Know your cookies: checklist to make your Readymag website GDPR-friendly
In the months that have passed since the launch of GDPR we’ve learned a lot about how to make a website in accordance with its rules — and today we’d like to highlight the key points to help you along your GDPR journey when creating web projects with Readymag.
The GDPR (short for General Data Protection Regulation) was adopted by the EU and came into effect on May 25th, 2018. It obliges any individual, non-commercial or commercial enterprise that collects personal data of European citizens to return control of that data to the individual.
At Readymag we’re highly committed to following all GDPR rules. That’s why we’ve made a significant effort to achieve Privacy Shield Certification, a rating that proves our full compliance with GDPR.
Put simply, the two most important ideas of GDPR are explicit consent and readily available opt-out: users should be well-informed about any activities concerning their data and they should be able to revoke their consent to such actions at any time. Also, under GDPR users can request you to show them all of their data that is stored on your site in an accessible electronic format or to erase all their personal data permanently.
The definition of personal data under GDPR is very broad: for example, many cookies count as personal data. So the chances that you need to adjust your Readymag website to comply with GDPR rules and regulations are rather high.
OK, how do I begin?
First, identify all the types of personal data you’re collecting and processing.
GDPR puts it this way:
‘Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
In practice, there are three main types of personal data you might collect on your Readymag webpage:
- ‘Straightforward’ personal data (e.g. names, surnames, or e-mails of visitors), usually collected with forms.
- First-party cookies, created and used by your own code.
- Third-party cookies, used by third-party widgets.
Wait, all cookies are personal data?
Mikhail Nikolaev, project manager at Readymag:
‘Most of them are. Technically some cookies don’t give the opportunity to identify the user, meaning that they are not personal data from a GDPR point of view, but they’re extremely rare in Readymag projects.
The key difference here is between session cookies and persistent cookies.
Session cookies expire after a user’s session ends. Persistent cookies don’t go away after the end of a session and may allow a user to be identified over a series of sessions. You might use most session cookies without explicit user consent, but not persistent cookies.’
The EU Internet Handbook puts it this way:
‘Consent is not required if the cookie is used for the sole purpose of carrying out the transmission of a communication, and strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.’
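The session/persistent distinction above can be checked mechanically from the Set-Cookie headers a page sends. The following is an added example, not Readymag's code: it parses Set-Cookie headers following RFC 6265 (Max-Age takes precedence over Expires; neither attribute means a session cookie) and flags persistent cookies for review. The sample headers are constructed; whether a persistent cookie is 'strictly necessary' is still a human judgement.

```javascript
// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), attrs: {} };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

// Returns 'session', 'persistent' or 'expired'. Per RFC 6265 a valid Max-Age
// wins over Expires; Max-Age <= 0 or a past Expires date deletes the cookie.
// An unparseable attribute is ignored, as a browser would ignore it.
function classifyCookie(cookie, now = Date.now()) {
  const { attrs } = cookie;
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    return Number(attrs['max-age']) <= 0 ? 'expired' : 'persistent';
  }
  if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return t <= now ? 'expired' : 'persistent';
  }
  return 'session';
}

// Audit a list of Set-Cookie headers. Persistent cookies are the ones that
// belong in the Data Governance Policy and, unless strictly necessary,
// behind an explicit consent bar.
function auditCookies(headers, now = Date.now()) {
  return headers.map(parseSetCookie).map((c) => {
    const kind = classifyCookie(c, now);
    return { name: c.name, kind, needsConsent: kind === 'persistent' };
  });
}

// Constructed sample headers, not captured from a real site.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; HttpOnly; Secure',
  '_ga=GA1.2.111; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/',
  'promo=seen; Max-Age=2592000; Path=/',
  'old=x; Max-Age=0; Path=/',
];
```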
OK, I have put together a list of personal data I collect and work with. What does GDPR require me to do with it?
Mikhail Nikolaev, project manager at Readymag:
‘The key idea behind GDPR is to keep customers well-informed on your use of their data. Moreover, they should be able to opt out if they aren’t satisfied with your explanation. That means you must explicitly state what you plan to do with your visitors’ data and to directly and clearly request their permission: no legalese or silent consent.’
We recommend the following steps:
1. Put together a clear Data Governance Policy
A Data Governance Policy is a document that tells visitors and other interested parties (e.g. the state) exactly what you do with their data. GDPR doesn't impose strong regulations or formal restrictions on the data governance policy; the most important aspect is that it should be clear, without legalese or caveats. You can design such a page using Readymag and add it to any of your projects.
2. Add a cookie consent bar
No doubt you've seen the cookie consent bar by now: usually, it's a banner hanging below the webpage, interrupting the user's site experience until they close it (interrupting the user is its purpose).
3. Make your mail processing GDPR compliant
If you use a mail receiver, make sure it works correctly from the GDPR point of view. Users should be able to learn where their emails are stored and for what purposes they are used (you might simply list all relevant information before or after the form). Moreover, you should clearly state whether you plan to send users anything in the future and acquire their consent to do so.
4. Be ready to show your user their data or to erase it
Under GDPR users can request you show them their stored data or to erase such data permanently.
5. Check all third-party widgets
YouTube, Google Analytics, and other third-party widgets may take your users' data without informing them. If you use one of these widgets it's your responsibility as the site creator to inform your visitors. A Data Governance Policy might be a good place to explain all this.
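The consent bar (step 2) and the third-party widgets (step 5) meet in the logic that decides what may load. The following is an added example, not Readymag's code: a small consent record with explicit opt-in per category, nothing loaded by default, re-consent when the policy version changes or after a year, and a revoke function for the opt-out GDPR requires. The storage object is injected so the logic runs without a browser; in a page you would pass window.localStorage. The policy version, category names and widget-to-category mapping are assumptions.

```javascript
const POLICY_VERSION = 2;           // assumed; bump when the Data Governance Policy changes
const CONSENT_KEY = 'cookieConsent'; // assumed storage key
const CONSENT_TTL_MS = 365 * 24 * 3600 * 1000; // re-ask after a year

// Assumed mapping of embedded widgets to the cookie category they need.
const WIDGETS = { youtube: 'marketing', googleAnalytics: 'analytics' };

// Returns the stored consent record, or null when the bar must be shown:
// no decision yet, corrupt record, older policy version, or a stale decision.
function readConsent(storage, now = Date.now()) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || rec.version !== POLICY_VERSION) return null;
  if (typeof rec.decidedAt !== 'number' || now - rec.decidedAt > CONSENT_TTL_MS) return null;
  if (!rec.categories || typeof rec.categories !== 'object') return null;
  return rec;
}

// Store the visitor's decision; categories is e.g. { analytics: true, marketing: false }.
function saveConsent(storage, categories, now = Date.now()) {
  const rec = { version: POLICY_VERSION, decidedAt: now, categories };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Opt-out: wipe the record so widgets are blocked again and the bar reappears.
function revokeConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Widgets that may be loaded: only those whose category was explicitly opted in.
// With no valid record nothing loads (no silent consent).
function allowedWidgets(storage, now = Date.now()) {
  const rec = readConsent(storage, now);
  if (!rec) return [];
  return Object.keys(WIDGETS).filter((w) => rec.categories[WIDGETS[w]] === true);
}

// In-memory stand-in for localStorage, constructed so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a real page the widget embed code would be injected only for the names returned by allowedWidgets, and a link in the footer would call revokeConsent.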
We’re committed to helping you meet GDPR requirements and keep your users’ data safe. We’ll continue to improve our service in this regard and to offer advice to customers. For more information please write to us at email@example.com. We also advise you to consult the original text of GDPR here.