Good question, glad you asked. So GDPR is the new “General Data Protection Regulation” and comes into force May 25th 2018 for us EU residing souls. Although in principle it seems like headache inducing bureaucracy, it is in fact a well needed set of laws that prevent the current systemic interchange and flow of personal data on a massive scale. It’s kind of like someone finally inventing the seat belt for the automobile. It’s not perfect and it’s overly complicated so this is definitely a V1.0 but it will improve over time.
Anyway, back to my question – GDPR in a nutshell has beef
with any company using data for purposes that aren’t strictly essential to
justify their collection – and it’s particularly hormonal towards companies
that hoard data about individuals (versus business). For most of us, that’s
probably not a major concern, tighten up your policies, document them and you’re
good. However, there is a bit of a sticky spot when it comes to the concept of ‘third
party data controllers’ – a data controller is someone who can control the
data, manipulate it if you like. Data processors are the other side of the coin
and they simply provide the means to collect data and store it normally,
nothing else. However, Google does fall in to the ‘third party data controller’
category and where it gets particularly sticky is the fact that our websites
these days use TONNES of Google provided goodies. These include but not limited
to:
- Maps – so you can have that nice zoomy map showing everyone where the office is
- Fonts – yes, fonts(!), are now mostly downloaded directly from Google’s servers
- Jquery – a nerdy programming tool for web developers, is hosted on Google’s servers
- Analytics – the thing that tells you how few visitors have visited your website
- Adwords – this is a biggy – the thing that serves up yours and others advertisements
Ordinarily, most of these tools would be collecting anonymous
data, which is largely OK, however, since it all gets filtered back to Google
HQ on US based servers, it’s not at all difficult for Google to use basic
device fingerprinting (ie. The combination of computer you’re using, the web
browser, the updates it has and the homepage that is set) to form a unique
picture of exactly who the visitor is.
All in all, you need to find out Google’s
policies on data retention, processing, usage and storage to be fully
compliant. This is no mean feat and all tolled, personally, is more paperwork
that I’d care to think about just so someone can have a clicky map to find out
where my office is.
This is definitely non-essential for business use and collection
of such data is unwarranted. Same goes for the font we use on our website. Worst
of all, pretty much all of Google’s servers are US based, meaning they don’t strictly
comply with GDPR. If these tools are essential to the website, you’ll need to
do homework, otherwise weigh up how much they’re needed. Here’s a quick
checklist to solve many issues:
- Right click your website in Chrome and click ‘View Page Source’ and look for the word google. If you see links to Google websites then your website is accessing Google resources remotely. Eg: http://fonts.googleapis.com/css?family=...... You’d therefore be wise to ask your developer to copy that resource (if allowed) to your web host directly so you’re not going all the way to Google’s servers to access it, rather just access it locally. Same applies to JQuery.
- Analytics is also a sore point, it’s a great tool but it sets dozens of cookies and you need to have a watertight privacy policy. Why not analyse your own logfile if you don’t heavily rely on Analytics – tools such as weblogexpert.com or goaccess.io for example. Critically, digest my point below on the big change on the implicit acceptance of cookies change, it’s now not allowed.
- Update your cookie policy, the Civic UK tool is a great wizard to get it GDPR compliant https://www.civicuk.com/cookie-control - a big change these days is that implicit acceptance of cookies is not allowed, they have to click ‘Accept’ before they can be set. If the user doesn’t click the ‘Accept’ button, then Google Analytics et al will not collect jack and basically become a pretty much irrelevant tool, since the data it reflects will only be that of those who accept the privacy policy. How many ‘Accept’ buttons do you click? Not many, and that won’t change.
- Adwords is even more intrusive as far as GDPR is concerned, if you host other people’s adverts on your website and it’s a big revenue generator that you can’t do without, again get ready for the homework, otherwise it might be cheaper to remove them.
I’m not Google bashing here, I’m simply highlighting touchpoints
– the fact is we ALL use Google. There are other providers that also have
equally opaque policies on data collection (eg. Chat bots or chat forms on your
website) and you will need their data policies and document them to continue
using their tools too.
The era of downloading a cool widget and plonking it on your
website for all and sundry has alas come to an end, by doing that you’re
exposing the data of your visitors and customers to third parties that could lose
or abuse it (just look at the recent Facebook leak and mark my words, Google
will be on the leaky list very soon if it isn’t already)
GDPR is a bit of a headache but we all have to endure it,
think of it as your virtual seat belt and maybe that will make the whole
process a bit more digestible.
Comments