One of the hot topics at WordCamp London 2018 was, of course, GDPR.
I’ve heard Heather speak before. She knows her stuff, and she is one of the most straight-talking people I’ve heard speak on legal topics.
Most notably, and contrary to other talks I’ve heard, blog posts I’ve read and videos I’ve watched, she didn’t try to put the fear of god into the people in the room.
She made it clear that we shouldn’t underestimate our responsibilities as website owners and creators, but she didn’t do it in the usual way of leading with the HUGE punitive actions we might expect, such as €20,000,000 fines (and let’s be clear: you’d have to have screwed up in a lot of areas, multiple times, for a fine like that to even be a consideration).
So let’s discuss a few points that she covered in her talk.
Traditionally, privacy policies have been hard-to-understand walls of text that are often copied from other websites as a total afterthought to a project (yup, hands up – that was definitely me – and I know you’re nodding along too).
Sometimes they’re bundled in with the “terms” page of a website – because it’s all legal “stuff” and your footer navigation will be out of balance with another link in it, right?
Heather said, quite correctly, that privacy policies are often included to protect the rear end of the company behind the website, and NOT the user of the website. For this reason, she told us that we need to place particular focus on:
- What you say
- How you say it
- How you display it
The first thing I have to say is that any software solution claiming to make you “compliant” is probably not telling the truth.
Taking GDPR as an example, it is a VAST topic, particularly for the layman.
I wish it were otherwise, but a plugin or SaaS solution isn’t going to magic it away: at best it documents the data flows you tell it about, and it can’t see the ones you haven’t.
After watching Heather’s talk, I decided to delve a little deeper into Iubenda* to make sure it’s on par with her points, and I was pleasantly surprised.
The “what you say” section was broken into 2 parts.
The first part (entitled “essential facts”) is applicable to every single website that exists, and this is what, in my opinion, Iubenda* handles well. We’ll see why shortly.
The services you use might differ from mine, so this breakdown is by no means exhaustive.
Referring again to Heather’s slides, these are the things she stated we must include:
- Who you are and how people can contact you
- What personal data you collect
- What categories of data you collect (the ICO has more information on what these categories might be here)
- The consent or legal basis for collecting this data
- Who the data is shared with
- How long you keep the data
- What right to access people have over their data
Who you are and how people can contact you
An easy one to start with.
What personal data you collect
What categories of data you collect
The consent or legal basis for collecting this data
This doesn’t seem to be included yet, but it is the top “hot topic” on the Iubenda* feature suggestion board. With May 25th, the GDPR enforcement date, looming, I hope to see this pushed through.
Who the data is shared with
For third-party services, such as Google Analytics, Iubenda* does a good job of making this transparent.
How long you keep the data
A little vague, and it could certainly be improved, but it’s there.
What right to access people have over their data
A little vague, but I feel it’s sufficient. The language could, however, be improved to make it a little friendlier.
While I have really got on board with GDPR as a concept, and have spent a lot of time researching the topic and discussing it with others, I don’t enjoy spending my time on it. I want to spend my time building stuff.
There are certainly areas for improvement, but for me personally, Iubenda* gets me much closer to where I should be than if I had to write it myself (and update it: Iubenda* occasionally refreshes service policies as and when the services themselves change).
I also hope to see further improvements to it as the GDPR enforcement date gets nearer.
Check them out and see what you think.
Finally, a massive thanks to Heather for the work she does in the community – especially for the non-scaremongering, straight-talking approach.
* Signing up through links with an asterisk will mean I receive a small commission.
There are very few paid-for services/tools that I recommend, but if I do, it's because I use them and they have helped me or my business in some way and I feel might help you too.
The price of the service doesn't change.
If I choose to recommend something, I do so whether they’ve got an affiliate program or not.