We’ve implemented the General Data Protection Regulation. Here’s how we did it!
The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. We are glad to report that we have completed all the required steps to become GDPR compliant. Our steps to GDPR compliance could also serve as a practical guide* for your own website. Here is what we did to become GDPR compliant:
Implemented checkboxes for opt-in consent in all our forms
We currently have three main forms through which you can reach us for various reasons, and we've implemented an opt-in consent checkbox in each of them:
- Contact form (general, presale or support questions)
- Subscribe form (newsletter)
- Google form (feedback)
The checkboxes are unchecked by default as a GDPR requirement - consent must be explicit, not implied.
Contact Form GDPR consent checkbox.
Subscribe Form GDPR consent checkbox.
Google Form GDPR consent checkbox.
Implemented an explicit contact channel for GDPR requests
Under GDPR, we must honour requests from users concerning their GDPR rights. The easiest way for us was to create a new subject in our contact form: GDPR Requests. In our Privacy Policy we also inform our visitors about their GDPR rights and how to contact us for GDPR requests.
Cookies alert
If you are using WordPress, there are a lot of cookie consent plugins. Our website is generated by Jekyll and we use this script.
Set Google Analytics to automatically delete user and event data after some time
Thankfully, Google Analytics now lets you manage how long your user and event data is held on their servers. We've set data retention to 14 months. After 14 months, user and event data is deleted automatically.
Set other self-hosted platforms or third parties to automatically delete user data after some time
Google Analytics is not the only platform we use that helps us get a better understanding of our customers' needs. We also use Livezilla, a self-hosted platform that collects user data via contact forms, chat, feedback, visitor tracking, etc.
Updated Privacy Policy and Terms & Conditions
I admit this has been the most time-consuming part. We had to combine our old Privacy Policy with the new GDPR requirements. Here’s our final table of contents, maybe it will help you, too:
- Who we are
- Information we collect and how we use it
  - Contact/Ticket submission forms
  - Chat forms
  - Newsletter subscription forms
  - Google forms
  - Affiliate sign-up forms
  - Payment processing forms
  - Website Analytics
- E-Commerce
  - How do we process payments?
  - PCI Compliance
  - Fraud Protection
- External Links
- Third-Party Disclosure
- Breach Notifications
- Your rights
  - Right to information
  - Right to access
  - Right to rectification
  - Right to withdraw consent
  - Right to object
  - Right to object to automated processing
  - Right to be forgotten
  - Right to data portability
  - How can you exercise your rights?
- California Online Privacy Protection Act
- COPPA (Children's Online Privacy Protection Act)
- Changes to this Privacy Policy
- Business Info
You can have a look at our full Privacy Policy here. Our Terms & Conditions have been updated to reflect agreement to our new Privacy Policy.
Newsletter notification
Our subscribers have been notified of the changed Privacy Policy, Terms & Conditions and our GDPR compliance. Sending a GDPR implementation statement is good practice.
Conclusion - here are the main completed tasks for our GDPR implementation
Disclaimer
This article is not intended for use as legal advice for your company in complying with GDPR. Please contact a lawyer for legal advice regarding your business.