Driven primarily by the European Union (EU), the General Data Protection Regulation (GDPR) is a large-scale attempt to give users much greater privacy controls. Initially announced 2 years ago, to allow websites to fully prepare, the GDPR became law on May 25, 2018. Moreover, the GDPR is not "finished", rather GDPR is expected to continually evolve and grow over time. GDPR affects website owners situated both inside the EU and those elsewhere in the world.
Our article today is quite long, so if you want to learn more about GDPR and how we met the GDPR challenge, I suggest, reserve 30 minutes to read, make a cup of tea or coffee. Let's begin.
While working with GDPR, one key takeaway I've learned is that at the time of writing, making up 99 documents, the GDPR is a lot more complicated in practice than we may at first think.
Sidebar update August 2018: we have new solutions! If you're running a small organisation, you too may be able to dramatically reduce the amount of work you'll need to otherwise do to make your website GDPR friendly. For details, jump to near the end of this article. If not, please keep reading. GDPR doesn't usually offer shortcuts.
Back to our topic. As web site developers, a big benefit for us is now that we have "gone through the GDPR transition pain", we know what needs to be done, both from legal perspective and website technical standpoint.
Yet for anyone who is already too busy running a small business, meeting the GDPR stipulations is especially hard. In fact, it's really hard! Which is why I've also made this in-depth article freely available, to share what I know and hopefully to help others.
So if you want some GDPR insights, please stay with me and read all of this article - at least once.
Let's get started.
Is GDPR About More Than Websites?
Without doubt, yes. The GDPR affects a range of areas, including:
- Communications by email.
- How we use social media.
- Email marketing.
- Web site contact forms.
- Website registrations.
- Website subscriptions to products or services.
- Web site memberships.
- How websites sell products and services online.
- How we use e-commerce through websites.
You can learn more about GDPR at the websites below:
- The official EU GDPR website.
(if you're feeling brave, scroll down the page to read the details).
- Arguably, a more user friendly explanation of GDPR.
- Another good plain-English information reference about GDPR.
- The UK Information Commissioner's Guide to the General Data Protection Regulation (GDPR)Guide to the General Data Protection Regulation (GDPR).
Here in the UK, we've had a law in place since 2003 that UK organisations can only legally send marketing emails to individuals if they have:
- Consented to receive such emails. Or have ...
- An existing customer relationship with the email recipients, with an opportunity for subscribers to opt out at any time for any reason.
While striving to build and run web businesses, like many others around the world who also try their best to be considerate and respectful to users, we too have already been following such "good practice" stipulations, both to website visitors and registered users alike.
A short summary: it's not hard to be nice to others online. We can just imagine how we might feel as the recipient.
Nevertheless, the new GDPR specifications are a significant step-up in the requirements for doing business on the web, especially impactful to small businesses. Medium- and large-sized organisations most likely already have the resources and people available to help meet the new GDPR requirements more easily. For a small one-, two-, or three-person business however, the GDPR challenges are huge.
From a website perspective, GDPR involves making key changes in two areas:
- Legal website text updates.
- Technical web site code enhancements.
Key tip: attention to both legal and technical aspects is usually needed to meet GDPR requirements.
Some organisations have discovered more about the complexities and additional costs of meeting the requirements for GDPR.
While a website is only one aspect affected by the GDPR, here at Internettips.com, we spend a lot of time and money working with websites. So GDPR web site impact is where our main focus here will be.
Some Alternative Approaches For Integrating GDPR Into A Business Or Organization Website
Some folks believe that GDPR can be a huge hurdle and marketing disadvantage for EU-based website owners and users, compared to others around the world.
Perhaps understandably, some web site providers have opted to use various stealth techniques that arguably reduce the impact of GDPR stipulations on their website users, clients, customers.
Others are choosing to help overcome "the problem of GDPR" by moving user registration to the point of sale. Why: the idea is that people who are in the mood to buy our products and / or our services are more likely to "jump through the GDPR hurdles" while at the point of buying.
However, in the paragraphs below, we talk about a different approach based on "first contact user registration", which may seem more simple, straightforward: we ask visitors who want to contact us, to first register, then log in, thereafter use our contact forms as required.
