How we applied GDPR to a simple website

In my recent blog, I gave an overview of why marketers needed to move GDPR up their agendas. In this follow-up, I’m going to describe how we have been applying the regulations to a website created for a local business group, Leicestershire Business Voice (LBV), an organisation operated by volunteers, with very rudimentary IT infrastructure.

Website overview

This WordPress-powered website focuses purely on providing information about the organisation (with some external links to EventBrite) and doesn’t have any user-generated content, user-account or transactional/e-commerce functionality. The only cookies used relate to Google Analytics.

Our approach

We began the process by performing an audit of the website and interconnected systems.

One of the first decisions we had to make was how deep to go along the data-processing route. For instance, let’s imagine a membership form is completed. The data flow is something like this:

  • The completed form is emailed to the organisation’s administrator. The data is also written to the website’s MySQL database via Gravity Forms (the plugin we use to power the forms).
  • The Administrator (who is using Gmail to view email) reads the information and forwards the details to a relevant board member to contact the applicant.
  • If the applicant chooses to join the organisation, the administrator adds them to the database (an Excel spreadsheet) and emails or posts an invoice to their company.
  • Assuming the new member is happy to be contacted by LBV via email newsletters and event notifications (it would be a bit strange if they weren’t!), the administrator also adds them to the address book/list within Campaign Monitor.
  • Thereafter, the member will be contacted periodically by email and annually when their membership is due for renewal.

Our view was that given how basic LBV’s process is, we can be quite detailed. For larger organisations, where data might be shared between departments (Sales, Marketing and Financial being obvious examples), tracking the flow of data quickly gets very complex. Many larger clients are of course tackling GDPR obligations in far broader terms (extending their considerations to include supplier/partner networks, current/past employees and HR/Recruitment), so the work we do has to dovetail into all this rather than be treated separately.

Having gone through the audit process, we can summarise the organisation’s internet marketing communications/management system as follows:

  • A WordPress website hosted by WP Engine in the UK
  • Two contact forms (powered by WordPress Gravity Forms plugin) that send membership applications and general enquiries to a single administrative email address (Gmail based)
  • An Excel Spreadsheet (stored on the administrator’s PC)
  • Individual email accounts (everyone’s a volunteer remember)
  • Campaign Monitor (Email marketing platform) used for communicating with members. Hosted in San Jose
  • EventBrite is used to manage events (data probably stored in US)
  • Google Analytics to analyse web usage

As this list shows, even such a basic structure throws up a number of complications:

  • For obvious reasons, Google’s infrastructure is complex and highly distributed, so trying to pinpoint the exact geographic location for email storage would be quite naive. Any other recipients within the organisation are likely to be using personal or business email addresses which makes a truly granular audit extremely difficult
  • Having an Excel spreadsheet on an individual’s PC is inherently risky
  • EventBrite’s privacy policy is comprehensive, but they skirt the challenge of supplying exact details of data location

With regards to EventBrite, we have taken the stance that as they are a completely separate eco-system that LBV website users link through to, we cannot reasonably track their methods for processing data or using cookies and other tracking technologies.

Before we added any information to the website, we therefore had to help LBV with a few basic rules and processes. Our recommendations were to:

  • Set up an email address (data-controller@) that could act as a conduit for data-related communications. Note: Many companies should consider appointing and identifying a specific data-controller, however due to the volunteer nature of LBV, it was suggested that the organisation itself (as an entity) was appointed in this role.
  • Stop sending completed forms to the administrator entirely, and instead send email notifications that alert the administrator to view the completed application/enquiry form from within the Content Management System. This keeps the form data within a secure MySQL database.
  • Switch the Excel spreadsheet to cloud-based MS Office 365 or a Google Sheet in the short term and ultimately switch to using dedicated membership management software.
  • Set up a protocol that states that if a completed form still needs to be emailed to a board member, then both the sender and recipient have a responsibility to permanently delete the email once it has been processed.

The next step was to involve the legal experts. We needed the actual privacy/cookie policies and T&Cs that would appear on the website. Fortunately this was a relatively simple process, and led us to work with a legal firm called Herbert & Ball, who have helpfully set up a dedicated website https://gdprprivacypolicy.org where users can download a complete set of templates.

Important note: Cite are most definitely not legal professionals or experts, so although we will gladly share our experiences and opinions, we stress that we do so purely in an advisory role. Ultimately, it is our client’s responsibility to ensure they stay the right side of the law and for this reason, we encourage clients to purchase H&B’s legal pack directly rather than through Cite.

The templates are extremely well annotated with clear instructions of what information users need to find and document. In the case of LBV we had discovered most of the information during our audit process (specifically which services were used, where they were located and where their respective privacy/cookie policies could be found).

Despite the high-quality guidance, completing the templates is still quite time consuming and required us to think very carefully about the choices we made (which bits to keep in, remove or choose from). There were also questions that inevitably required further and deeper investigation.

Obviously, some clients are tackling GDPR in much broader terms, and may have a preferred legal partner or in-house legal team.

Cookies and Tracking

I’m sure all digital marketing professionals hoped all things cookie policy related had been put to bed some time ago. Surely a consensus now existed that our obligation was to inform users when cookies are used (pretty much all the time) and explain that although they can theoretically be disabled, they may have to accept a deterioration in experience as a result?

Although this approach is acceptable at present, GDPR may change this. At the very least, we will need to identify and list all essential and non-essential cookies (a moot point in itself) and provide instructions and ideally a mechanism to give the user control over which cookies are enabled and disabled. This theoretically should include the ability to disable all cookies.

We emphasised the word ‘may’ because truthfully, no one really knows how practical this forensic level of listing/control will be. Sites with user accounts (such as e-commerce stores) use a vast number of cookies to shape the user’s experience and help them manage their basket, discounts and accounts. Switching these on/off arbitrarily may play havoc with the underlying software, so a level of pragmatism will surely apply in due course.

For the LBV website we have installed Civic UK’s Cookie Control widget, available from https://www.civicuk.com/cookie-control
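The listing and control described above can be sketched for a site whose only cookies are Google Analytics ones. This is an added example, not Civic UK's widget code or anything from the LBV site: the inventory, the function names and the property ID `UA-XXXXXXX-Y` are assumptions, and the sample cookie string is constructed. It relies on Google Analytics' documented `ga-disable-<property ID>` opt-out flag.

```javascript
// Added example: cookie inventory, audit and consent gate (all names assumed).
const GA_PROPERTY_ID = 'UA-XXXXXXX-Y'; // placeholder, not a real property ID

// The list the cookie policy publishes. On this site: Google Analytics only.
const COOKIE_INVENTORY = [
  { category: 'analytics', pattern: /^(_ga|_gid|_gat.*)$/,
    purpose: 'Google Analytics usage statistics' },
];

// Split a document.cookie style string into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// Group the cookies actually present by inventory category. Anything the
// inventory does not cover lands in "unlisted", which means the published
// policy is out of date (for example after a new plugin was installed).
function auditCookies(cookieString) {
  const report = { unlisted: [] };
  for (const name of parseCookieNames(cookieString)) {
    const entry = COOKIE_INVENTORY.find((e) => e.pattern.test(name));
    const bucket = entry ? entry.category : 'unlisted';
    (report[bucket] = report[bucket] || []).push(name);
  }
  return report;
}

// Apply the visitor's choice. Must run before the Analytics snippet loads:
// the ga-disable flag stops tracking, and the returned strings expire any
// analytics cookies already set. In a browser, assign each string to
// document.cookie; cookies set on the parent domain also need a matching
// "domain=" attribute to be removed.
function applyConsent(consent, cookieString, win) {
  const allowed = consent.analytics === true;
  win['ga-disable-' + GA_PROPERTY_ID] = !allowed;
  if (allowed) return [];
  const present = auditCookies(cookieString).analytics || [];
  return present.map(
    (name) => name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/');
}

// Constructed sample: two Analytics cookies plus one nobody documented.
const SAMPLE_COOKIES =
  '_ga=GA1.2.111.222; _gid=GA1.2.333.444; newsletter_popup_seen=1';
```

Running `auditCookies` against the live site during each review is a quick way to catch cookies that have appeared since the policy was written.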

On a related note, the policies also require websites to list all tracking pixels used as well as any AI, analytical and profiling software that may be used and require explicit consent. As listed previously, LBV use Campaign Monitor for email communications with the membership. In common with pretty much every similar platform, Campaign Monitor uses tracking pixels to report campaign performance (opens, conversions, clicks and so forth), so these details have also been included.

Challenges ahead

As an agency, we must work very closely with our clients to set up these policies in the first place, but also to keep them maintained. Unless the client wishes to maintain this information themselves (few do), we must be informed when they make relevant changes to the software they use or the way they process data captured online. For instance, if LBV switched from Campaign Monitor to MailChimp there is no way we would know without them explicitly informing us. For this reason, we suggest GDPR is not treated as an ‘add-and-forget’ but instead is included during regular reviews.

Between now and May, we are working with clients to put practical documentation in place and help them make informed decisions. It is our view that a long term consensus on how to best implement GDPR within digital communications will take twelve months or more to reach and therefore the work we do now must be viewed as ‘work in progress’ rather than fait accompli.