
GDPR Compliance Guideline

With the General Data Protection Regulation (GDPR) around the corner and coming into full effect on May 25th, 2018, it is of utmost importance to make your website compliant with this regulation if your website processes the personal data of people in the EU in any way. Failing to do so may result in severe penalties - up to 4% of annual global turnover or €20 Million (whichever is greater), which is pretty much enough to close your business or at least make a big dent in your revenue.

GDPR is a massive document which replaces the 1995 Data Protection Directive (95/46/EC) and, in the UK, the Data Protection Act 1998 that implemented it. However, although GDPR clearly defines many aspects of privacy, as of the time of writing this, there aren't any clear "checklists" of what you should do to make your website fully GDPR compliant, as each website has a different "starting position", so it's quite challenging to create one unifying approach that is applicable to any website. This means that there is no "set-and-forget" method to make your website GDPR compliant, nor is there a plugin which you can simply install that will miraculously take care of everything. Nevertheless, there is a plugin named WP GDPR Compliance which is created to assist you in the assessment of measures necessary to make your website GDPR compliant. It currently supports selected plugins, but based on their roadmap they're constantly adding new features and expanding the functionality of the plugin.

Of course, the best option for your business would be to hire a lawyer to create a privacy policy specifically tailored for your business, and that is what most of the "big players" will certainly do. For example, based on a recent survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements.


But, we understand, this might represent quite an investment for your business, so we will try to create a guideline as precise as possible to help you make your website GDPR compliant. Of course, we're not by any means lawyers, nor are we competent to give any legal advice. So, all of the following is based strictly on research about recommended practices for GDPR compliance found all over the web.


Main Principles

There are five main principles of GDPR which, combined, represent a cornerstone of this regulation:

  • Increased territorial scope - The legislation affects not only businesses operating in Europe, but also those processing the personal data of anyone located in the EU, regardless of where the business itself is based (which is pretty much any website in the world).
  • Consent - When collecting data about your website visitors on the basis of consent, that consent must be clear, unambiguous and freely given, and the visitor must be able to withdraw it as easily as they gave it. Consent is only one of several lawful bases: data you genuinely need to fulfil a purchase (a name and an email address for a ticket) can be processed because the contract requires it, but anything beyond that, such as marketing emails or analytics, needs its own opt-in. And 'collecting data' does not mean only the data collected through the forms on your website, but also data such as IP addresses, cookies, analytics and other data collected in the background.
  • Right to access - Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
  • Right to be forgotten - Also known as the 'right to erasure'; it entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Withdrawal of consent is one of the grounds on which a data subject can demand this.
  • Privacy by design - This means that data privacy must be incorporated into the design of a system from the outset, and that by default only the data necessary for each specific purpose is processed.


Knowing this makes it easy to draw the conclusion that GDPR is a pretty serious step forward in personal data protection and that every website should become compliant with this regulation. So, here's what that means for you as a website owner or administrator...

Know your position

GDPR recognizes two different entities when it comes to data; data controllers and data processors.

Data controller - is the entity which determines the purposes and means of the processing of personal data. In layman's terms, this is, simply put, you. You will be deciding where and for which purpose the data on your website will be collected and, as such, you must have a lawful basis for every bit of personal information you want to collect from visitors and, wherever that basis is consent, get clear consent from them. Obviously, the first thing that comes to mind is the contact form or any other type of form on your website where, logically, you will be putting a checkbox that the visitor needs to tick in order to proceed and which records that they agree with your terms of use and privacy policy. That checkbox must not be pre-ticked: under GDPR a pre-ticked box or silence does not count as consent, and the tick must be checked again on the server, because a browser-side "required" attribute is trivially bypassed.

Contact forms and newsletter subscription boxes are not the only places where you will be collecting data from your visitors, as there are also cookies and various other data, mainly for site analytics, that will be collected automatically "under the hood".

This is why it is important to let visitors know where you are collecting this data and for which purpose, and also to give them the right to choose not to opt in to collection of such data. Of course, if a portion of your website requires cookies and a visitor wants to opt out, you must let them know that that portion of your website might become unusable if they do not accept cookies. All the cookies and their purpose must be listed in your cookie policy. The same goes pretty much for all the third-party services you might be using on your website for literally any purpose that processes visitors' data in any way. But we'll be discussing the cookie policy along with the privacy policy and terms of use later in this post.

Data processor - is the entity that processes the data in the way that the data controller requires. Again, in layman's terms, this would be your hosting provider or any other third-party service to which you will be forwarding your visitors' personal data. A data processor must also clearly declare GDPR compliance, and you need to have a contract (a data processing agreement) with any and all the data processors you will be using which guarantees that they will implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.


Privacy policy, cookie policy and terms of service

You're right if you're thinking that nobody reads any of that. And if someone does, it's mostly written in legalese which is pretty hard for any average website visitor to understand. But here's the catch: first off, GDPR requires you to inform visitors about what you collect and why, in practice through a privacy policy and a cookie policy, and this information must now be written in an easily understandable manner; your terms of service should be written to the same standard. Surely, even if you write it like this, it won't guarantee that things will change and that visitors will start reading it all of a sudden. But not having a clearly stated, easily understandable privacy policy, cookie policy and terms of service will make you vulnerable to being reported for a GDPR compliance violation which, given the penalties proposed, is a luxury you don't really need.


When it comes to creating a solid privacy policy, cookie policy and terms of service, it is advisable to hire a lawyer who will take care of covering all the aspects that need to be covered.


However, there are also online services run by and/or affiliated with professional lawyers that may help you generate a privacy policy, cookie policy and terms of service based on neatly designed wizards and answering plain, understandable questions. Of course, these services are not free, but they are well worth the money. One such service can be found here and is highly praised and recommended by many.


What does all this mean for you as a website administrator who's using Tickera?

Well, since Tickera will require your customers to leave their names, email addresses and potentially other personal data, you will, obviously, have to create a solid privacy policy where you clearly state how and why each and every bit of their information is processed. Now, in order for this privacy policy to make some sense, you will have to get clear consent from your customers that they agree with your privacy policy. To make things as easy as possible, we recommend you to utilize our Terms & Conditions add-on, where you can put all the information needed to let your customers know how their data will be processed and have a checkbox on the cart page which they will have to tick in order to proceed with the ticket purchase.

GDPR also regulates the consent of children: where an online service relies on a child's consent, that consent is only valid from the age of 16 (individual member states may lower this to 13); below that age, a parent or other legal guardian must give or authorise the consent. Now, there is not much you can do about an average minor who has taken their parent's credit card, but being a regulation, you must comply with it, so we have added an option in Tickera Settings to add a checkbox on the cart page which can say something like I hereby declare that I am 16 years or older (or anything else you see fit) and which they must tick in order to proceed with the purchase.
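The two checkboxes described above (privacy policy consent and the age confirmation) are only meaningful if the server refuses a purchase when they are missing and keeps a record it can show later. The following PHP is an added example written for this post; it is not Tickera's code, and the field names (`tc_privacy_consent`, `tc_age_confirmation`), the policy version string, the salt and the sample submissions are all assumptions made for illustration.

```php
<?php
// Added example, not Tickera's code. Field names, policy version, salt and
// the sample submissions below are assumptions for illustration.
declare(strict_types=1);

// Assumed: bump this whenever the wording of the policy changes, so every
// stored consent says which text the customer actually agreed to.
const PRIVACY_POLICY_VERSION = '2018-05-25';

/**
 * Validate the checkout checkboxes on the server. A browser-side "required"
 * attribute is not enough: a crafted POST can simply omit the fields, so the
 * decision to accept the order must be made here. Returns a list of error
 * messages; an empty list means the submission is acceptable.
 */
function validate_consent_fields(array $post): array
{
    $errors = [];
    // An unticked checkbox is absent from the POST body, and a pre-ticked box
    // would not be valid consent under GDPR, so the form renders it unticked
    // and only an explicit "1" is accepted.
    if (($post['tc_privacy_consent'] ?? '') !== '1') {
        $errors[] = 'You must accept the privacy policy to continue.';
    }
    if (($post['tc_age_confirmation'] ?? '') !== '1') {
        $errors[] = 'You must confirm that you are 16 years or older.';
    }
    return $errors;
}

/**
 * Build the record that lets you demonstrate consent later: what was agreed
 * to, which policy version, and when. The email is the key you will need to
 * answer access and erasure requests. The IP address is stored only as a
 * keyed hash, because the raw address is itself personal data.
 */
function build_consent_record(string $email, string $ip, string $salt, int $now): array
{
    return [
        'email'          => strtolower(trim($email)),
        'policy_version' => PRIVACY_POLICY_VERSION,
        'consents'       => ['privacy_policy', 'age_16_plus'],
        'ip_hash'        => hash_hmac('sha256', $ip, $salt),
        'timestamp'      => gmdate('c', $now),
    ];
}

// --- Constructed sample submissions, not real customer data ---
$good = ['tc_privacy_consent' => '1', 'tc_age_confirmation' => '1', 'email' => 'Jane@Example.org'];
$bad  = ['email' => 'jane@example.org']; // checkboxes stripped from the request body

assert(validate_consent_fields($good) === []);
assert(count(validate_consent_fields($bad)) === 2);

// The salt stands in for a per-site secret (in WordPress, wp_salt()).
$record = build_consent_record($good['email'], '203.0.113.7', 'assumed-site-secret', 1527206400);
echo json_encode($record, JSON_PRETTY_PRINT), PHP_EOL;
```

Two design choices worth noting: the record stores the policy version rather than a copy of the policy text, so you must keep every published version of the policy on file; and the consent record is exactly the kind of data you will have to delete or export when a customer exercises their right to erasure or access, so keep it keyed by the same identifier (the email address) as the rest of the customer's data.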

(Screenshot: the age confirmation checkbox option in Tickera Settings)

What about Tickera add-ons?

There are several add-ons for Tickera which rely on third-party services. Wherever that is the case, we have placed a checkbox within the settings of each of these add-ons which you, as website admin, will have to tick in order to acknowledge that you agree with the privacy policy of each of these services. Failing to do so will result in these add-ons not working at all!

Below is the list of add-ons that will require your agreement to the service's privacy policy as website administrator:

  1. MailChimp Newsletter - this add-on offers integration with the MailChimp email marketing campaign service provider, which has its own privacy policy to which you need to agree before you start using it. To do that, navigate to Tickera Settings -> MailChimp tab and tick the checkbox labeled I agree to Mailchimp Privacy Policy (the label is an actual link to MailChimp's privacy policy). Also, MailChimp, as a service, takes responsibility for offering an opt-out option that customers can click at any time within any of the emails sent by this email campaign service provider.
  2. Sendloop Newsletter - this add-on integrates the Sendloop email marketing campaign service provider with Tickera and has its own privacy policy to which you need to agree before you start using it. To do that, navigate to Tickera Settings -> Sendloop tab and tick the checkbox labeled I agree to Sendloop Privacy Policy (the label is an actual link to Sendloop's privacy policy). Of course, Sendloop as a service provider takes responsibility for offering opt-out options that customers can click at any time within any of the emails sent by Sendloop.
  3. Customer Connect - this add-on makes it possible for the Customer.io email marketing campaign service provider to work with Tickera and has its own privacy policy to which you need to agree before you start using it. To do that, navigate to Tickera Settings -> Customer.io tab and tick the checkbox labeled I agree to Customer.io's Privacy Policy (the label is an actual link to Customer.io's privacy policy). Customer.io as a service takes responsibility for offering an opt-out option that customers can click at any time within any of the emails sent by this service provider.
  4. Slack Notifications - this add-on offers integration with the Slack chat service, which has its own privacy policy to which you need to agree before you start using it. To do that, navigate to Tickera Settings -> Slack tab and tick the checkbox labeled I agree to privacy policy of Slack (the label is an actual link to Slack's privacy policy).
  5. Pushover - this add-on offers integration with the Pushover push notifications service, which has its own privacy policy to which you need to agree before you start using it. To do that, navigate to Tickera Settings -> Push Notifications tab and tick the checkbox labeled I agree to Pushover's Privacy Policy (the label is an actual link to Pushover's privacy policy).
  6. Twilio SMS Notifications - this add-on offers integration with the Twilio SMS service, which has its own privacy policy to which you need to agree before you start using it. To do that, navigate to Tickera Settings -> Twilio SMS tab and tick the checkbox labeled I agree to Twilio's privacy policy (the label is an actual link to Twilio's privacy policy).
  7. Seating Charts - this add-on uses services provided by Google's Firebase. Now, although Firebase integration is not mandatory for the Seating Charts add-on to work, it is highly advisable to use it. However, in order for this integration to work, you will have to navigate to Tickera Settings -> Seating Charts tab and tick the checkbox labeled I agree to privacy policy of Firebase.

Apart from these, you may also use our Check-in Notifications add-on, which will send emails to customers when their ticket has been checked in. Now, as this clearly falls under your privacy policy, you will need to state in your privacy policy that you may do this, and your customers will have to agree with your policy in order to proceed with purchasing their tickets.

Also, if you are using our Custom Forms add-on to collect some additional information about your customers, you should state in your privacy policy what information you are collecting about them and the clear purpose of that information, and collect only what that purpose actually requires.


OK. I'm done with everything and I want out. How do I delete all the information?

If you need to delete all the data you have collected using Tickera and its add-ons for whatever reason, you can simply navigate to Tickera Settings -> Delete info tab, where you will find a checkbox for Tickera and each of its add-ons (the ones that store any information in the database) which, if ticked, will permanently delete all the data collected by the selected plugin/add-on. Bear in mind that this only covers your own database: any copies already forwarded to the third-party services listed above have to be deleted through those services separately.

(Screenshot: the Delete info tab in Tickera Settings)


...and what about other plugins I'm using on my website (not Tickera related)?

Well, if the plugins you're using on your website can collect any data from your customers, these will have to be GDPR compliant as well. Of course, the vast majority of authors of such plugins realize this and have either made their plugins GDPR compliant or are working towards that. But, as it is better to be safe than sorry, it would be smart to contact the authors of such plugins and inquire about their plans regarding this.


I want to know more about this

A good place to find further information, apart from GDPR's official website, are the websites listed below:

  • Check out a beautiful infographic on the GDPR subject found here.
  • Also, a good guideline related specifically to GDPR for WordPress website administrators can be found here.
  • If you own or are planning to build an eCommerce website of any kind, you can find a guideline for GDPR compliance here.

All this, including this very post, may seem like the same story told in different ways, and that's not very far from the truth. But, as always, the devil is in the details. We do understand that it is very tedious and boring for any average web developer or site owner to read that amount of legalese (at least it was for us), but please take this as seriously as possible and do everything you can to comply with GDPR. At the end of the day, we are pretty sure that you want to protect your business from legal obstacles and astronomical penalties. So, roll up your sleeves, stack enough coffee pods near you, educate yourself about all the aspects you need to cover, make a list and start working on it one thing at a time. But better hurry up, as the 25th of May is right around the corner.

Good luck!