
7 Steps to Address GDPR for a Project Website and Podcast

On May 25th 2018, GDPR – the General Data Protection Regulation went into effect across the EU. Those of us in Europe heard all about this. Some of us were annoyed by all of the privacy statement update emails we were receiving. When it came time to move forward with Project Ungoverned? in June 2018, build our website, launch our podcast, and make preparations for our symposium, we knew we had to be GDPR compliant.

As a comparatively tiny project supported by an EU-based organization and carried out for a fixed term, not a stand-alone business with an IT department, how was our small team (initially two people) going to deal with GDPR? And what exactly did it mean for us to comply with GDPR and meet the requirements of our supporter based in Berlin, which is also subject to GDPR?

Here are the 7 steps we went through and the solutions we used and created. As we were starting our work just days after the law went into effect, there wasn’t a lot of guidance available. But we muddled through it and want to share what we learned, hopefully making things easier for others.

(1) Accept you are going to have to deal with GDPR, and it’s just going to take some time

This is critical. There isn’t a way around GDPR. Accept that you are going to need to set aside a good chunk of time – hours to days – to learn what it is, figure out how it could impact your project, and what solutions you can use. In our case, we were surprised at just how much time we needed to spend on GDPR-related issues in the beginning. Frankly, we also spent some unnecessary energy moaning.

While we both had experience of implementing websites in the past, it became clear our quick and easy methods were now outdated. We’d need to make some new technology decisions, develop some new processes, and allocate time just for that.

(2) Learn enough about GDPR to understand it, but not go crazy

Nicole trained as a lawyer. Kim is hyper-analytical. We probably could have spent months looking into this if we didn’t have work to do with a fixed timeline and budget. But we needed at least a basic understanding of GDPR – the General Data Protection Regulation 2016/679 (full, intimidating text here). Briefly put, it’s a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area, with the goal to significantly strengthen the data protection rights of citizens of the European Union. Bottom line: it’s a very, very good thing. We found these resources to be really helpful:

(3) Figure out how GDPR is going to impact the different aspects of your project

In our case, Project Ungoverned? has four components to it: (1) the back-end (team coordination); (2) a website; (3) a podcast; and (4) our online symposium, all of which would be impacted by GDPR. And we’d need to look at each of these components independently. As our online symposium will not happen until 2019, we’ll address this in a later blog post.

(4) Look at your behind-the-scenes processes (the backend) to see what might be impacted by GDPR

We quickly learned that, since this is a European regulation, European-based companies had to comply with GDPR and were actively addressing these issues. Therefore, by using European vendors that complied with GDPR and host their data in Europe, we would be making our lives easier. These are the tools we decided to use:

Google – We use Google for a lot of our collaboration. Kim, who is based in Germany, set up a German Google account for the project communications and collaborations, which is hosted in Europe. Google provides several pages of text outlining their GDPR compliance initiatives. And, indeed, the terms for Google in Germany and the US are different. We use a lot of the Google tools – Gmail, Docs, Drive, Calendar, Analytics (with caveats – see below) – which has two huge advantages: facilitating collaboration (and cutting down on email exchange); and setting permissions so the appropriate team members can access their relevant documents.

Hivebrite – Project Ungoverned? takes place within the Bosch Alumni Network. The Bosch Alumni Network uses a software platform for our alumni communications called Hivebrite, which has made it incredibly easy for us to connect with other people in our closed group, who later became collaborators and contributors to this project. As everyone participating in the platform had to agree to participate and chose which data they wanted to share, any communication within the network was essentially okay. The data are hosted in Amsterdam, Netherlands. (Tip: If you are looking for a platform to connect a large group of people and facilitate the development of a network, it’s certainly worth checking out.)

Data Protection/Agreements – We needed to think through which members of our team would be dealing with data containing personal identifiers, such as email addresses, names, voices, etc. In our case, this means individuals recording the podcasts, posting on social media, facilitating the symposium, and accessing back-end information on our website. As this project takes place within the Bosch Alumni Network (BAN), which is coordinated by the iac Berlin, these individuals needed to sign an agreement with BAN/iac Berlin, agreeing to certain terms. What happens to the data, including the period for which data are stored and how data are used, is disclosed in our Project Ungoverned? Privacy Policy.

Team Calls – For some teams, it used to be common practice to record calls automatically. Now, it’s important to make sure you have consent to do so. Any recordings made also need to comply with your privacy policy (see below). When we’ve recorded calls, we’ve used Skype in conjunction with an add-on program called Ecamm’s Call Recorder for Skype.

(5) Examine the different components of your website with regard to GDPR

Hosting – For a variety of reasons, we decided to go with a hosted WordPress site early on, as we knew how to use it and someone on the team could quickly make any changes or updates. It was important for us to find a European-based hosting platform, so that all of the data for our website would be hosted on a European-based data platform. As some well-known hosting providers only had servers in the US, we went with GoDaddy to host in Europe, which offers two options – 1) set up a new account, or 2) move an existing account to a European server for a fee (see here for more information). After setting up the hosting on our domain name, we then installed and activated an SSL certificate for the site. (See here for a brief explanation of SSL, which is reflected in the https:// rather than http:// at the start of the site’s address.)

Photographs / Images – As a photographer friend told Kim, GDPR is killing street photography in Germany, as people now yell at photographers to tell them to stop photographing them. GDPR gives people the right not to be photographed, and permission is needed to put their faces on the internet. For our project website, to play it safe, we mostly use images and photographs that are publicly available. When we searched for images to use on our site, we looked for those that were licensed as Creative Commons or allowed commercial use and modifications. We used these sites: Flickr, Search Creative Commons, and Google Images. For some of our posts about our podcast, we have used photos of featured guests with their explicit permission (confirmed with a signed consent form).

We also use a lot of icons and graphics. Many of these were created using Canva (Professional Version), which has been a lifesaver. Nicole and Kim had both been using Canva in their other projects, and it’s a great tool for creating website images, postcards, business cards, ads, social media banners, etc. Images can be downloaded as PDF or PNG files.

Collecting Email Addresses – We quickly determined that a simple contact form linking to an email address would not serve us well, but we would need to use a mail management system. There are many of them out there – TinyLetter (which Nicole has been using for years for another project), MailChimp (main company behind TinyLetter), ConstantContact, AWeber, ConvertKit, etc. Many of these organizations are based in the US, but had released information about how they were addressing GDPR. We were also told about some European-based services, including Mailjet. We ended up going with MailChimp.

Email Opt-Ins – A key part of GDPR compliance is a two-step, opt-in process for emails. In other words, if you see an email pop-up form, simply entering your email address is not enough to provide consent. You also need an additional “opt-in”, which is usually a tick-box to affirm once again – yes, you agree to share the email address you just typed into the box. Or ticking the box generates an email asking you to confirm once again that, yes, you want to sign up. Your privacy policy, which needs to be available on your website, discloses what you do with the email addresses and how people can opt out or unsubscribe from your list at any time. We found this overview on GDPR from SmartInsights and these examples posted on Zettasphere to be very helpful.
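The two-step flow described above, as an added example in Python that is not code from the original post or from any mailing service: the first step only records a pending entry and issues an HMAC-signed confirmation token for the email; only a valid, unexpired token for the same address flips the entry to confirmed, and the record keeps when consent was given so it can be shown later. The secret key, token lifetime, and in-memory store are assumptions standing in for real configuration and a database.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"replace-with-a-random-secret"  # assumed; load from configuration in practice
TOKEN_TTL_SECONDS = 48 * 3600                 # confirmation links expire after 48 hours
subscribers = {}                              # constructed in-memory store: email -> record


def request_signup(email, now=None):
    # Step 1: the visitor typed an address. Record it as pending only and
    # return the token that goes into the confirmation email.
    now = int(now if now is not None else time.time())
    email = email.lower()
    nonce = secrets.token_hex(8)
    payload = f"{email}|{now}|{nonce}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    subscribers[email] = {"status": "pending", "requested_at": now, "nonce": nonce}
    return f"{now}.{nonce}.{sig}"


def confirm_signup(email, token, now=None):
    # Step 2: the visitor followed the link. Only a well-formed, unexpired token
    # whose signature matches this address and nonce counts as consent.
    now = int(now if now is not None else time.time())
    email = email.lower()
    record = subscribers.get(email)
    if record is None or record["status"] != "pending":
        return False
    try:
        issued, nonce, sig = token.split(".")
        issued = int(issued)
    except ValueError:
        return False
    if nonce != record["nonce"] or now - issued > TOKEN_TTL_SECONDS:
        return False
    payload = f"{email}|{issued}|{nonce}".encode()
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    record["status"] = "confirmed"
    record["confirmed_at"] = now  # keep a record of when consent was given
    return True


def unsubscribe(email):
    # Opt-out at any time, as the privacy policy promises: drop the record entirely.
    return subscribers.pop(email.lower(), None) is not None
```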

Privacy Policy – When it came time to put together our Privacy Form, we looked at several others out there, including the one from iac Berlin, which supports the Project Ungoverned? podcast series and symposium, and another example the iac Berlin team shared with us. We also looked at privacy policies partially generated by using WordPress plug-ins. Our final privacy policy was then reviewed and approved by iac Berlin before going live. Important aspects to include were:

  • Definitions used in the privacy policy
  • Data protection principles
  • Rights you have regarding your personal data
  • What personal data we gather
  • How we use personal data (including how long we save the data, i.e. for the duration of the fixed-term project)
  • Who has access to the data (partners are named)
  • How data are secured
  • Information about cookies, as well as a link to Google Analytics and their opt-out page
  • Contact information for any questions

Analytics and Cookies – We are not tech experts, but we knew enough to know that we would need analytics (it’s helpful to know who is interested in your project, podcast, etc.), which means ticking boxes and configuring our website to collect some information. And this means dealing with cookies. As cookies can be used to identify a person, they also need to be treated as “personal data” and are impacted by GDPR. (Here is a great overview article on cookies and GDPR compliance.) In practice, this means giving the user of the website the option to choose how cookies are used or to revoke consent.
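What "choose or revoke" looks like server-side, as an added example in Python that is not code from the original post or from any WordPress plugin: the visitor's choice is kept in a small consent cookie tied to a policy version, the analytics tag is only rendered when that cookie says so, and withdrawing consent expires the analytics cookies and rewrites the record. The consent cookie name, the policy version, and the analytics cookie names (`_ga`, `_gid`) are assumptions to adjust for your own setup.

```python
from http.cookies import SimpleCookie

CONSENT_COOKIE = "pu_consent"   # assumed name for the cookie that stores the visitor's choice
CONSENT_VERSION = "2"           # bump whenever the cookie section of the privacy policy changes
ANALYTICS_COOKIES = ("_ga", "_gid")  # assumed names of the cookies the analytics script sets


def read_consent(cookie_header):
    # Parse the request's Cookie header; missing, malformed or outdated consent counts as none.
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:
        return None
    morsel = jar.get(CONSENT_COOKIE)
    if morsel is None:
        return None
    fields = dict(p.split(":", 1) for p in morsel.value.split("|") if ":" in p)
    if fields.get("v") != CONSENT_VERSION:
        return None
    return {"version": fields["v"], "analytics": fields.get("analytics") == "1"}


def analytics_allowed(cookie_header):
    # Gate the analytics snippet on this: render it only when the answer is True.
    consent = read_consent(cookie_header)
    return bool(consent and consent["analytics"])


def consent_set_cookie(analytics, days=180):
    # Set-Cookie value recording the choice; the consent cookie itself is strictly necessary.
    jar = SimpleCookie()
    jar[CONSENT_COOKIE] = f"v:{CONSENT_VERSION}|analytics:{'1' if analytics else '0'}"
    morsel = jar[CONSENT_COOKIE]
    morsel["max-age"] = days * 86400
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def revoke_analytics_headers(domain):
    # On withdrawal: expire every analytics cookie on the site's domain, then record analytics=0.
    headers = []
    for name in ANALYTICS_COOKIES:
        jar = SimpleCookie()
        jar[name] = ""
        jar[name]["max-age"] = 0
        jar[name]["path"] = "/"
        jar[name]["domain"] = domain
        headers.append(("Set-Cookie", jar[name].OutputString()))
    headers.append(("Set-Cookie", consent_set_cookie(False)))
    return headers
```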

Thankfully, there are some great, free WordPress plugins to make this easy:

(5*) (Only if you are running hosted WordPress website) Check into WordPress plug-ins to help simplify things

If you are a user of a site hosted by WordPress, you already know how critical plugins can be in helping to simplify things. As we were muddling through which specific features and functions we wanted, we stumbled into these very helpful plugins to help address GDPR-related issues:

  • Really Simple SSL – helps you avoid a lot of coding to redirect an http:// site to an https:// site (once the SSL certificate is installed)
  • Cookie Notice – informs users that your site uses cookies, to comply with the EU cookie law and GDPR regulations.
  • Formidable Forms and related plugins (GDPR for Formidable Forms and GDPR Framework) – the first is used for creating drag-and-drop forms, and the other two plugins are installed to make your forms GDPR compliant

Other important plugins:

  • Mail – Depending on which service you use to collect email addresses, such as Mailjet or MailChimp, you will need to install the related plugin.
  • Back-up – We installed UpdraftPlus, which we set up to back up to a Google Drive account. The plugin gives you the option of specifying where you want to host your backup, including FTP to your server, Dropbox, Google Drive and others. You can configure it to do manual or automated backups.

(6) Consider GDPR issues as they relate to a podcast

Voices / Audio-recordings – We knew that we’d want to interview people for our podcast series and we’d need to cover our bases here as well. In some cases, we recorded our pre-interviews with potential guests on Skype using Ecamm’s Call Recorder for Skype after obtaining their permission verbally to do so (i.e. we then captured their audible consent at the beginning of the recording). These recordings are stored locally, and are managed in compliance with our project’s privacy policy. We worked with iac Berlin to develop a specific release form for the audio recordings of podcast guests and soundbite contributors, who were all required to sign and return it before the recording could take place.

Images – We knew that we would want to have at least one blog post related to each of the podcast episodes. Podcast guests and team members all had to sign release forms permitting use of any images they provided for blog posts / social media.

Podcast hosting – We followed our strategy to go with a hosting service based in the EU to host our podcast. After contacting a few providers, we found that Blubrry had European-based servers for podcast hosting.

Podcast editing – Our original plan had been to use a podcast editing service. After investigating a few of these, however, we ran into some issues with how and where the data would be controlled and processed, which are two key issues with GDPR. We ended up working with an individual podcast editor who is an EU citizen and was required to sign the standard data protection agreement with iac Berlin.

(7) Consider GDPR issues as they relate to getting the word out, including social media

Here’s the good news. For social media tools or platforms such as Facebook, LinkedIn, Twitter, Pinterest, WhatsApp, or Instagram, consent and data use issues are covered by the terms and conditions and privacy notices of each of these social media tools.

As a social media ‘name’ is a personal identifier, it is important to consider who on your team will be dealing with social media on behalf of your project. In our case, we had each of these team members sign the required agreement with iac Berlin.

As social media posts can feature images provided by podcast guests, team members, or symposium contributors, we included permissions to share these images in our original consent form.

We hope you find this helpful and welcome any feedback!

To learn more about Project Ungoverned?, which looks at the governance and ethics of online education, subscribe to our newsletter. You can also follow us on Twitter, Facebook, and LinkedIn.

Kim & Nicole