Over time, more options can become available to anyone who logs in too.
Nevertheless, we'll measure responses, monitor, discuss, exchange ideas and opinions with other website providers to help better determine how customers and clients feel about the additional GDPR barriers. So during the coming weeks and months, we too may also move GDPR hurdles to the point of sale.
While accepting that there are different ways to help make a website GDPR friendly, for now, below is an outline of what we have done with InternetTIPS.com, to strive to become a GDPR-friendly web site.
The GDPR pays little heed to how nice we think we are. To meet the GDPR requires:
- Some business re-examination.
- A little introspection about how we connect with web visitors.
- Tracking of some things.
- Deletion of other records.
- Monitoring still more activities.
- Specific steps to be completed, and ...
- Further actions to be taken.
However, I could be wrong. I realise that some of the steps we have taken below may be viewed by some as an unnecessary overreaction. Though perhaps erring on the side of caution offers a better plan, until at least, we understand more fully how GDPR rules are best interpreted.
The Biggest GDPR Changes For InternetTIPS.com
Our website changes included:
- Learning more about and striving to understand GDPR.
- Creating GDPR policies.
- We decided to delete thousands of old, non-active subscribers on multiple old website subscriber lists, and on our current website, made up of people who have double-opted-in during previous years. Why: if previous users were no longer active, why should we pester them today? Anyone who wants to hear from us can easily resubscribe.
- Researching technical solutions to complex GDPR challenges.
- Making multiple technical changes to Internettips.com website functionality to help become GDPR friendly.
- Installing a surprising amount of GDPR technical changes that actively take place "in the background", behind the public face of our website.
- Application of incredibly strong "Security by design" initiatives.
- The application of "Explicit Consent" throughout the website.
- Creating a modified web site registration form.
- Creating new, modified general purpose website contact form.
- Creating a new website design services contact form.
- Making website application changes to "notify users of profile field changes".
- We have built in website functionality that runs automatically and irreversibly deletes inactive user accounts (GDPR Requirement).
- Implementation of "Consent tracking".
- We designed "access to submitted information" for our registered users.
- Contact form users can also export records of their own submitted information in standard electronic formats like CSV and PDF.
- Automatic legal text change monitoring with new consent prompting. Once our GDPR changes were activated, when our website terms of access get changed, in order to proceed, our website systems now prompt and require users to consent to our new updated terms. So every change means new consent is required.
- Our new GDPR system now includes an option for registered users to remove or delete their own submitted information (relates to website contact form information).
- As part of security enhancements, we now use further application of two-factor authentication log-ins using Google Authenticator, which is now available both for website admin logins and registered users if they choose that option too. We never, ever use the older, flawed mobile-phone based text message so-called authentication methods.
How We Enable Our Users To Take Control Of Their Web Form Messages
With GDPR, website contact forms become more special, more protected. Suddenly, web forms have just got more complex. Why: the GDPR reminds us that user consent is required when using web contact forms:
- For each web form.
- That the date and time of each instance of user consent must be recorded.
- Every individual time- and date-stamped record of user consent must be able to be produced later, as required, on demand.
To meet the new GDPR requirement of consent when sending a web form, while we could simply just add a check box with the name: "I give InternetTIPS.com permission to collect my details through this form." to our main website contact form, we have two problems with that simple approach:
- A check box alone is not enough: we need to record the actual check box consent, monitor any changes to consent, and build in reporting options.
- The data records of such a web form would be publicly visible to everyone, rather than to just each individual specific web form user, and us, as website admins.
In addition, "open" web forms are less secure today, even if we were already using HTTPS (remember, "S" stands for secure). Why: because our web form would then be publicly visible to everyone, rather than a web form installed behind a unique login barrier.
So, in the GDPR context, for our purposes, having a built-in log-in functionality really helps.
To recap, here's why a public web form doesn't meet our GDPR requirements:
- We would still have no easy way to: (a) record the form information, and (b) make the form data available only to the sender, (c) should they at any time, choose to exercise their rights under the GDPR to (d) review, (e) download, (f) export in a (g) standard, machine-readable format, or (h) delete one, or more, or all of their form messages.
