On May 25th 2018, GDPR (the General Data Protection Regulation) went into effect across the EU. Those of us in Europe heard all about this. Some of us were annoyed by all of the privacy statement update emails we were receiving. When it came time to move forward with Project Ungoverned? in June 2018, build our website, launch our podcast, and make preparations for our symposium, we knew we had to be GDPR compliant.
As a comparatively tiny project supported by an EU-based organization and carried out for a fixed term, not a stand-alone business with an IT department, how was our small team (initially two people) going to deal with GDPR? And what exactly would it take for us to comply with GDPR and meet the requirements of our supporter based in Berlin, which is also subject to GDPR?
Here are the 7 steps we went through and the solutions we used and created. As we were starting our work just days after the law went into effect, there wasn’t a lot of guidance available. But we muddled through it and want to share what we learned, hopefully making things easier for others.
(1) Accept you are going to have to deal with GDPR, and it’s just going to take some time
This is critical. There isn’t a way around GDPR. Accept that you are going to need to set aside a good chunk of time – hours to days – to learn what it is, figure out how it could impact your project, and what solutions you can use. In our case, we were surprised at just how much time we needed to spend on GDPR-related issues in the beginning. Frankly, we also spent some unnecessary energy moaning.
While we both had experience of implementing websites in the past, it became clear our quick and easy methods were now outdated. We’d need to make some new technology decisions, develop some new processes, and allocate time just for that.
(2) Learn enough about GDPR to understand it, but not go crazy
Nicole trained as a lawyer. Kim is hyper-analytical. We probably could have spent months looking into this if we didn’t have work to do with a fixed timeline and budget. But we needed at least a basic understanding of GDPR – the General Data Protection Regulation 2016/679 (full, intimidating text here). Briefly put, it’s a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area, with the goal to significantly strengthen the data protection rights of citizens of the European Union. Bottom line: it’s a very, very good thing. We found these resources to be really helpful:
- Brief overview from GoDaddy
- Chris Drucker (founder of Youpreneur.com) with GDPR expert Suzanne Dibble – Video / Interview
- What is GDPR? The Summary Guide to GDPR Compliance in the UK (a good, general overview even for those not in the UK, including a good definition of personal data)
- How to design GDPR Compliant Consent
(3) Figure out how GDPR is going to impact the different aspects of your project
In our case, Project Ungoverned? has four components to it: (1) the back-end (team coordination); (2) a website; (3) a podcast; and (4) our online symposium, all of which would be impacted by GDPR. And we’d need to look at each of these components independently. As our online symposium will not happen until 2019, we’ll address this in a later blog post.
(4) Look at your behind-the-scenes processes (the backend) to see what might be impacted by GDPR
We quickly learned that since this is a European issue, European-based companies had to comply with GDPR and were actively addressing these issues. Therefore, by using European vendors who complied with all GDPR standards and hosted their data in Europe, we’d be making our lives easier. These are the tools we decided to use:
Google – We use Google for a lot of our collaboration. Kim, who is based in Germany, set up a German Google account for the project communications and collaborations, which is hosted in Europe. Google provides several pages of text outlining their GDPR compliance initiatives. And, indeed, the terms for Google in Germany and the US are different. We use a lot of the Google tools – gmail, docs, drive, calendar, analytics (with caveats – see below) – which has two huge advantages: facilitating collaboration (and cutting down on email exchange); and setting permissions so the appropriate team members can access their relevant documents.
Hivebrite – Project Ungoverned? takes place within the Bosch Alumni Network. The Bosch Alumni Network uses a software platform for our alumni communications called Hivebrite, which has made it incredibly easy for us to connect with other people in our closed group, who later became collaborators and contributors to this project. As everyone participating in the platform had agreed to take part and chose which data they wanted to share, any communication within the network was essentially okay. The data are hosted in Amsterdam, Netherlands. (Tip: If you are looking for a platform to connect a large group of people and facilitate the development of a network, it’s certainly worth checking out.)
(5) Examine the different components of your website with regard to GDPR
Hosting – For a variety of reasons, we decided to go with a hosted WordPress site early on, as we knew how to use it and someone on the team could quickly make any changes or updates. It was important for us to find a European-based hosting platform, so all of the data for our website would be hosted on a European-based data platform. As some well-known hosting providers only had servers in the US, we went with GoDaddy to host in Europe, which offers two options – 1) set up a new account, or 2) move an existing account to a European server for a fee (see here for more information). After setting up the hosting on our domain name, we then installed and activated an SSL certificate for the site. (See here for a brief explanation of SSL, which is reflected in the https:// rather than http:// prefix.)
Photographs / Images – As a photographer friend told Kim, GDPR is killing street photography in Germany, as people now yell at photographers to tell them to stop photographing them. GDPR gives people the right not to be photographed, and permission is needed to put their faces on the internet. For our project website, to play it safe, we mostly use images and photographs that are publicly available. When we searched for images to use on our site, we looked for those that were licensed as Creative Commons or allowed commercial use and modifications. We used these sites: Flickr, Search Creative Commons, and Google Images. For some of our posts about our podcast, we have used photos of featured guests with their explicit permission (confirmed with a signed consent form).
We also use a lot of icons and graphics. Many of these were created using Canva (Professional Version), which has been a lifesaver. Nicole and Kim had both been using Canva in their other projects, and it’s a great tool for creating website images, postcards, business cards, ads, social media banners, etc. Images can be downloaded as PDF or PNG files.
Collecting Email Addresses – We quickly determined that a simple contact form linking to an email address would not serve us well, but we would need to use a mail management system. There are many of them out there – TinyLetter (which Nicole has been using for years for another project), MailChimp (main company behind TinyLetter), ConstantContact, AWeber, ConvertKit, etc. Many of these organizations are based in the US, but had released information about how they were addressing GDPR. We were also told about some European-based services, including Mailjet. We ended up going with MailChimp.
- Data protection principles
- Rights you have regarding your personal data
- What personal data we gather
- How we use personal data (including how long we save the data, i.e. for the duration of the fixed-term project)
- Who has access to the data (partners are named)
- How data are secured
- Information about cookies, as well as a link to Google Analytics and their opt-out page
- Contact information for any questions
Analytics and Cookies – We are not tech experts, but we knew enough to know that we would need analytics (it’s helpful to know who is interested in your project, podcast, etc.), which means ticking boxes and configuring our website to collect some information. And this means dealing with cookies. As cookies can be used to identify a person, they also need to be treated as “personal data” and are impacted by GDPR. (Here is a great overview article on cookies and GDPR compliance.) In practice, this means giving website visitors the option to choose how cookies are used and to revoke consent.
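To make the “choose or revoke” point concrete, here is an added example (not the project’s own code, nor code from any plugin named on this page): a small script that loads Google Analytics only after a visitor grants consent and, on revocation, sets Google’s documented ga-disable opt-out flag and expires the analytics cookies. The property id is a placeholder, and window/document are passed in so the logic can be exercised against the constructed fake at the bottom.

```javascript
// Added example, not the project's code: load Google Analytics only after consent and
// honour revocation. GA_ID is a placeholder; window/document are injected (fake below).
const GA_ID = "UA-XXXXXXXX-1";              // placeholder property id
const CONSENT_COOKIE = "cookie_consent";    // first-party cookie recording the choice only
const GA_COOKIES = ["_ga", "_gid", "_gat"]; // cookies the analytics tag sets

function readConsent(doc) {
  // "granted", "denied", or null when the visitor has not decided yet.
  const m = (doc.cookie || "").match(/(?:^|;\s*)cookie_consent=(granted|denied)(?:;|$)/);
  return m ? m[1] : null;
}
function setCookie(doc, name, value, maxAge) { // Max-Age=0 expires the cookie
  doc.cookie = `${name}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

function applyConsent(win, doc, decision) {
  setCookie(doc, CONSENT_COOKIE, decision, 180 * 24 * 3600);
  // Google's documented per-property opt-out flag: when true the tag stays silent.
  win["ga-disable-" + GA_ID] = decision !== "granted";
  if (decision === "granted") {
    if (!win.__analyticsLoaded) { // inject the tag once, and only after consent
      const s = doc.createElement("script");
      s.async = true;
      s.src = "https://www.googletagmanager.com/gtag/js?id=" + GA_ID;
      doc.head.appendChild(s);
      win.__analyticsLoaded = true;
    }
  } else {
    // Revocation: expire the identifying cookies, not just stop future collection.
    GA_COOKIES.forEach((name) => setCookie(doc, name, "", 0));
  }
  return readConsent(doc);
}

function makeFakeBrowser() { // constructed window/document stand-in with cookie semantics
  const jar = new Map();
  const doc = {
    head: { children: [], appendChild(el) { this.children.push(el); } },
    createElement: (tag) => ({ tagName: tag }),
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join("; "); },
    set cookie(str) {
      const [pair, ...attrs] = str.split(";").map((p) => p.trim());
      const [name, value] = pair.split("=");
      const age = attrs.find((a) => a.startsWith("Max-Age="));
      if (age && Number(age.slice(8)) <= 0) jar.delete(name); else jar.set(name, value);
    },
  };
  return { win: {}, doc };
}
```

In a real page you would call applyConsent(window, document, choice) from the consent banner’s buttons and readConsent(document) on load to decide whether the tag may be injected at all.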
Thankfully, there are some great, free WordPress plugins to make this easy:
(5*) (Only if you are running a hosted WordPress website) Check into WordPress plugins to help simplify things
If you are a user of a site hosted by WordPress, you already know how critical plugins can be in helping to simplify things. As we were muddling through which specific features and functions we wanted, we stumbled into these very helpful plugins to help address GDPR-related issues:
- Really Simple SSL – helps you to avoid a lot of coding to redirect an http:// site to an https:// site (once the SSL certificate is installed)
- Formidable Forms and related plugins (GDPR for Formidable Forms and GDPR Framework) – the first is used for creating drag-and-drop forms, and the other two plugins are installed to make your forms GDPR compliant
Other important plugins:
- Mail – Depending on which service you use to collect email addresses, such as Mailjet or MailChimp, you will need to install the related plugin.
- Back-up – We installed UpdraftPlus, which we set up to back up to a Google Drive account. The plugin gives you the option of specifying where you want to host your backup, including FTP to your server, Dropbox, Google Drive and others. You can configure it to do manual or automated backups.
(6) Consider GDPR issues as they relate to a podcast
Images – We knew that we would want to have at least one blog post related to each of the podcast episodes. Podcast guests and team members all had to sign release forms permitting use of any images they provided for blog posts / social media.
Podcast hosting – We followed our strategy to go with a hosting service based in the EU to host our podcast. After contacting a few providers, we found that Blubrry had European-based servers for podcast hosting.
Podcast editing – Our original plan had been to use a podcast editing service. After investigating a few of these, however, we ran into some issues with how and where the data would be controlled and processed, which are two key issues with GDPR. We ended up working with an individual podcast editor who is an EU citizen and was required to sign the standard data protection agreement with iac Berlin.
(7) Consider GDPR issues as they relate to getting the word out, including social media
Here’s the good news. For social media tools or platforms such as Facebook, LinkedIn, Twitter, Pinterest, WhatsApp, or Instagram, consent and data use issues are covered by the terms and conditions and privacy notices of each of these social media tools.
As a social media ‘name’ is a personal identifier, it is important to consider who on your team will be dealing with social media on behalf of your project. In our case, we had each of these team members sign the required agreement with iac Berlin.
As social media posts can feature images provided by podcast guests, team members, or symposium contributors, we included permissions to share these images in our original consent form.
We hope you find this helpful and welcome any feedback!
Kim & Nicole