN. The website is delivered just as fast, if not even faster. At RAIDBOXES, caching is already integrated on the server and the cached data is exclusively stored on German servers in ISO 27001-certified data centres.

In short, you have the following options to obtain a fast web page load in a GDPR-compliant manner:

• Use caching plugins or switch to a German provider with server-side caching.
• Check whether your foreign CDN provider supports the Privacy Shield agreement and sign a DPA with the provider. (Note: the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so since then a DPA alone no longer suffices for transfers to US providers; standard contractual clauses plus a transfer impact assessment are the usual replacement.)
• Use a European CDN provider such as KeyCDN. In this case, you will also have to sign a DPA.


Double-opt-in feature for comments

It should be noted in advance that notifications for follow-up comments to your own comment already imply that data is being transmitted. To prevent possibilities of misinterpretation within the grey zone, use the free plugin Subscribe to Double-Opt-In Comments to let your visitor confirm in advance whether notifications about follow-up comments are truly desired.

Use legally compliant avatars for your blog and comment sections

WP User Avatar instead of Gravatar

Important: To deactivate Gravatar completely in WordPress, you need to adjust following settings in the WordPress admin area under the menu item ‘Settings’.

Go to the submenu ‘Discussions’ and scroll all the way down to the avatar section. Now you can deactivate the selection box ‘Avatar Display – Show Avatars’. Click on Save to apply the settings and delete your website’s cache. Now your website should not communicate with WordPress.com via Gravatar any longer.

Add a Cookie Banner

The case of ‚cookie notifications for the user’ (also called ‘cookie consent’) is actually not a newly introduced regulation by GDPR. In fact, it has already become effective for quite some time now since the EU Cookie Directive in 2009. Now GDPR places cookies under special focus because personal data can be processed thereby. In any case, you should seek for user consent.


The most common way to do so is via a cookie banner. A freemium plugin option which takes care of this function is the GDPR plugin. It should keep you on the safe side initially. Significant changes are not to be expected until the upcoming ePrivacy Regulation (ePV), which at the time of writing was anticipated by the end of 2019 (it was still being negotiated in 2021).

10. Adjust contact form plugins like Contact Form 7 & Gravity Forms

Adjust newsletter and email marketing

In your newsletter forms, the email address should be the only mandatory field; all other data such as first name and surname should be requested optionally.

In case you haven’t done it by now, start using double opt-in immediately. The double-opt-in procedure requires the email receiver to explicitly click on a link in a confirmation mail after the first registration. Only then the person is added to the mailing list.

This ensures that nobody can sign up for a newsletter on your behalf and the registration is actually approved by you. The confirmation mail is not allowed to contain advertisement or any other content.

Add an Acceptance Checkbox in contact forms

According to the General Data Protection Regulation, sending a form presumes the sender's consent. The definition of personal data not only comprises the sender's IP address, but also the email address and the content of the message itself.

An opt-in to confirm prior consent for data storage can be implemented by adding an acceptance checkbox to Contact Form 7 (which ships an acceptance form-tag for this purpose) and by using the freemium plugin WP GDPR Compliance for Gravity Forms. The checkbox must be unticked by default, since a pre-ticked box does not count as consent, and the form should refuse submission until it is ticked.

We are convinced that, in the medium to long term, all popular plugin developers will implement what is necessary to meet the GDPR. Until then, the WP GDPR Compliance plugin will do a good job.

11. More technical measures beyond your WordPress plugins

Implement SSL encryption

Although GDPR does not explicitly mandate SSL/TLS, secure transmission of data to and from your website is simply not possible without an encrypted connection, and Art. 32 GDPR expects appropriate technical measures, naming encryption among them.

Don’t want to set up the certificate yourself? Use, for example, Let’s Encrypt certificates: with the free 1-click installation you can activate a certificate for your WordPress website quickly and easily. Once it is active, redirect all HTTP requests to HTTPS and set the WordPress site address (Settings › General) to https://, so that no form data is ever submitted in the clear.

Create an opt-out for Google Analytics

Once more, we would like to point out in this context that IP addresses in Google Analytics should have been anonymised even prior to the EU GDPR. To guarantee this now at the latest, the widely used Google Analytics snippet should be extended with the following line, placed before the first ga('send', ...) call so that it applies to every hit:

ga('set', 'anonymizeIp', true);

If your JavaScript snippet previously looked like this:


<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('require', 'displayfeatures');
ga('require', 'linkid', 'linkid.js');
ga('send', 'pageview');
</script>

the code will look like this after the addition:

<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('require', 'displayfeatures');
ga('require', 'linkid', 'linkid.js');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');
</script>


Moreover, you should give your website visitors a way, linked from your privacy policy, to exclude themselves entirely from Google Analytics tracking. A free opt-out plugin named Google Analytics Opt-Out is available in the WordPress plugin repository. It sets a cookie which prevents analytics.js from collecting data from that browser. Because the choice lives in a cookie, the opt-out applies only to that browser and is lost when the visitor deletes their cookies.
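How such an opt-out works under the hood, as an added example that is not code from the RAIDBOXES guide or from the Google Analytics Opt-Out plugin: analytics.js drops every hit while the global window['ga-disable-<PROPERTY_ID>'] is true, so the opt-out consists of remembering the visitor’s choice in a cookie and setting that flag on every page load before the tracking snippet runs. The property ID placeholder, the cookie name and the id of the opt-out link in the privacy policy are assumptions; the decision logic is kept in pure functions so it can be exercised with Node.js outside a browser.

```javascript
// Added example, not the guide's or the plugin's code: the analytics.js opt-out
// mechanism. Assumptions (hypothetical): the property ID placeholder, the cookie
// name 'ga-opt-out', and a link with id="ga-opt-out-link" in the privacy policy.
const GA_PROPERTY_ID = 'UA-XXXXXXXX-X'; // replace with your own property ID
const OPT_OUT_COOKIE = 'ga-opt-out';
const TEN_YEARS_MS = 10 * 365 * 24 * 60 * 60 * 1000;

function optOutCookieName(propertyId) {
  return `${OPT_OUT_COOKIE}-${propertyId}`;
}

// The global analytics.js inspects before sending a hit.
function disableFlagName(propertyId) {
  return `ga-disable-${propertyId}`;
}

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

function isOptedOut(cookieHeader, propertyId) {
  return parseCookies(cookieHeader)[optOutCookieName(propertyId)] === 'true';
}

// Cookie string remembering the choice for ten years, scoped to the whole site.
function buildOptOutCookie(propertyId, expires) {
  return `${optOutCookieName(propertyId)}=true; expires=${expires.toUTCString()}; path=/; SameSite=Lax; Secure`;
}

// On every page load: translate the cookie into the flag analytics.js checks.
// 'win' is the page's global object; a plain object works for testing.
function applyOptOut(win, cookieHeader, propertyId) {
  const disabled = isOptedOut(cookieHeader, propertyId);
  win[disableFlagName(propertyId)] = disabled;
  return disabled;
}

// Click handler for the opt-out link: persist the choice and stop tracking
// immediately, without waiting for the next page load.
function optOutNow(win, doc, propertyId, now = Date.now()) {
  doc.cookie = buildOptOutCookie(propertyId, new Date(now + TEN_YEARS_MS));
  win[disableFlagName(propertyId)] = true;
  return true;
}

// Browser wiring. Include this script before the analytics.js snippet so the
// flag is already set when the first pageview hit is sent.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyOptOut(window, document.cookie, GA_PROPERTY_ID);
  const link = document.getElementById('ga-opt-out-link');
  if (link) {
    link.addEventListener('click', (event) => {
      event.preventDefault();
      optOutNow(window, document, GA_PROPERTY_ID);
      link.textContent = 'Google Analytics is now disabled for this browser.';
    });
  }
}
```

The flag is checked per property ID, so a site with several Google Analytics properties needs the opt-out applied to each of them; setting it for one ID leaves the others running.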

Anonymize IP addresses in blog comments

WordPress stores the IP address of every comment author by default. Keeping the full IP address of commenters, however, is not compliant with GDPR’s principle of data minimisation (Art. 5(1)(c)): the address is personal data that is not needed to display the comment.

A small PHP snippet in the functions.php of your active WordPress theme prevents the storage of IP addresses from now on. We recommend using a child theme so the code survives the next theme update. The code to insert is as follows:

// Return an empty string instead of the visitor's IP address when WordPress
// prepares a new comment, so nothing is written to the comment_author_IP column.
function wpb_remove_commentsip( $comment_author_ip ) {
    return '';
}
add_filter( 'pre_comment_user_ip', 'wpb_remove_commentsip' );

Finally, the IP addresses already stored need to be removed retroactively in a one-time manual action: after taking a database backup, empty the comment_author_IP column of the comments table (wp_comments with the default table prefix).
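What “anonymising” an IP address actually removes, as an added example that is not code from the RAIDBOXES guide: the rule Google documents for anonymizeIp (the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero) implemented in Node.js, so you can see what still reaches Google with the setting from the previous section switched on. It goes beyond the guide in one respect: the same rule is applied to the comment IP addresses discussed here as a truncation alternative to dropping them entirely, for sites that want to keep coarse spam statistics. The comment rows at the bottom are constructed sample data whose column name mirrors WordPress’s wp_comments table.

```javascript
// Added example, not code from the RAIDBOXES guide: Google's documented
// anonymizeIp rule (IPv4: last octet zeroed; IPv6: last 80 bits zeroed), plus a
// helper that applies it, or drops the address, on constructed comment rows.

function anonymiseIpv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) return null;
  octets[3] = '0'; // drop the host part, keep the /24
  return octets.join('.');
}

// Expand a textual IPv6 address (at most one "::") into its 8 group values.
// Returns null for anything malformed, including IPv4-mapped forms with dots.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...new Array(missing).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function anonymiseIpv6(ip) {
  const groups = expandIpv6(ip);
  if (!groups) return null;
  // Keep the first 48 bits (three groups); the remaining 80 bits become zero.
  const kept = groups.slice(0, 3).map((g) => g.toString(16));
  // Five trailing zero groups are the longest zero run, so "::" compresses them
  // (RFC 5952); an all-zero prefix collapses to the unspecified address "::".
  return kept.every((g) => g === '0') ? '::' : `${kept.join(':')}::`;
}

// The anonymised address, or null if the input is not a valid IP address.
function anonymiseIp(ip) {
  const s = String(ip).trim();
  return s.includes(':') ? anonymiseIpv6(s) : anonymiseIpv4(s);
}

// Retrofit helper for rows already in the database: 'truncate' applies the rule
// above, 'drop' empties the column (what the pre_comment_user_ip filter does for
// new comments). Unparseable values are always emptied rather than kept.
function scrubCommentRows(rows, mode = 'drop') {
  return rows.map((row) => {
    const anon = mode === 'truncate' ? anonymiseIp(row.comment_author_IP) : null;
    return { ...row, comment_author_IP: anon || '' };
  });
}

// Constructed sample rows, not real data.
const SAMPLE_ROWS = [
  { comment_ID: 1, comment_author_IP: '203.0.113.57' },
  { comment_ID: 2, comment_author_IP: '2001:db8:1234:5678:9abc:def0:1234:5678' },
  { comment_ID: 3, comment_author_IP: 'not-an-ip' },
];

module.exports = { anonymiseIp, anonymiseIpv4, anonymiseIpv6, expandIpv6, scrubCommentRows, SAMPLE_ROWS };
```

Note what survives truncation: a /24 still identifies a small network (a company or a household on many ISPs), and a /48 IPv6 prefix is often a single customer. Truncation reduces identifiability; it does not make the value harmless, which is why the guide’s default of storing nothing remains the safer choice.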


Host Google Fonts locally

Lots of WordPress websites make use of Google’s free fonts (Google Fonts). As soon as a page using Google Fonts is visited, the fonts are loaded from Google’s servers. Since this request transmits data to Google (at least the visitor’s IP address and, via the Referer header, the page being viewed), website owners have reason to worry about the GDPR compliance of Google Fonts.

Even if it might look overly meticulous at first, it becomes understandable at second glance. Similar to the Facebook plugins mentioned above, Google Fonts allow visitors to be tracked across an enormous number of websites, with data transmitted without the user having consented to any of it. Google itself merely refers to its general terms of service without making a specific statement. To avoid data processing by Google, host the fonts on your own web server: download the font files, reference them from your stylesheet with @font-face, and remove every reference to fonts.googleapis.com and fonts.gstatic.com from your theme and plugins.

12. Which measures has RAIDBOXES already implemented?

As a WordPress service provider, we have always taken data protection very seriously, even well before GDPR, which is why we could tick a number of GDPR requirements off our list right away. In general, Germany belongs to the group of countries with a considerably high level of data protection, which is why German businesses have comparatively little to fear from the additional requirements. If you are a freelancer and do not employ any staff, the measures should be relatively easy for you to implement. At the moment we are working at full speed to be entirely compliant with GDPR by May 25, 2018. So far, we have implemented the following measures:


• We have documented all tasks to be carried out, appointed all persons in charge and written an operational time schedule.

• Two of our staff members have undergone special training and obtained certifications as data protection officers. Subsequently, they have trained the entire team in all relevant issues around GDPR.

• Every staff member has signed a separate data protection declaration.

• We have signed data processing agreements (DPA) with all third-party suppliers whose services we draw upon.

• We have created a DPA for our customers to enter into.

• We have documented our technical and organizational measures, which are part of our DPA.

• We have completely rewritten our data privacy policy. The new one informs you thoroughly about all details concerning where and when which particular data is processed.

• Our office doors have been reinforced with security locks.

• All laptops are encrypted and equipped with strong passwords as well as anti-virus protection.

• All above-described measures have been implemented on our website.

• We have made strong passwords a technical obligation for the creation of new WordPress websites.

• We maintain a register listing all data processing activities.

• We are creating a double-opt-in sign-up for new testers.

• We are a member of The German Association for Data Protection and Data Security (GDD), a non-profit organization for practicable and effective data protection.

• Our appointed data privacy officer has participated in regular trainings and is about to obtain an additional qualification in IT law.

• We are developing a security reward program.

• A verification code is sent when we receive a request for information.


Your GDPR Checklist

Review all procedures in which you process personal data and ensure a sufficient level of data protection (processing means: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data).

Apart from minor exceptions, everyone who processes personal data must be able to present a register of processing activities upon request, including a description of the technical and organizational measures (TOMs).

Check whether you need a data protection officer (rough orientation: more than 10 employees; this headcount comes from the German BDSG, whereas Art. 37 GDPR itself looks at the nature and scale of the processing). If you don’t, you should still appoint a person in charge of communication with the data protection supervisory authority.

Sign data processing agreements (DPAs) with third-party suppliers (such as marketing or tracking tools) who process data on your behalf. GDPR (Art. 28(9)) allows these to be concluded in electronic form.

Adjust your data privacy policy to the requirements of GDPR. The most crucial element is to always declare the specific purpose of data processing and to explain how a user can object to data processing. The data privacy policy should be readable and comprehensible to everyone.


Make sure that, in case of an inspection by the authorities or a request by a person affected, you can meet the legal obligation to produce supporting documents as evidence (data protection concept, register of data processing activities, DPAs, declarations of consent etc.)

If you are the owner of a WordPress website, check whether you are currently using plugins which process personal data, and whether these are GDPR-compliant. Many popular plugins have already released information addressing GDPR.

Check whether your imprint (legal notice / Impressum) is complete!


2018 RAIDBOXES

All rights reserved. All parts of this publication may be reproduced, stored on a data processing system or transmitted unrestrictedly without written permission of the publisher. Reproduction may occur in any form or manner, electronically or mechanically, by photocopying, recording or otherwise, for private or commercial purposes.