As you’re probably aware, the Data Protection law is changing in the UK. The General Data Protection Regulation (GDPR) becomes enforceable on May 25th. As with all businesses, it’s important that we make preparations for this, and also communicate with our clients about it. GDPR touches on many aspect of businesses, including websites – all websites will need updated privacy notices (existing privacy policies are not sufficient). Websites which collect personal information (such as newsletter signups, membership sites or applications) will need additional changes to make it clear to users how their data will be used, and where applicable obtain consent. It is also a requirement that users can obtain a copy of personal information stored about them, and request removal – some websites and applications will need modifying to allow this.
We have always been very aware of the data we have access to as part of client projects. We already have policies and procedures in place to ensure we keep sensitive data securely, and have processes for removing or anonymising it on our development systems. However, we’ve been improving our internal processes and documentation to ensure they meet or exceed the GDPR requirements.
As a team, we have been working hard to make sure we’re up to speed. We’ve also been in touch with some of our peers at other WordPress agencies to “swap notes” and share knowledge.
We have released the first draft of our privacy notice for this website. This is a working document and we will keep updating it. It should give a good idea of the kind of content a privacy notice should contain – but it is important to point out that all businesses and websites are different. We strongly advise having your privacy notice checked by your lawyer.
There are also some GDPR tools coming to WordPress in the next few weeks which will assist site owners with compliance. These will include functionality to make it easier to manage privacy notice pages and tools to assist in deleting or providing users with a copy of their data store in WordPress. We’ve been testing this tools this week, and will be looking to integrate them into client projects soon.
Future work will require a “privacy impact assessment” to be carried out before we proceed; in most cases these will be straightforward.
Although quite a big change to some of our processes initially, we do welcome the new regulations at Delicious Media. The main purpose of GDPR is to put control of personal information back into the hands of the user and this can only be a good thing (if it means we get less marketing emails we haven’t asked for then all the better!).