
What about GDPR and my website? We use Google’s services on it



Good question, glad you asked. So GDPR is the new “General Data Protection Regulation” and comes into force May 25th 2018 for us EU-residing souls. Although in principle it seems like headache-inducing bureaucracy, it is in fact a much-needed set of laws that prevent the current systemic interchange and flow of personal data on a massive scale. It’s kind of like someone finally inventing the seat belt for the automobile. It’s not perfect and it’s overly complicated, so this is definitely a V1.0, but it will improve over time.

Anyway, back to my question – GDPR in a nutshell has beef with any company using data for purposes that aren’t strictly essential to justify their collection – and it’s particularly hormonal towards companies that hoard data about individuals (versus businesses). For most of us, that’s probably not a major concern: tighten up your policies, document them and you’re good. However, there is a bit of a sticky spot when it comes to the concept of ‘third party data controllers’ – a data controller is someone who can control the data, manipulate it if you like. Data processors are the other side of the coin: they simply provide the means to collect data and store it normally, nothing else. However, Google does fall into the ‘third party data controller’ category, and where it gets particularly sticky is the fact that our websites these days use TONNES of Google-provided goodies. These include, but are not limited to:
  • Maps – so you can have that nice zoomy map showing everyone where the office is
  • Fonts – yes, fonts(!), are now mostly downloaded directly from Google’s servers
  • jQuery – a nerdy programming tool for web developers, is hosted on Google’s servers
  • Analytics – the thing that tells you how few visitors have visited your website
  • Adwords – this is a biggy – the thing that serves up your and others’ advertisements

Ordinarily, most of these tools would be collecting anonymous data, which is largely OK. However, since it all gets filtered back to Google HQ on US-based servers, it’s not at all difficult for Google to use basic device fingerprinting (i.e. the combination of the computer you’re using, the web browser, the updates it has and the homepage that is set) to form a unique picture of exactly who the visitor is.

All in all, you need to find out Google’s policies on data retention, processing, usage and storage to be fully compliant. This is no mean feat and, all told, is personally more paperwork than I’d care to think about just so someone can have a clicky map to find out where my office is.

This is definitely non-essential for business use and collection of such data is unwarranted. Same goes for the font we use on our website. Worst of all, pretty much all of Google’s servers are US based, meaning they don’t strictly comply with GDPR. If these tools are essential to the website, you’ll need to do homework, otherwise weigh up how much they’re needed. Here’s a quick checklist to solve many issues:

  • Right-click your website in Chrome, click ‘View Page Source’ and look for the word google. If you see links to Google websites then your website is accessing Google resources remotely, e.g. http://fonts.googleapis.com/css?family=...... You’d therefore be wise to ask your developer to copy that resource (if allowed) to your web host directly, so you’re not going all the way to Google’s servers to access it but rather accessing it locally. The same applies to jQuery.
  • Analytics is also a sore point. It’s a great tool, but it sets dozens of cookies and you need to have a watertight privacy policy. If you don’t heavily rely on Analytics, why not analyse your own logfile instead, with tools such as weblogexpert.com or goaccess.io for example? Critically, digest my point below about the big change on implicit acceptance of cookies: it’s no longer allowed.
  • Update your cookie policy, the Civic UK tool is a great wizard to get it GDPR compliant https://www.civicuk.com/cookie-control - a big change these days is that implicit acceptance of cookies is not allowed, they have to click ‘Accept’ before they can be set. If the user doesn’t click the ‘Accept’ button, then Google Analytics et al will not collect jack and basically become a pretty much irrelevant tool, since the data it reflects will only be that of those who accept the privacy policy. How many ‘Accept’ buttons do you click? Not many, and that won’t change.
  • Adwords is even more intrusive as far as GDPR is concerned, if you host other people’s adverts on your website and it’s a big revenue generator that you can’t do without, again get ready for the homework, otherwise it might be cheaper to remove them.
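
The page-source check from the first checklist item, automated as an added example (not code from the original post): it goes a little beyond searching for the word "google" by listing every third-party host the page loads resources from and flagging the Google ones. The domain list, the `audit` helper and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, non-exhaustive list of Google-operated domains to flag.
GOOGLE_DOMAINS = ("google.com", "googleapis.com", "gstatic.com",
                  "google-analytics.com", "googletagmanager.com",
                  "googlesyndication.com", "doubleclick.net")
# Tags that make the browser contact a host, and the attribute holding the URL.
FETCHING_TAGS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}
# <link> only triggers a request for these rel values (canonical etc. do not).
FETCHING_RELS = {"stylesheet", "preload", "preconnect", "dns-prefetch", "icon"}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_TAGS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not (rels & FETCHING_RELS):
            return
        if attrs.get(attr):
            self.urls.append(attrs[attr])

def audit(html, site_host):
    """Return {third_party_host: is_google} for remotely loaded resources."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = {}
    for url in parser.urls:
        host = (urlparse(url).hostname or "").lower()  # also handles //host/path
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # relative URL or self-hosted copy: no third party involved
        findings[host] = any(host == d or host.endswith("." + d)
                             for d in GOOGLE_DOMAINS)
    return findings

# Constructed sample page source (not taken from a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Example">
<link rel="canonical" href="https://www.example.com/">
<script src="//ajax.googleapis.com/ajax/libs/jquery/X.Y.Z/jquery.min.js"></script>
<script src="/js/site.js"></script></head><body>
<iframe src="https://www.google.com/maps/embed?pb=constructed"></iframe>
<script src="https://widget.chat-vendor.example/loader.js"></script>
<img src="https://static.example.com/logo.png"></body></html>"""

if __name__ == "__main__":
    for host, is_google in sorted(audit(SAMPLE, "example.com").items()):
        print(("GOOGLE      " if is_google else "THIRD PARTY ") + host)
```

Every host in the output is a party whose data policy needs documenting; a resource copied to your own web host drops out of the list.
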
I’m not Google bashing here, I’m simply highlighting touchpoints – the fact is we ALL use Google. There are other providers that have equally opaque policies on data collection (e.g. chat bots or chat forms on your website), and you will need to obtain their data policies and document them to continue using their tools too.

The era of downloading a cool widget and plonking it on your website for all and sundry has alas come to an end. By doing that you’re exposing the data of your visitors and customers to third parties that could lose or abuse it (just look at the recent Facebook leak and mark my words, Google will be on the leaky list very soon if it isn’t already).

GDPR is a bit of a headache but we all have to endure it, think of it as your virtual seat belt and maybe that will make the whole process a bit more digestible.