- We would not have fully secure, recording, monitoring and reporting features activated.
However, if we insert our contact forms behind a log-in barrier, we resolve all of the pressing challenges above. Our thanks go to the nice folks at RSJoomla for the idea.
How We Secure Web Site Contact Forms Better
As part of our solution, to help start to "fix the GDPR problem", anyone who registers on our website is automatically assigned a unique ID reference number by our web content management system. So when a user logs in, by referring to the user ID, our website intelligence knows who is logging in.
However remember, logins suggest that something is done to the information when you log in. That's true: now we have one or more databases to manage, protect, monitor.
With the activation of GDPR, the security of website databases becomes even more important. That's why web security also gets a boost too.
Through the use of logins, we can create and provide a standard web form, and design the processing of our contact form so that it responds to each individual logged-in user.
Thereafter, when a logged in user uses our contact form, we have set up an automated system that:
- Knows who the sender is every time they use the web form.
- Receives and processes each message our sender sends.
- Places a copy of each message into a secure "Submissions database", that is only available to the message sender and ourselves, as website admins.
- Allows us to more easily respond and reply to web form messages in a timely manner in the normal way.
That's why users of our contact forms must now log in first, to meet new GDPR stipulations and ensure that website users have, at any time, the option to examine, modify, and delete their own contact form submissions information, yet still keep that information private and confidential only to each relevant user and ourselves.
Do The Simple Website Two-Step To Send Your Message
Before GDPR, like hundreds of millions of other websites, if you wanted to use our website contact form, you could have just gone to our contact page, fill in the form and choose the send button. After GDPR, especially when we were still using our Joomla-based website, the security of your communications take on greater importance and responsibility from us.
We then asked our clients and website visitors to do the quick website Two-Step:
- Step 1: first register with us using our registration page.
- Step 2: then log in, using our then log-in page.
On our website front end, our website visitors of course can access both of those web pages easily through our "Contacts" button and main website navigation menu, and from various other "cross-links" situated on different parts of our website.
Key tip: offering multiple ways to get to the same destination is usually a great idea from a website usability standpoint.
So now that our more enhanced, GDPR-friendly web form feature is now set up and activated, you can:
- Log in.
- Go to our contact form.
- Complete the contact form fields and send your message, in the knowledge that your contacts with us are now even more secure, more private, more confidential than just having a plain old, less secure, "open" public website contact form.
Register For Your All-Aboard The GDPR Express Ticket
Let's recap: before you can log in to Internettips.com, you must first register on our secure website:
- Although we explore registration in more detail here on this page, you can register in minutes.
- Depending on the speed of your Internet connection and email service, sometimes you can register in seconds.
- The most important aspect is to choose and record a unique, long, complex password.
Please note: we hope that within a few years, passwords won't be needed to log in. Even today, often we may log in using our fingerprint, facial recognition, a special key. However sometimes, these new approaches can still remain unreliable until they become properly perfected.
The best password-replacing solution we think, is the promise of DNA sampling - perhaps through our own breath: we just open our device and it knows it's us. No complicated login passwords, no fingerprint scan, and no facial recognition. For today though, we're still stuck with usernames and passwords:
- Asking you to register with us is not to trap you in any way shape or form.
- One way to view GDPR is to realise that it gives all of us much greater protection and transparency.
- Your registration with us is simply our electronic proof, a signal, and a record, to show to anyone who has the authority to ask us, that at the time and date of your registration, you chose to connect with us, verified, proven, beyond any shadow of doubt.
- Your registration with us allows us to have legal conversations with you using our web forms and email.
- Your registration does not allow us to send you promotional emails, news, or website offers, unless we already have a previous existing business relationship with you.
- You're free to unsubscribe at any time.
- Successful user registration also has a second benefit: thereafter, you can, if you choose, connect with us using our now even more protected, more secure, more private contact forms, and thereafter, view, download, or delete any form submission you may choose to send us.
Legal information is always important. However, probably like most of you, we don't like long legal forms either. For now though, we're stuck with these too. However ...
