Good question, glad you asked. So GDPR is the new “General Data Protection Regulation” and comes into force May 25th 2018 for us EU-residing souls. Although in principle it seems like headache-inducing bureaucracy, it is in fact a much-needed set of laws that prevents the current systemic interchange and flow of personal data on a massive scale. It’s kind of like someone finally inventing the seat belt for the automobile. It’s not perfect and it’s overly complicated, so this is definitely a V1.0, but it will improve over time.
Anyway, back to my question – GDPR in a nutshell has beef with any company using data for purposes that aren’t strictly essential to justify its collection – and it’s particularly hormonal towards companies that hoard data about individuals (versus businesses). For most of us, that’s probably not a major concern: tighten up your policies, document them and you’re good. However, there is a bit of a sticky spot when it comes to the concept of ‘third party data controllers’ – a data controller is someone who can control the data, manipulate it if you like. Data processors are the other side of the coin: they simply provide the means to collect data and store it, nothing else. Google, however, does fall into the ‘third party data controller’ category, and where it gets particularly sticky is the fact that our websites these days use TONNES of Google-provided goodies. These include, but are not limited to:
- Maps – so you can have that nice zoomy map showing everyone where the office is
- Fonts – yes, fonts(!), are now mostly downloaded directly from Google’s servers
- jQuery – a nerdy programming tool for web developers, is hosted on Google’s servers
- Analytics – the thing that tells you how few visitors have visited your website
- AdWords – this is a biggy – the thing that serves up your and other people’s advertisements
Ordinarily, most of these tools would be collecting anonymous data, which is largely OK. However, since it all gets filtered back to Google HQ on US-based servers, it’s not at all difficult for Google to use basic device fingerprinting (i.e. the combination of the computer you’re using, the web browser, the updates it has and the homepage that is set) to form a unique picture of exactly who the visitor is.
All in all, you need to find out Google’s policies on data retention, processing, usage and storage to be fully compliant. This is no mean feat and, all told, personally, is more paperwork than I’d care to think about just so someone can have a clicky map to find out where my office is.
This is definitely non-essential for business use and collection of such data is unwarranted. The same goes for the font we use on our website. Worst of all, pretty much all of Google’s servers are US-based, meaning they don’t strictly comply with GDPR. If these tools are essential to the website, you’ll need to do your homework; otherwise weigh up how much they’re needed. Here’s a quick checklist to solve many issues:
- Right click your website in Chrome, click ‘View Page Source’ and search for the word google. If you see links to Google websites then your website is accessing Google resources remotely, e.g. http://fonts.googleapis.com/css?family=...... You’d therefore be wise to ask your developer to copy that resource (if allowed) onto your web host directly, so that the page accesses it locally rather than going all the way to Google’s servers. The same applies to jQuery.
- AdWords is even more intrusive as far as GDPR is concerned. If you host other people’s adverts on your website and they’re a big revenue generator that you can’t do without, again get ready for the homework; otherwise it might be cheaper to remove them.
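As an added example (not part of the original post), here is a small Python script that does the ‘search the page source for google’ step of the checklist automatically: it lists every resource a page fetches from a host other than its own and maps each one to the action above, i.e. copy static files like fonts and jQuery locally, or review/remove the data-collecting ones. The Google hostname list and the sample page are assumptions I constructed for the demonstration, not an exhaustive list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Google-operated hostnames commonly embedded in pages (assumed list, not exhaustive).
GOOGLE_SUFFIXES = ("googleapis.com", "gstatic.com", "google-analytics.com",
                   "googletagmanager.com", "googlesyndication.com", "doubleclick.net", "google.com")
# Static assets you can simply copy to your own host (the Google Fonts CSS itself
# loads font files from fonts.gstatic.com, so copy those as well).
SELF_HOSTABLE = ("fonts.googleapis.com", "fonts.gstatic.com", "ajax.googleapis.com")
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

def is_google_host(host):
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def recommend(host):
    if host in SELF_HOSTABLE:
        return "copy locally"
    if is_google_host(host):
        return "review Google's data policy or remove"
    return "obtain this provider's data policy"

class RemoteResourceScanner(HTMLParser):  # collects resources fetched from other hosts
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(FETCH_ATTRS.get(tag, ""))
        if not url:
            return
        # Relative URLs ("/css/site.css") have no hostname; "//host/x" resolves as https.
        host = urlparse(url, scheme="https").hostname
        if host is None or host == self.page_host:
            return  # served from our own host: nothing leaves the site
        self.findings.append({"tag": tag, "url": url, "host": host,
                              "google": is_google_host(host), "action": recommend(host)})

def audit_html(html, page_host):
    scanner = RemoteResourceScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page mirroring the checklist above (not a real site).
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto">
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE-ID"></script>
<script src="https://www.example.com/js/app.js"></script>
</head><body><iframe src="https://www.google.com/maps/embed?q=Example+Office"></iframe>
<img src="https://cdn.example.net/logo.png"></body></html>"""
```

Run `audit_html(SAMPLE_HTML, "www.example.com")` to get one finding per remote resource; note that resources pulled in by CSS (`@import`, `url()`) or by scripts at runtime are not in the page source and need the browser's network tab instead.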
I’m not Google bashing here, I’m simply highlighting touchpoints – the fact is we ALL use Google. There are other providers that also have equally opaque policies on data collection (e.g. chat bots or chat forms on your website) and you will need their data policies, documented, to continue using their tools too.
The era of downloading a cool widget and plonking it on your website for all and sundry has alas come to an end. By doing that you’re exposing the data of your visitors and customers to third parties that could lose or abuse it (just look at the recent Facebook leak and mark my words, Google will be on the leaky list very soon if it isn’t already).
GDPR is a bit of a headache but we all have to endure it, think of it as your virtual seat belt and maybe that will make the whole process a bit more digestible.