Sharing My Process for GDPR Compliance

[Header image: frustrated person throwing books]

Big Disclaimer: I am not a legal expert and this is not legal advice; I am simply passing on information I found useful in trying to understand the complexities of the new GDPR law.

I’ve spent countless hours trying to find a simple solution to complying with the new GDPR law coming into place on May 25. After much research, I’ve put a plan in place.

If you’ve done nothing about GDPR compliance, you should. Start here, at the ICO website to learn more.

GDPR is mind-numbingly boring to research and act upon. But on the positive side, laws that make businesses responsible for keeping track of the information they hold can only be a good thing.

Consider election manipulation, and data breaches where consumer information is compromised. These problems won’t go away; hackers just get smarter, and businesses like Facebook will continue using our information as currency.

But we small businesses need to take responsibility too and educate ourselves about best practices for handling individuals’ data in the course of doing business.

Expect Continual Changes

There is a lot of confusing information out there, which is why privacy notice updates will keep landing in your inbox for a long time to come; even big companies are still working out best practices for adhering to the new law.

It will take a while before this process becomes simple and straightforward; eventually, I feel, systems will be in place to make the process easier.

Until then, these are the steps I will be taking to comply with the new law.

Steps already taken:

  1. Read the advice for small businesses from the ICO. I’ve also done a lot of additional research, including keeping up to date with information from the companies I use to conduct business, such as Squarespace and MailChimp. MailChimp in particular has been far ahead of other web-based businesses in offering clear information on the GDPR process.
  2. Took the self-assessment test on the ICO site and found out I needed to register as a data controller for my business (you may not have to; take their assessment test).
  3. Purchased these policies written by privacy information legal professionals to post on my website.*
  4. I created three pages on my website, linked in the footer, to post my policies on: Privacy Notice, Cookies Policy, and Terms & Conditions.
  5. I added a cookie banner that tells visitors about the use of cookies on my website, gives them a link to my Privacy Notice, and includes a button to accept the use of cookies.
  6. I’ve signed data processing agreements (DPAs), or am in the process of obtaining agreements with relevant businesses I use to process information. For me, currently those businesses are: Squarespace, MailChimp, Google (G Suite and Analytics), PayPal, and WaveApps.

    (Note: it’s important to document what information is processed through each of these; for example, my subscribers’ first name, last name, and email address are processed through MailChimp.)
  7. I’ve created a spreadsheet to list companies I use to process the data I collect, and my legal basis for collecting it. In my case, my legal basis for collecting email addresses for my newsletter is consent. For collecting info for payments on my website, the legal basis is to enter into a contract.**
  8. I’ve made sure double opt-in is in place for my MailChimp newsletter form on my website. This means subscribers have to confirm their subscription by clicking a link in an email. But I will be replacing the newsletter form with a subscriber page instead (see below under ‘Steps still to take’).
  9. Added information to my contact forms on my website telling users how I will use their data.***
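A practical point about the cookie banner in item 5: for the Accept button to count as consent, the scripts that set non-essential cookies (analytics, for instance) have to wait for that click. A banner that appears after the analytics tag has already run is notice, not consent. The only cookie a site may set before the click is the first-party preference cookie that remembers the visitor’s choice, because that one is strictly necessary. The following is an added example, not code from the original post, Squarespace, or MailChimp, showing what that gating looks like in plain browser JavaScript. The cookie name `cookie_consent`, the policy version string, the `/privacy-notice` path and the `https://example.invalid/analytics.js` script URL are placeholder assumptions, not values from the post. The example goes slightly beyond the banner described above in two ways: it adds a Decline button, and it stamps the stored choice with a policy version so that a change to the Cookies Policy prompts the visitor again, much like the re-consent email for the mailing list.

```javascript
// Consent-gated cookie banner (added example; not code from the original post,
// Squarespace or MailChimp). The property it demonstrates: the non-essential
// script is created ONLY after an explicit Accept, never on page load without
// stored consent. The only cookie set without consent is the first-party
// preference cookie itself, which is strictly necessary to remember the choice.
// All names and URLs below are assumptions.

const CONSENT_COOKIE = "cookie_consent";                      // assumed cookie name
const POLICY_VERSION = "2018-05";                             // bump when the Cookies Policy changes
const ANALYTICS_SRC = "https://example.invalid/analytics.js"; // placeholder URL
const PRIVACY_NOTICE_PATH = "/privacy-notice";               // assumed page path

// Parse a document.cookie string ("a=1; b=2") into a plain object.
// Malformed percent-encoding is kept raw rather than throwing on page load.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString).split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;                 // no "=": not a name/value pair
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      jar[name] = decodeURIComponent(raw);
    } catch (e) {
      jar[name] = raw;                       // keep the raw value instead of crashing
    }
  }
  return jar;
}

// Has the visitor recorded any choice about the CURRENT policy version?
function hasDecision(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === `accepted:${POLICY_VERSION}` || value === `declined:${POLICY_VERSION}`;
}

// True only for explicit acceptance of the current policy version, so a policy
// change forces re-consent instead of silently reusing an old acceptance.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === `accepted:${POLICY_VERSION}`;
}

// Value to assign to document.cookie when the visitor decides: first-party,
// Secure (so the site must be served over HTTPS), SameSite, six-month lifetime.
function consentCookieValue(decision, maxAgeSeconds = 180 * 24 * 60 * 60) {
  if (decision !== "accepted" && decision !== "declined") {
    throw new Error("decision must be 'accepted' or 'declined'");
  }
  return `${CONSENT_COOKIE}=${decision}:${POLICY_VERSION}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// The ONLY place the analytics <script> tag is created. It is reached from exactly
// two spots: on load when stored consent exists, and from the Accept handler.
function loadNonEssential(doc) {
  if (doc.getElementById("analytics-loader")) return;   // idempotent
  const s = doc.createElement("script");
  s.id = "analytics-loader";
  s.async = true;
  s.src = ANALYTICS_SRC;
  doc.head.appendChild(s);
}

function initCookieBanner(doc) {
  if (hasConsent(doc.cookie)) { loadNonEssential(doc); return; }
  if (hasDecision(doc.cookie)) return;                  // declined: stay silent, load nothing

  const banner = doc.createElement("div");
  banner.id = "cookie-banner";
  banner.setAttribute("role", "dialog");
  banner.append("This website uses cookies. See our ");
  const link = doc.createElement("a");
  link.href = PRIVACY_NOTICE_PATH;
  link.textContent = "Privacy Notice";
  banner.append(link, ". ");

  const decide = (decision) => {
    doc.cookie = consentCookieValue(decision);          // remember the choice
    banner.remove();
    if (decision === "accepted") loadNonEssential(doc); // analytics only after Accept
  };
  for (const decision of ["accepted", "declined"]) {
    const btn = doc.createElement("button");
    btn.type = "button";
    btn.textContent = decision === "accepted" ? "Accept" : "Decline";
    btn.addEventListener("click", () => decide(decision));
    banner.append(btn);
  }
  doc.body.appendChild(banner);
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => initCookieBanner(document));
}
```

To use it, the analytics tag is removed from wherever it normally sits in the page and is created only by `loadNonEssential`, so that nothing in the page can set an analytics cookie ahead of the click. Changing `POLICY_VERSION` makes every returning visitor see the banner again, which is the same idea as sending a re-consent email when the rules change. Because the preference cookie carries the `Secure` attribute, it is only stored on pages served over HTTPS.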

Steps still to take:

  1. To start fresh with my email list data collection, I will be sending out a re-consent email to my list through MailChimp. (There’s conflicting information about whether this is necessary, but MailChimp released a re-consent template allowing us to ask subscribers to update their settings – this is an easy step to take so I am doing it.)
  2. Replace my Squarespace newsletter subscriber form on my website with a new MailChimp GDPR-friendly signup form page. Read more about this MailChimp form here.
  3. Further research into GDPR and the use of social media. Again, lots of confusion on this one.

Notes on Resources

Thank you to those who share their processes and resources.

Not surprisingly, I found the most useful conversations, practical tips, and resources about GDPR through the Squarespace Designer/Developer community – a generous bunch.

* I found the policy package I used via Kerstin Martin’s great blog post about her own GDPR compliance process. It took time to read through the policies, but I didn’t find them difficult to fill in and fit to my requirements. The package I bought was $129.90.

If documents like these feel too challenging or too expensive, there are free or nearly free versions out there, but they don’t offer support. On Miko’s Using My Head blog post about GDPR, she lists this plain-English version that’s only £15 and claims to be ‘GDPR Ready’ – I like how easy and fast it looks to complete.

Whatever you do, don’t cut and paste from another website.

GDPR compliance is specific to each business; in addition, there are numerous plagiarism tools used to find those who copy other people’s copyrighted text. Lastly, it’s just wrong to copy – got that, Melania?!

**See the table Kerstin created in her blog post about obtaining her own DPAs; it will help clarify why you need them and shows the type of info I record in my spreadsheet.

***Miko gives instructions on how to add a data use blurb to Squarespace contact forms. It’s under the section titled ‘How to add a custom message to a form.’

That’s it for now. After months of research and deliberation, my full attention goes back to creative work - yay!

Client Resources

While no one can complete the GDPR compliance process for you, I can show you how to make the following changes to your website and where to find the re-consent template on MailChimp.

Three new videos are available that show how to:

  • Add pages for your policies
  • Add links in your footer to your policies
  • Add a Squarespace cookie banner to tell visitors that your website places cookies
  • Find the re-consent form in MailChimp

After watching the videos, if you still need help making changes to your website, I’m happy to give you a quote to make them for you. You will have to provide me with documents for your policies.

In addition, I can quote to create a cookie banner that runs across the top, along the bottom, or in a box like the one I use, in colours that match your website. I would do this by adding code to your website.

Header photo by Lacie Slezak