Make A Million With My Smart App Product Idea
Here's a new product opportunity idea for someone to consider. Imagine a "smart app" that:
- Uses Artificial Intelligence (A.I.) to understand the meaning of the document from our perspective, as users. Then ...
- Presents us with a score from 1 - 10. Anything over a score of 6 means the legal form has "reasonable", "acceptable", "normal" conditions, so we can then choose "Yes", and move on.
When such apps become commonplace, accepted, trusted, long legal documents no longer become the hurdle they are to many of us today.
We're keeping our fingers crossed, as code is getter ever smarter and our latest generation of developers hold remarkable promise.
GDPR Also Means No More Pre-Filled "Yes" Check Boxes
On our registration page, to meet another GDPR stipulation:
- Automatic "No" settings also mean, if you want to register with us, you can only complete your registration if you agree and therefore explictly change the setting and choose "Yes" to both check boxes or option buttons.
- For those who do choose to register, they are, of course still free to unregister at any time.
- Once you have fully registered, on log-in, you'll discover access to commands and links that can lead to our website contact forms and other options.
- In time, additional reserved, non-public content can also be available only to registered users, as an extra thank you for trusting us by registering.
Registration Double-Opt-In Confirms Your Choices
As part of registration, we use a double-opt-in process. Double-opt-in means that:
- Step 1: when you register (first stage), our website system will automatically send to you a special email containing an encrypted link.
- Step 2: to fully "opt-in" or register, you'll need to choose the encrypted link through click or touch (that's your second stage).
Why do we need to use double-opt-in? Only with double-opt-in, do we have electronic proof that the email address holder has confirmed their choice to opt in through receiving, choosing, clicking, or touching the encrypted link in the confirmation email message.
- Already a legal requirement in Canada and Australia.
- At the time of writing, not yet a distinct requirement for GDPR - though I expect that to change here at least in the EU too.
With GDPR, double-opt-in takes on greater importance. Perhaps double-opt-in will sooner rather than later, become a legal requirement for all G20 nation websites.
Tip: so if you're not already using a registration double-opt-in system for your website, I suggest do so as soon as possible.
By dealing with issues like double-opt-in, and GDPR, you upgrade and enhance your website. You can then focus your most important energies on perfecting how to connect with your website visitors, do business with your clients, and customers in ways that are life enhancing for everyone involved.
Opting Out, Unregistering, Or Profile Deletions
GDPR means that users should be able to opt out as easy as they can opt in. For our users, opting out or unregistering is simple. For now, if you would like to unregister, log in and let us know your instructions. We'll do the rest.
At the time of writing, hardly anyone unregisters through conscious choice (thank you dear users). However, if someone does choose to unregister:
- For now, we prefer to perform the user unregistration task manually so that we can control the process better. Also, when we delete someone's profile from our servers, we need to make doubly sure that if the person has previously purchased products and services, for tax purposes, that information must stay intact in our records and not get deleted until its expiry period is over.
- However, soon the deregistration process could become more reliably automated that would not affect business sales records. At the time of writing, Joomla web content management system latest version is v3.8.8. However, from Joomla v3.9, and beyond, registered users should have a quick and easy way to delete their own personal details that may be stored in the even more secure, heavily protected areas of our website.
- If a registered user account is not actively used by the user within a specified time period, to help meet the "right to be forgotten" GDPR stipulation, we have set up a system that automatically deletes dormant registered user accounts.
- Once a user profile is deleted, the process is not reversible.
- If you have an active but unused subscription, that too will be deleted. If you have a membership subscription, you'll be logging in regularly anyway, so you won't be affected. For those who have only registered but still wish to keep that registration open, the simple solution for now is to just log in at least once every 6 months.
Round-Up: Registered Users At InternetTIPS.com And GDPR
To meet the GDPR conditions, every registered user can now:
- Delete their registered user account at any time (GDPR: “Right to Be Forgotten”).
- Modify, update, download, or remove their submitted personal information stored within their registered user profile. Though for security reasons, for now, we've opted to keep usernames fixed at the time they're created. If a registered user ever wants to change their username, we ask that they simply close down their existing profile and create a new profile with the username they want.
