Today, let’s start with two caveats and a thank you. The thank you goes out to Charlotte who emailed me with a question that made me sit my butt down and write an article that I have been avoiding. The caveats:
- I try to avoid any hint of self-promotion in these newsletters. Any self-promotion in today’s topic is by necessity, not design.
- I am not a lawyer. This is not legal advice.
GDPR stands for General Data Protection Regulation. It is the new data protection law in the EU; it comes into force in May 2018, carries serious penalties, and applies to data collected about EU citizens from anywhere in the world.
This means that pretty much every winery site anywhere needs to care about this.
The aim of the GDPR is to give citizens of the EU control over their personal data and change the approach of organizations across the world towards data privacy. There are two main aspects of the GDPR: “personal data” and “processing of personal data.”
- personal data pertains to “any information relating to an identified or identifiable natural person”, such as name, email, address, or even an IP address,
- processing of personal data refers to “any operation or set of operations which is performed on personal data”, such as storing an IP address on your web server logs.
In plain-speak, GDPR states that if a website collects, stores or uses any data related to an EU citizen, it must:
- Tell the user who is collecting it, why they are collecting it, for how long the data will be retained, and who receives it.
- Receive clear consent before collecting any data.
- Let users access their data, and take it with them.
- Let users delete their data permanently.
- Let users know if data breaches occur.
Here are some common ways in which your winery site might be collecting user data:
- user registrations
- purchasing history
- contact form entries
- analytics and traffic logs
- security tools
If this topic seems daunting, that’s because it is. And most of the information online is geared toward large companies with big budgets. But what about small businesses who want to comply and don’t know where to start?
Before we can even touch GDPR, we need to talk about two very naughty habits common to small, in-house web teams:
- Secure hosting. People, Imma tell you, you get what you pay for. Cheap hosting isn’t always safe hosting. On Monday, email your site host and ask whether they are GDPR compliant or have measures in place to become compliant by the end of May.
- Site maintenance. I can’t tell you how often we go into winery ecommerce sites and discover that the platform/integrations are not updated, and often haven’t been updated for months (or years!). Forget GDPR, this is a major security risk to your site and your data. Schedule a couple of hours every month to keep your site up to date.
GDPR has kept our team up to our eyeballs in new client work for the past four months. I AM NOT A LAWYER, and there is no way that a 5-minute Sunday newsletter can address all things GDPR. But let me help you understand some key takeaways based on months of cleaning up winery sites.
First, how can I convince you that GDPR rocks?! Anyone who has read this newsletter for long knows that I liken your relationship with your customers to a friendship, and compliance with GDPR is the equivalent of transparent, honest communication with your friends. Clear commitments, trustworthiness, and respect. No dark patterns, or subversive defaults and fine print. When in doubt, speak plainly, be truthful, and don’t ignore their concerns.
Here’s your list:
- Get those green locks! If your site does not yet have an SSL certificate, you MUST address this now. Websites that use HTTPS send data over an encrypted connection, an absolute necessity for compliance.
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
- Include or improve your cookie consent. Right now, most cookie notifications assume consent by default (“if you proceed, you accept…”); alter your cookie notification to require clear consent before a cookie can be placed in the user’s browser. See the image below as an example.
- Form default options. It has been common practice on checkout and contact forms to set the default state of checkboxes to OUR preferred customer choice. GDPR means that we need users to actively select their preferences. We should no longer pre-tick YES to choices such as “create account” or “sign up for newsletter”.
- Emails. I have a love-hate relationship with Mailchimp, but they are on the ball with GDPR (so much that, despite my dislike, we are moving all of our clients to Mailchimp). Mailchimp has GDPR-friendly sign-ups. And, don’t forget, ALWAYS have an unsubscribe button on your emails.
- Breach notification. GDPR states that you have 72 hours to notify users if there has been a data breach. These users may include not only registered users but possibly even commenters and contact form submissions, making breach notification an intimidating task for a small site. “Good defense is the best offense.” Now is the time to look at what kind of security you have protecting your site.
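The cookie-consent and form-defaults items above, as an added example in plain JavaScript that is not code from the newsletter or from any tool it mentions; the purpose names, the field shape, and the injected setCookie callback are assumptions made for the example:

```javascript
// Added example, not code from the newsletter: a small consent gate in plain JavaScript.
// Cookies needing consent are written only after an explicit per-purpose opt-in, and a
// form check flags opt-in checkboxes that are pre-ticked. Names below are assumptions.

const PURPOSES = ["analytics", "marketing"];

// Fresh state records no consent at all: continuing to browse is not an opt-in.
function createConsentState() {
  return { granted: new Set(), recordedAt: null };
}

// Call this only from an explicit user action, e.g. a click on "Accept analytics".
function grantConsent(state, purposes, now = new Date()) {
  for (const p of purposes) {
    if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    state.granted.add(p);
  }
  state.recordedAt = now.toISOString(); // keep when consent was given so it can be evidenced
  return state;
}

// Withdrawal must be as easy as granting; cookies already set should then be cleared.
function withdrawConsent(state, purposes) {
  for (const p of purposes) state.granted.delete(p);
  return state;
}

// setCookie is injected (in a browser it would assign document.cookie) so the gate
// itself runs anywhere. Returns true only if the cookie was actually written.
function setCookieIfConsented(state, purpose, name, value, setCookie) {
  if (!state.granted.has(purpose)) return false; // default deny
  setCookie(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
  return true;
}

// A checkbox that records an opt-in (newsletter, account creation) must start unticked.
// Returns the names of offending fields so a template check can fail on them.
function findPretickedOptIns(fields) {
  return fields
    .filter((f) => f.type === "checkbox" && f.optIn === true && f.checked === true)
    .map((f) => f.name);
}

// Constructed checkout form used as sample input.
const SAMPLE_FORM = [
  { name: "agree_terms", type: "checkbox", optIn: false, checked: false },
  { name: "create_account", type: "checkbox", optIn: true, checked: true },
  { name: "newsletter", type: "checkbox", optIn: true, checked: true },
  { name: "gift_wrap", type: "checkbox", optIn: false, checked: true },
];
```

Run against the sample form, the check reports `create_account` and `newsletter`, the two pre-ticked opt-ins the newsletter tells you to stop defaulting to YES.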
Still seeking solutions
Two requirements are still in active development, with only one month to go. It is now possible for a user to both access and delete their data in WordPress, but I haven’t been able to find these features in other DIY or wine-specific ecommerce solutions. If you know more, please tweet me.
I’m way beyond 5 minutes and feel like I’ve only touched on this topic. If you want more information, or need to talk with me about your GDPR concerns, reach out. I skype with wine folks on Fridays, and you are welcome to book a time if I’ve left you with more questions than answers.
[Photo by Eder Pozo Pérez on Unsplash]