How we implemented the GDPR

A few weeks ago in late May, new data protection laws came into force known as the GDPR. This post outlines how we have prepared for this new regulation and the steps we have taken to make sure that we are compliant.

What is the GDPR?

GDPR is short for “General Data Protection Regulation” and it is Europe’s new regulation over for data protection laws. It replaces previous regulation which dates back to 1995 – almost pre internet.

It outlines new rules for organisations about the lawful basis for collecting personal data as well as new rights for people in terms of being able to request what data and organisation holds on them and their right to be forgotten – to ask an organisation to remove data they hold.

ICO Guide to the General Data Protection Regulation

We carried out a lot of research when implementing the new GDPR regulations and we found lots of useful information from the UK regulators website – the Information Commissioner’s Office. Well worth a read if you want to find out more about the regulations in detail.

View the ICO's guide to the GDPR

What did this mean for Highrise Digital?

Like most organisations, we collect personal data from our customers and others, and it meant that we have to be more transparent about what we collect, who we share it with and how we store this data. It has turned out to be a good thing, although it has taken a while to implement!

Some examples of personal data, which can be used to identify a person includes, but is not limited to, the following:

  • Name
  • Email address
  • IP address
  • Postal address
  • Date of birth

In addition to collecting the information above, when we carry out work for clients, there is a lot of personal data that most organisations collect, particularly those who have websites, that are not as obvious. We identified the following personal data that we collected:

  • Forms on our website such as those used for contacting us, signing up to our services and also for signing up to some of our mailing lists
  • Analytics software we use on our websites in order to try and get a better understanding of how our websites are being used, so that we can improve them in the future.
  • Sharing data with third parties including accounting software, cloud storage, cloud-based email solutions such as Google G Suite and mailing list software
  • Storing personal information about our employees
  • eCommerce transactions handled through our software store

To get ourselves ready for GDPR meant that we had to carry out a few tasks and then come up with a plan to put in place to meet the needs of the GDPR. In this post, we are going to focus on a just a few areas of what we have done in terms of getting ready for the GDPR.

 

Improving our online forms

A big part of collecting personal data for us, was the information that we collect online through various forms on our website.

What forms do we use?

We did a quick audit of the forms and found that we collected information in the following forms on our site:

  • Contact form – this is a general enquiry form where we collect a persons name and email as well as a message
  • Newsletter signup form – we run a quarterly newsletter about WordPress website management which people can sign up to, collecting first and last name as well as the email address.
  • Project start form – this form collects all of the information about a client when we start a project. This includes name, company name and email and address and invoicing details etc.
  • WP Mentorship form – we run a mentorship group, helping other WordPress developers and people signup through our website providing their name, email and why they want to be part of the group.

Improving our forms

One of the elements of the GDPR is being able to have evidence of what data you collected and when and what consent (or other lawful basis) you are using in order to process the data. Therefore to try and meet these needs we did a few things.

  • Used a popular form plugin called Gravity Forms. When a user completes a form, this creates an entry in our database with lots of useful information for this audit trail. This includes the date and time of the entry and also all of the options they selected when filling in the form.
  • Completed some custom coding to store, alongside the form entry, the actual form itself. We did this by saving the form fields themselves as a JSON string in a hidden field. This enables us to understand exactly what the form looked like when a user completed it. This is important of course as we may change the form fields over time and this enables us to see what fields were present when a user completed a form
  • Privacy FAQs – underneath our online forms we provided some simply FAQs in an accordion style display to answer some common questions about what data the form collects and what we do with the data. The aim here was to be completely transparent with customers.
  • Privacy policy – we provided a link to our privacy policy (see below for more information on this) which customers should read and accept. This is marked as a required field so that users must have read and accept the policy in order to submit the form.

I won't lie, getting ready for the GDPR has been difficult and time consuming, however the new regulations are good for people in general and it has been a good opportunity for our business to be more transparent about what we do with data. I hope what we have implemented makes it easier for users to understand what data we collect, how we use and share this data and what their rights are.

Mark Wilkinson, Highrise Digital Co-founder and developer

New terms documents

We created a brand new page on our website which contains links to all our terms including our:

  • General terms and conditions;
  • Privacy policy;
  • Data processing agreement, and;
  • Cookie policy
View our terms

Updating our terms

We already had some terms and conditions, privacy policy and other terms of business and the GDPR provided the perfect opportunity to refresh these and bring them inline with the new regulations.

Based on the new requirements we created four main documents, to help be more transparent with customers and users and outline the main points regarding data and data protection. You can view all our terms documents on our terms page here.

Privacy policy

This document is an important one as it outlines to users;

  • exactly what data we are collecting about them;
  • how we are using this data;
  • who we are sharing the data with;
  • how long we are going to keep that data
  • what we will do if we find we have had a data breach;
  • what your choices, as a user/customer are including your “right to be forgotten” are;
  • what our security procedures and policies are.

Terms and conditions

This document is our general terms and conditions document that applies to pretty much all our customers and people we work with. Although it covers data protection it also looks at a number of others areas in the way we operate and do business that we think it is important for clients to know about.

Data processing agreement

Because we process data on behalf of a data controller (someone who determines the purposes and means of processing personal data), it is important we have a data processing agreement in place. This document contains the following important information:

  • What we (as a data processor) will do to assist you (the data controller) in terms of your responsibilities of the GDPR
  • Personal data processing purposes and details
    • Subject matter of processing
    • Duration of processing
    • The nature and purpose of processing
    • Data subject types
    • Personal data categories
    • Security measures
    • Approved sub processor categories

In this document, we are trying to outline how we process the data in accordance with the new regulations.

Cookie policy

As some cookies can collect personal data, this document outlines what types of cookies we use and what your options as a user of our site are. In addition to the cookie policy, we have also included a cookie popup on our site to indicate to users that we are using cookies. This includes a link to our cookie policy.

Version controlled documents

Leading on from earlier in this article, an important part of the audit here is to understand exactly what user and customers have agreed to. As our policy documents are always going to change with time, we needed a way of knowing what a particular document looked like when a user agreed to it.

Version control to the rescue

To solve this problem we turned to a solution that here at Highrise Digital we use everyday when developing WordPress websites. This is called version control and is software that tracks every change to a file.

Version control provides a history of all the changes to a file or document.

This was perfect and we have put all our policy documents under version control. They all live on Github and are served to our website visitors using Github pages. This means any changes to the documents will be live instantly and those changes will be tracked.

As each entry to our online forms is time and date stamped, the version control software allows us to see exactly what that document looked like at that point in time.

Credits

During the course of implementing our GDPR policies and practices we got a lot of help from the following people/organisations, for which we would like to say thank you to:

About the author

Mark is the lead WordPress developer at Highrise Digital. He has been working with WordPress for over 13 years, way back to 2005. He focuses on back-end development, integrating the website build with WordPress so it can be editable.