- Delete all stored copies of their email communications sent to us using our general contact form.
- Request that we also delete all remaining stored communications stored in our off-site email databases (excluding backups). However, to maintain records for tax purposes, we take special steps to ensure we don't delete any emails relating to products or services purchased from us.
- Expect and trust that should the requirement to delete data from backups arise, we will strive to update those too. Automated encrypted website backups get created off-site daily. So should we ever need to restore from a backup, we'll minimise the extra work that may be needed to remove any users who since the previous day's last backup decided to unregister.
More About Our Secure, Confidential Contact Forms
You've read this far: thank you and congratulations. By now, you too may appreciate that GDPR requirements are deep and wide-ranging.
The GDPR suggests that from May 25, 2018, accepting personal information over unencrypted email links is now illegal. However, we already use HTTPS https:// website links, and also only ever use encrypted email links.
- To send a message using one of our contact forms, your message can only be sent to us if as a logged-in user you agree we can collect information through the contact form you're using. You signal and record your agreement at the time of sending your message, by choosing a check box or option button.
- Each contact form agreement signal gets recorded and is tied to the relevant logged-in user using the contact form.
- In each web form Submissions database, our users can check their information and likewise verify that they have given their permission to use that particular contact form.
In this way, under GDPR, website providers are better protected against people who may falsely accuse a website of contacting them without permission. Moreover:
- As GDPR realities become more clear, or perhaps may change, we too may likewise change or modify some or all of the above processes to meet the requirements of changing times. For now, however, we realise that times have changed, we're living in a new age, that's why our contact forms are kept confidential and protected.
- Nevertheless, you are not required to use our contact forms to contact us. Instead, you can simply email us directly.
- Though if you have not already registered, we will ask you to register for all the reasons outlined above.
- Existing clients and contacts already have our email contact details.
- Though using ordinary email means that we have yet another data source to manage too. That's why in time, to free up more time, simplify the management of user data, and more easily meet GDPR requirements, we may use only one data managed communication method managed and focused only through our website.
What About Marketing, News Updates, Offers?
At InternetTIPS.com, we already have lots of free content pages that anyone can access: no registration necessary.
However, for those wonderful folks who do choose to register, remember, GDPR rules mean that simply by registering at Internettips.com does not mean we can send you news, updates, commercial offers, etc. For marketing purposes, we use a separate opt-in / opt-out method to send alerts about any time-limited commercial offers by email.
To engage commercially with new users, we will require you to:
- Register at InternetTIPS.com first. How: simply check under "Contacts" on our main website menu and follow onscreen prompts.
- if you're happy for us to send send occasional website new updates, special offers, sell products, provide services, or make website memberships available to you, we'll ask you to signal agreement in another, second opt-in web form, which may also be embedded into an email newsletter option. Likewise, you can unsubscribe or opt-out at any time usually with a simple check box click or touch.
Some GDPR Benefits And Drawbacks
For website providers, GDPR can seem hard and overwhelming. Certainly some work is needed. With every great momentous change, there are winners, losers, benefits, and drawbacks.
As a result of GDPR changes, some benefits of GDPR to users include:
- Provides a "privacy first", "explicit consent" environment for users.
- Provides greater transparency for users.
- The amount of email a website receives may decrease.
- Amounts of email spam received may decrease.
- Promotes greater emphasis on the use of plain English language and understanding.
- Users can keep better control of who they're signed up with.
- Anyone can subscribe and unsubscribe more easily.
- Promotes "data minimisation" (websites should delete user data when no longer required).
- Users can now have more direct control of their data (data portability right).
- For website providers, once GDPR upgrades are done, being more aware of the user data we hold, can help us simplify our processes.
- GDPR friendly websites have more protection from corrupt users seeking to exploit and blackmail weak website providers (why: strong GDPR equipped website managers will have concrete data evidence).
- Our genuine users can be more assured that our website is even more secure than in the past.
- Know that we are more accountable to protect our users data.
- Users can access their data at any time (data portability right).
