A practical guide to GDPR for non-European organizations (without all the legal mumbo jumbo)

If you’ve been overwhelmed by the stream of GDPR (General Data Protection Regulation) information, we’ll try to distill it into a practical GDPR guide. We’re not lawyers, so don’t interpret this as legal advice, but we do have deep experience building websites for non-profit and education organizations.

First, you may not even have to think about GDPR. Ask yourself these questions:

  • Do you target donors/clients/students/readers, or have employees in the EU (including the UK until Brexit happens)?
  • Are you a Fortune 1000 company, an Ivy League college, or an Alexa top 1000 website?
  • Are there malicious people that will tattle-tale on you just to get you in trouble?

If you answered “no” to all of these questions, then you can stop reading now and go back to your regular mission of saving the world. Yes, GDPR technically applies to you, but it’s unlikely that you’ll be targeted for enforcement. Your resources will be better spent elsewhere.

Overarching Perspectives

If you do fall into any of the above categories, it’s important to not be overwhelmed. The GDPR is merely codifying “the right thing.” Chances are, you’re probably already doing many of these things.

However, you should know that the GDPR affects your entire organization; it’s not just about your website. Because most of the people in your organization use the contact information and other private information of individuals, the GDPR could impact everyone at your organization.

You also might not need to learn all the jargon around “data processors vs. data controllers,” “special categories,” or “material scope.” Instead, there are some simple heuristics that you can use to figure out approximately what the GDPR rules are. It all comes down to the fact that your organization does not own the contact information or private data about the people that you interact with; they do. And just like a physical object that you borrowed from someone, you can ask yourself:

  1. Did I get their permission to use it?
  2. Am I only using it for the things that they’ve allowed me to?
  3. Am I doing what I can to keep it safe (think of all the ways that it’s used)?
  4. Am I doing what I can to keep it private (think of all the ways that it’s used)?
  5. Is there a way for them to find out what stuff I’ve borrowed from them?
  6. Is there a way that they can get their stuff back from me (AKA “right to be forgotten”)?

Typical Examples

Let’s look at some of the typical things that your website is likely doing, and what your responsibilities are.

Analytics, Social Media, and Other Third Parties

If your website uses (I think every website built in the last 12 years will be included in this list):

  • Google Analytics
  • a Twitter stream
  • a Facebook “Like” button
  • Google Fonts
  • YouTube videos
  • other third-party services

then you may need to change how those services are used. That’s because you are essentially passing on your visitors’ private data to these third parties (these companies can aggregate data across several websites to create a profile about what kind of person you are, where you live, and how much money you make). However, there’s a lot of debate about this. I interpret the GDPR as requiring a visitor’s consent before you load the third-party images/javascript/etc. But some people interpret the GDPR as suggesting that you only need to update your privacy policy. We may need to wait for the courts to decide this one.


A box that appears at the bottom of the page asking the visitor to acknowledge the use of cookies.

An example of the Cookie Consent library. Only load 3rd-party tools or sensitive cookies if the visitor approves.

We recommend using the Cookie Consent library to obtain a visitor’s permission before loading these services. This library also has the option of only showing this speedbump to visitors from the EU. But that’s the easy part — the hard part is setting up these services to only load after the visitor has clicked “Okay.”
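The “hard part” above, as an added example that is neither code from this post nor from the Cookie Consent library: a small consent gate that queues third-party loaders, only creates their script tags after the visitor clicks “Okay,” and remembers that choice in a first-party cookie. The cookie name and the fake document used to run it offline are assumptions for the demo; in a browser you would pass the real `document` instead.

```javascript
// Added example, not code from the post or from the Cookie Consent library: a consent
// gate that keeps third-party script tags out of the page until the visitor opts in.
const CONSENT_COOKIE = "thirdparty_consent"; // assumed cookie name; pick your own

// Parse a document.cookie string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Opt-in only: anything other than a recorded "yes" counts as "no".
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "yes";
}

// The gate queues loaders until consent exists; grant() is wired to the banner's "Okay" button.
function createConsentGate(doc) {
  const pending = [];
  let granted = hasConsent(doc.cookie);
  return {
    whenAllowed(loader) { // runs now only if consent was already recorded
      if (granted) loader(doc); else pending.push(loader);
    },
    grant() { // remember the choice for a year (Secure needs HTTPS), then flush the queue
      granted = true;
      doc.cookie = CONSENT_COOKIE + "=yes; Max-Age=31536000; Path=/; SameSite=Lax; Secure";
      while (pending.length) pending.shift()(doc);
    },
    pendingCount() { return pending.length; },
  };
}

// A loader: the only place a third-party <script> tag is ever created.
function injectScript(doc, src) {
  const s = doc.createElement("script");
  s.src = src; s.async = true;
  doc.head.appendChild(s);
  return s;
}

// Minimal stand-in for the browser document so the example runs offline (constructed for the demo).
function fakeDocument(cookieString) {
  return {
    cookie: cookieString,
    head: { children: [], appendChild(el) { this.children.push(el); } },
    createElement(tagName) { return { tagName }; },
  };
}
```

Register each analytics, social, font, or video embed with `whenAllowed` instead of writing its script tag into the page, and call `grant()` from the banner’s “Okay” handler; a returning visitor whose cookie already says “yes” gets the embeds immediately without seeing the speedbump again.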

The Social Share Privacy widget first shows a greyed-out “Like” button and only connects to Facebook after the visitor clicks the button.

Before activation this button doesn’t send information to a third party.

For social media, if you don’t want to use a technique like Cookie Consent, then there’s the Social Share Privacy library, which shows a phantom like/share button that the user clicks before the real thing is loaded.

Analytics is a tricky one since the whole point is to have it load immediately to track the visit. You might consider switching to an analytics provider that can give you better assurances in your contract about how they (won’t) use your data.

For videos, if you don’t want to use a technique like Cookie Consent, then there’s the MyTube plugin, which shows a thumbnail (with a disclaimer) for the visitor to click before the video is loaded.

Video from the MyTube library with a disclaimer beneath.

The MyTube library shows what looks like a regular video. But no 3rd-party services are loaded until the visitor clicks the play button.

“Contact Us” Web Forms

Here we’re mostly concerned with the perspectives of “keep it safe” and “keep it private.” There are a few ways that you may need to change how your forms work:

  • Remember that email isn’t secure, so don’t email the full text of the form to your staff. Just a link for them to view it on the website (after logging in) is what you need instead.
  • Ensure that only the necessary people can read submissions.
  • Use HTTPS for your entire website. We’ve been advocating this to our clients for years. There’s no reason for governmental agencies, internet service providers, or malicious actors to know what people are doing on your website.

Email Newsletters

The same pointers for “Contact Us” forms apply here too. Going back to those overarching perspectives listed earlier, here we think mostly about “did I get their permission” and “getting it back”.

We all hate it when all of a sudden we start to get an email newsletter that we didn’t sign up for. This is already illegal in most jurisdictions. Now it’s illegal under the GDPR, too, because you need the individual’s permission first. But more importantly, you need permission specifically about the email newsletter. You can’t add people to your email newsletter just because they interacted with your organization in some other capacity.

If you have been involved in the previously morally ambiguous practice of adding people to your newsletter without their specific consent, you are now in a tough spot. You can’t send all your subscribers a “confirm your subscription” email, because you already don’t have their permission to send that email. Practically, that might be your only option other than restarting your newsletter list from scratch. You’ll need to make that decision for yourself.

If you have built up your existing newsletter subscribership by properly asking permission, then there’s no need to send another “confirm your subscription” email. You’ve already got permission, and sending such an email will likely lose you a good percentage of subscribers that don’t bother to click through, but will still read a future email.

The second important thing here is providing a way for people to get their information back. In this context that means not only unsubscribing from your list, but also getting their contact information removed from your database. It also needs to be as easy as it was to sign up for your newsletter; you can’t just make the excuse that they could go to your website, find the “contact us” form, and send you a message.

CRM

Everything that we’ve talked about above applies to your CRM too. Additionally, the overarching perspective of “find out what stuff I’ve borrowed” applies here. If someone contacts you asking to know what information you have about them (this should either be a dedicated form, or a category on your existing “contact us” form), then do you have a way to export all the data from your CRM about the individual?

There are also additional responsibilities that you have around how you use your CRM, but that’s more than we can get into in this blog post.

Cookies

Your website might use cookies to keep track of things like “this visitor has seen this message, so don’t show it to them again” or “this visitor prefers to see a list using thumbnails instead of text.” There’s nothing private or personal about this information and there’s no way to track it back to the individual — so there’s nothing that you need to do here.

But if your website uses cookies to track more sensitive information, then you’ll need to use a similar technique to what we describe above for third parties.

Privacy Policy & Terms of Service

If you do need to make changes in any of the above areas, then you’ll likely also need to make some adjustments to your privacy policy and terms of service. Dang, you’ll still likely need a lawyer to help with this.

This is a lot! I want to scream!

Don’t get overwhelmed. Rather than getting everything perfect, it’s more important to show that you’ve taken steps forward, and that you’re visibly working towards compliance.

My website does so much more

Do you have user accounts, membership log-in forms, or user-generated content? Then you’ve got more responsibilities — more than we can fit in this short blog post. Some of this may be around the way that you sanitize that information when using it internally (or with vendors like us). But we’ve worked through these things with other organizations, and we can help you work through the implications for your website.

Lastly, if you want to know more about the legal details of GDPR, we recommend a GDPR guide put out by Platform.sh.

Photo by Descrier via Flickr, some rights reserved.