Marketing Your Creative And Business Ideas Since 1996
A Certified NYS Women's Business Enterprise
Are You Ready for GDPR?

Disclaimer: We are not attorneys. These recommendations are based on our research and interpretation of the General Data Protection Regulation (GDPR). Sources are cited below. GDPR is complex and interpretations vary, so we also recommend you discuss this with your attorney if you have further questions.

What is GDPR?

GDPR is the General Data Protection Regulation, a European Union (EU) regulation that protects the privacy of EU citizens as they use the internet. It essentially requires consent before you collect any information that could identify a visitor to your website, including the numeric IP address of the computer they used to reach it.

Additionally, that information cannot be transferred to third parties without consent. For example, a visitor's IP address is sent to Google Fonts every time your page requests a font from there for the page they are viewing.

GDPR will be followed closely by the ePrivacy Regulation, which will complement it. ePrivacy will require consent to leave a cookie on the visitor's device, consent for online marketing, and consent for cross-platform ad targeting.

Opt-In vs Opt-Out

This is a VERY important distinction. In the past, many websites automatically had the box checked for “join the mailing list” type options when filling out a form. When people did not want to join the mailing list, they would “opt-out” by unchecking the box. Otherwise, it was assumed they wanted to “opt-in.” To comply with GDPR, the box must remain unchecked and users must actively check the box in order to opt-in.

Rights Under GDPR

Under GDPR, individuals have the following rights:

  • Right of access – the ability to obtain all data you have stored on that individual
  • Right to rectification – the right to correct, revise, or remove any information you have on that individual
  • Right to be forgotten – the right to have that individual’s information completely deleted
  • Right of portability – the right of an individual to receive the data you have stored in a machine-readable, commonly-used format
  • Right to object – the right to remove themselves (opt-out) from any service you are using with their data at any time (e.g. analytics, email marketing, etc.)

Data Controller vs Data Processor

GDPR operates under the assumption there are two players every time data is exchanged. The first is the Data Controller, who must be a person. The data controller determines what data needs to be collected and how that information is then processed. For many small businesses, the data controller is going to be the business owner or person charged with setting up databases and keeping track of user data.

The second is the Data Processor. This can be a person or a company/software/other entity. For example, Google is considered the Data Processor for Google Analytics data. Your hosting provider could be the processor if the database containing personal data is stored on their servers. The processor has legal liability if there is a data breach.

Am I affected if my business is US-based?

In one word, yes. GDPR was designed to protect the personal information of European Union citizens. That means that if a person from England, Germany, or any other EU country visits your website, you are bound by GDPR.

What are the penalties for non-compliance?

£20 Million (~$27 Million) or 4% of annual global income, whichever is greater, for failing to ask for consent.

2% of your annual global revenue for failing to disclose a data breach.

What does my company need to do to comply?

This is still very fluid and complicated. While the regulation was approved in 2016 and companies were given until May 25, 2018 to comply, guidance is still forthcoming and the major players (e.g. Google, Facebook, etc.) are still working on their compliance.

Based on our reading and interpretation, we know the following are very important:

  • Create a Privacy Policy – You must have a privacy policy that answers the following questions:
    • Who you are
    • What data you are collecting
    • Why you are collecting the data and how you intend to use it – it is no longer okay to blanket collect everything because you might need it someday. Only collect what is exactly necessary to get the job done.
    • How long you will be keeping that data
    • Who will have access to the data – this includes plugins and third party applications, such as Google Analytics, your CRM (e.g. Salesforce, Hubspot, etc.), accounting (e.g. Quickbooks Online), and anywhere else you store personal or sensitive data.
    • How a person gets a copy of the data you have stored on them
    • How a person goes about deleting (not just unsubscribing) all the data you have on them
    • How you will notify users of a data breach
  • Ask for explicit consent everywhere you ask for information
    • Every form should have a “I consent to my submitted data being collected and stored” type statement. It is a good idea to reference your privacy policy. This must be a required field.
    • Consider a plugin to provide a notice that you use cookies and will be collecting and storing information according to your privacy policy.
  • Anonymize IPs for Google Analytics – an IP address is typically in the form: ###.###.###.###, where the complete set of numbers identifies the location of the computer. Anonymizing the IP address will set the last octet to 0, sending ###.###.###.0 to Google Analytics. This protects the privacy of your website visitor but does sacrifice some granularity with geocoding your users.
  • Discover what data your company collects:
    • Review URLs – make sure that you never transmit user ids, IP addresses, or other sensitive data in the URL when a form is submitted. This data will end up in your log files.
    • Review all personal data collected across all platforms – is any personal? Is any sensitive*?
    • Determine where your data is stored and its expiration policy – if you keep backups, for how long do you store and archive data?
    • Determine whether any third parties (e.g. Google Analytics) store any data on your behalf
    • Check the security of your data
  • Consider a Data Protection Officer – each company should appoint a Data Protection Officer to understand and manage all the data you collect.
  • Document everything – what are your policies and procedures for handling and securing personal and sensitive data?

* See “The GDPR: What is sensitive personal data” for a good definition
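The "Review URLs" item above is easy to check against your own access logs. The following is an added example, not code from the original article: it scans web-server log lines for query-string parameters that carry personal data, either because the parameter name is one you know holds it (the list of names is an assumption you should adapt to your forms) or because the value looks like an e-mail address or an IPv4 address. The log lines are constructed for the demonstration.

```javascript
// Parameter names assumed to carry personal data; adapt to your own forms.
const SENSITIVE_PARAM_NAMES = new Set(["email", "user_id", "uid", "ip", "phone"]);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// Pull the request target out of a Common Log Format line, e.g.
// 203.0.113.7 - - [08/May/2018:10:00:00 +0000] "GET /contact?x=1 HTTP/1.1" 200 512
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|PUT|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// One finding per suspicious query parameter: { line, param, reason }.
// A POST body never appears in the log, so only the URL is inspected.
function findPersonalDataInUrls(lines) {
  const findings = [];
  for (const line of lines) {
    const target = requestTarget(line);
    if (!target) continue;
    // Dummy origin so a relative path parses with the WHATWG URL API;
    // searchParams also percent-decodes values (e.g. %40 -> @).
    const url = new URL(target, "http://example.invalid");
    for (const [name, value] of url.searchParams) {
      if (SENSITIVE_PARAM_NAMES.has(name.toLowerCase())) {
        findings.push({ line, param: name, reason: "sensitive parameter name" });
      } else if (EMAIL_RE.test(value)) {
        findings.push({ line, param: name, reason: "value looks like an e-mail address" });
      } else if (IPV4_RE.test(value)) {
        findings.push({ line, param: name, reason: "value looks like an IPv4 address" });
      }
    }
  }
  return findings;
}

// Constructed sample log: a GET form submission leaking a user id, a clean
// POST, a search whose parameter value is an e-mail address, a clean search.
const SAMPLE_LOG = [
  '203.0.113.7 - - [08/May/2018:10:00:00 +0000] "GET /contact?uid=42&q=hello HTTP/1.1" 200 512',
  '203.0.113.7 - - [08/May/2018:10:00:05 +0000] "POST /contact HTTP/1.1" 302 0',
  '198.51.100.2 - - [08/May/2018:10:01:00 +0000] "GET /search?contact=jane%40example.com HTTP/1.1" 200 1024',
  '198.51.100.2 - - [08/May/2018:10:02:00 +0000] "GET /search?q=gdpr+checklist HTTP/1.1" 200 1024',
];

for (const f of findPersonalDataInUrls(SAMPLE_LOG)) {
  console.log(`${f.reason}: parameter "${f.param}" in ${f.line}`);
}
```

Run it against a copy of a real access log (one line per array element) and any hit is a form or link that should switch to POST or drop the parameter.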

What About Cookies?

Websites, shopping carts, Google Analytics, Facebook pixels, and others use ‘cookies’ to track where users are on the website and what they do while on the website. The European Union has an ePrivacy Regulation that will take effect later this year or early next. It essentially bans unsolicited marketing and cookies. As with GDPR, the use of cookies comes down to the consent of the user.

How to Comply

GDPR is complex and even less than three weeks from implementation, WordPress, Google, Facebook, and other major players are still working out exactly what they need to do to their applications to make them compliant.

IMC is offering the following GDPR Checkup based on our research. Again, we are not attorneys and suggest that you have an attorney review any documents created. However, with so many questions still surrounding what exactly US-based companies need to do to comply, we recommend taking some basic steps now that are considered good practice anyway.

We recommend the following steps:

  1. Website Audit – during a website audit, we will click through every page and complete every form to determine the following:
    • Are there any 3rd party applications in use – what data do they collect and will they comply with GDPR?
    • Are there any links/URLs that contain personal or sensitive data?
    • Do you ask for consent every time you collect information on an opt-in basis?
  2. Software Additions/Upgrades – we will do the following:
    • Upgrade you to WordPress 4.9.6 to help with your Privacy Policy generation
    • Install a GDPR Compliance plugin to help guide us through your website
    • Install a warning bar stating the website uses cookies and tracks your IP address
  3. Review your Google Analytics Settings – this is done to make sure the IP addresses are anonymized and that sensitive data, such as usernames, is not sent to Google.
  4. Review Data Storage Policies – what do you do with any data sent to you via the website?

The cost for this service will depend on the size of the website and the number of 3rd party plugins and applications.
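To see what Google Analytics actually receives once IP anonymization is switched on (the "Anonymize IPs" item and step 3 above), here is an added example that is not the article's or Google's own code. It reproduces the masking Google describes in the "IP Anonymization in Analytics" source: for IPv4 the last octet is set to 0, and it goes beyond the article by also covering IPv6, where Google states that the last 80 of the 128 bits are zeroed. The masking itself happens on Google's side once the setting is enabled; this local function only lets you check the result for an address of your choice. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are not handled.

```javascript
// IPv4: keep the first three octets, zero the last one.
function anonymizeIPv4(ip) {
  const parts = ip.split(".");
  const bad = parts.length !== 4 ||
    parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255);
  if (bad) throw new Error(`not an IPv4 address: ${ip}`);
  parts[3] = "0";
  return parts.join(".");
}

// IPv6: expand "::" into eight 16-bit groups, keep the first three groups
// (48 bits) and zero the remaining five (80 bits), then re-compress.
function anonymizeIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error(`not an IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  // Without "::" the address must already have exactly eight groups.
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (groups.some(g => !/^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  // Normalise the kept groups (lowercase, no leading zeros) and drop
  // trailing zero groups so the zeroed 80 bits fold into a single "::".
  const kept = groups.slice(0, 3)
    .map(g => g.toLowerCase().replace(/^0+(?=.)/, ""));
  while (kept.length && kept[kept.length - 1] === "0") kept.pop();
  return kept.length ? `${kept.join(":")}::` : "::";
}

// Dispatch on address family.
function anonymizeIP(ip) {
  return ip.includes(":") ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Constructed sample addresses (documentation ranges, not real visitors).
for (const ip of ["203.0.113.7", "2001:db8:85a3:0:0:8a2e:370:7334"]) {
  console.log(`${ip} -> ${anonymizeIP(ip)}`);
}
```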

Sources

General Data Protection Regulation
Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Last Accessed: 5/8/2018

EU GDPR Information Portal
https://www.eugdpr.org/
Last Accessed: 5/8/2018

IT Governance – The GDPR: What is sensitive personal data
https://www.itgovernance.eu/blog/en/the-gdpr-what-is-sensitive-personal-data
Last Accessed: 5/8/2018

Information Commissioner’s Office: Key Definitions
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
Last Accessed: 5/9/2018

Google: Our Commitment to GDPR
https://privacy.google.com/businesses/compliance
Last Accessed: 5/8/2018

Google Support: IP Anonymization in Analytics
https://support.google.com/analytics/answer/2763052?hl=en
Last Accessed: 5/8/2018

Elegant Themes Blog: How to Make Your Websites GDPR Compliant
https://www.elegantthemes.com/blog/tips-tricks/how-to-make-your-websites-gdpr-compliant
Last Accessed: 5/8/2018

Elegant Themes Blog: A Quick Guide to Data Protection Regulations in 2018
https://www.elegantthemes.com/blog/resources/a-quick-guide-to-data-protection-regulations
Last Accessed: 5/8/2018

Constant Contact Blog – GDPR: What You Need to Know and How Constant Contact Helps You Comply
https://blogs.constantcontact.com/gdpr-how-to-comply/
Last Accessed: 5/8/2018

WPMUDEV – Is Your Website GDPR Compliant?
https://premium.wpmudev.org/blog/gdpr-compliance/
Last Accessed: 5/8/2018

Twitter Security Issue – Time to Change that Password Again

What’s with that popup we all got this morning? Due to a bug that has since been resolved, every Twitter account password was being stored in an internal log, unmasked. There is no evidence that the log was hacked, but out of an abundance of caution, Twitter representatives strongly encourage everyone to change their password.

Twitter representatives also urge users who use the same password for multiple accounts across the internet (e.g. users who used the same password for Twitter as for Facebook, email, mobile banking, etc.) to change those as well. They also suggest that users set up two-factor authentication on whatever platforms allow it.

For more information, see the official Twitter Blog article on the subject, or the Mashable article with some additional commentary.

22 Years

22 years ago, I took a leap of faith. I had just finished graduate school and was looking for a job. After a few people told me they could use me as a consultant, I started a consulting company. The first project I got was for a website. The rest, as they say, is history. I focused on websites for a long time — I even had a local business leader tell me I was wasting my time because the internet was “just a fad.” That fad is still here and definitely not going anywhere.

18 years ago, I added my first employees.

In the past 22 years, we have built close to 300 websites. We currently host 200 websites. We are most proud of the 20 non-profit organizations we have helped.

As times changed, so did we. IMC also offers print design, branding, email marketing, and social media consulting/management.

Here’s to seeing what the next 22 years will bring!

Beth

Customer Support & WordPress Specialist

IMC is Hiring Again!

We are looking to fill an entry-level professional position dedicated to supporting our existing customer base and new customers from our Arts Spark project.

The successful candidate will be a technically-oriented person with stellar communication skills. Tasks begin with answering the phone and providing 5-Star customer support by:

  • Updating websites with new content using a variety of CMS platforms
  • Assisting customers as they set up email on new devices
  • Answering questions customers have as they update sites using WordPress
  • Troubleshooting email and website issues, handing off to a programmer if necessary
  • Performing security updates on CMS software and plugins/modules

The successful candidate will have the following minimum skills:

  • Excellent communication skills, both written and oral
  • Ability to multi-task and prioritize as well as think on your feet
  • Ability to work as part of a team
  • Ability to ask questions
  • Advanced knowledge of HTML and CSS
  • Basic knowledge of WordPress systems
  • Working knowledge of Adobe Photoshop
  • Working knowledge of PC, Macintosh, mobile, and Gmail email systems
  • Ability to work in our office in Saratoga Springs – remote work is not an option
  • Attention to detail

IMC is a fast-paced environment tracking multiple projects in development concurrently, with a primary goal of delivering a quality product on time. The right candidate will receive a competitive salary, personal time, paid holidays, and contributions toward health insurance.

To be considered for this position, please send:

  • a letter of introduction
  • your resume
  • names and contact information for your references

to jobs@imediaconsult.com.

Please note, this is not a coding or design position. This is an HTML/CSS and customer support position.