- Users can export their website stored data at any time (data portability right).
- Users can delete their data (right to be forgotten).
- Users can request we delete certain data (right to be forgotten).
- Users can ask for details about data stored on them, initially for no cost. Follow-up requests may involve a fee.
- Could the GDPR become a world model of excellence for user privacy? Or a tax-raising scheme for an EU forever low on income? Or, will GDPR provide huge commercial advantage to less restrictive countries like the USA?
GDPR User Drawbacks
GDPR is a long way from perfect. Disadvantages include:
- More initial upheaval, hassle, confusion, cost, and for some, irritation, for users, as they may need to re-register on websites.
- Contacting us is now not so straightforward: no more open insecure contact forms.
- Web users have become used to expect "open" contact forms, so may express frustration at having to log in.
- Users must choose and store better passwords.
- Post-GDPR activation date, the number and choice of businesses offering help to users may plummet. Lots of freelancers may choose to support only their own projects instead, selling through other channels.
- GDPR extra demands on businesses may force prices for certain products and services to rise.
- We won't be surprised if thousands, hundreds of thousands, or even millions of websites simply don't comply with GDPR. What happens then? We don't know.
Benefits Of GDPR To Us
Even with all the GDPR preparation pain, we've had some wins, including:
- To meet GDPR, we have had to learn some new skills.
- At the time of writing, the use of "Essential" login cookies, related to security purposes, are exempted from the GDPR. However, that may change in time.
- Once GDPR structure is in place, we receive less spam, we waste less time, our business becomes simpler, more efficient.
- We can spend more time working only with folks who truly want our help.
- We can explore lots of ideas to create content reserved for registered users.
- We can reinvent what we do, cancel some things, and create new offerings.
- Post-GDPR activation date, the numbers of membership subscription websites may rise dramatically creating more service offerings.
- We can use our GDPR experience, knowledge, and knowhow to help others, clients and customers better upgrade for GDPR.
One interesting realisation for us is that should GDPR ever get cancelled, reversing or simplifying our GDPR changes is a lot easier than setting them up in the first place.
Drawbacks of GDPR For Us And Perhaps Other Small Businesses Too
Our GDPR pain revolves around the extra work and effort required, including:
- Full compliance, or getting close to full compliance to the GDPR is especially hard and brutal on small businesses. Why: large companies can weather the GDPR preparation and upgrade storm. However, we don't think many small- and micro-businesses simply have the time, money, or resources to meet the new strict GDPR requirements. We worry about what will happen to them.
- We had to complete a massive amount of extra initial work, testing, tweaking, etc., for zero initial rise in income.
- We've had to spend more on GDPR compliancy, security and website protection.
- Our ongoing running costs have now increased a little.
Solving More GDPR Problems, Plus 8 New Benefits
Update alert: clearly, preparing a website for GDPR is a challenge. We need better answers. Therefore, from late July 2018, since this original web page was written, we've performed some further changes and updates, including:
- We no longer use Joomla or WordPress web content management system for InternetTIPS.com. Now we use a highly secure, static website solution instead. So registrations, logins, using a CMS, are no longer needed for what we provide.
- Furthermore, because we no longer use Joomla or WordPress, no CMS registration or login pages are needed.
- We no longer have an online database to protect. So website security is boosted even further.
- Website technical aspects have now been dramatically simplified even further.
- No database and less code, means a much faster website - especially helpful to mobile users.
- We no longer use standard web contact forms. Anyone can simply email us directly instead using their preferred email tool.
- Moreover, as we have removed the need for registration, log in, and contact forms, most of the functionality outlined in the article above, relating to all of the key areas mentioned, has now been dramatically simplified.
- In the coming weeks, we may opt to add a new GDPR-compatible new email newsletter registration form.
Do You Need Help To Upgrade Or Adapt Your Website To Meet The GDPR?
I hope this in-depth article helps you with consider GDPR implications for your website.
Our website was previously built and managed using the latest version of Joomla - now one of the best, if not the absolute best - web content management systems available today.
However, with GDPR, we realized that in 2018, we simply didn't need the extra complexity that comes with a web content management system.