June 13, 2018

GDPR for Small Business: A DIY guide

SCC Governance, Risk and Compliance

What is GDPR?

There are thousands of websites that define what the General Data Protection Regulation (GDPR) is. This blog intends to provide a basic understanding of GDPR and how Saaby Consulting Company (SCC) is applying both its spirit and its requirements to this website.

GDPR was enacted to protect how data is collected, processed and stored for citizens of the European Union. Even if your business is not in the EU, if you collect and/or process data from EU citizens, GDPR legislation applies to you.

GDPR and Information Collection, Usage and Storage

We all know that companies are collecting and storing MASSIVE amounts of data on all of us. It seems like every site you visit on the Internet demands personal data to access the content. This information is used to build databases, deploy marketing campaigns, create email lists, etc. Many companies are in the business of selling customer lists – data brokers. These lists can be worth a LOT of money.
But some companies have gone too far and don’t have much interest in protecting the information they collect (data breaches, anyone?). That’s not a good thing. SCC supports controlling and regulating the amount and usage of data that is collected on customers, regardless of where they are from. Therefore, SCC has decided to support the GDPR initiative as much as possible and apply it to all customers and site visitors.

GDPR and Small Business

As small business owners, we have long understood the value of our customers. But A LOT of what we do is best-practice DIY. The average small business simply can’t afford to have on-staff legal counsel, financial counsel, marketing counsel, etc. We also can’t afford the fees for GDPR consultants, so we do the best we can to service our customers and comply with all mandates and best practices.
Quick fact: Most businesses in the United States are small. In fact, according to the Small Business & Entrepreneurship Council, 85% of businesses have fewer than 20 employees. GDPR rules are a little less stringent if you have fewer than 250 employees, but they are still applicable to the collection, processing and storage of data for EU citizens.

SCC’s review of GDPR and what we did to comply.

SCC’s Internet presence consists of a website built with WordPress. WordPress is an open source content management system (CMS). In simple terms, we used SaaS (software as a service) to create a splash page that tells visitors what type of services we provide, posts our blogs and brands the company.

Determine any essential data that MUST be collected from customers and site visitors to do business.

We started out doing this review based on GDPR, but decided to apply these practices to ALL customers, regardless of where they are from.

Websites collect information in two ways: voluntary or involuntary.

VOLUNTARY collection of information. This one was pretty easy. Customers are asked to sign-up for email lists, receive downloads, opt-in to newsletters, provide consent, etc.
Depending on what this form is asking for, the customer is providing some degree of personal information.
The EU definition of personal information is here. The US definition of Personally Identifiable Information (PII) is here.

SCC GDPR solution: SCC does not sell any products from the webpage. We decided to remove all contact/signup forms, including third party applications, from the website. Users should limit the personal data submitted via the “contact us” option to that information that is “necessary to do business”.

INVOLUNTARY collection of information. This gets a little more complicated. Third party applications and marketing companies are collecting information from site visitors including site usage, payment methods, browser, etc.

Cookies identify customers and site visitors. You might not be aware of it, but most websites use cookies. GDPR has compliance rules for cookie use.

Cookie search.

We used www.cookiebot.com (free version) to check the site for cookies. Here are the results:

  1. First report 5/12/18. Report results: 4 cookies – all cookies were rated as “adequate”.
  2. After 5/12/18, a WordPress social media plugin was installed. We re-ran the www.cookiebot.com scan on 5/27/18. Report results: 48 cookies, some with warnings that these cookies had “no prior consent”. As we understand it, these would be violations of GDPR; therefore, the social media plugin was removed.
  3. Third report 6/12/18. Report results: 28 cookies. None of the cookies (except Google’s doubleclick.net, see below) that were on the May 27th report appeared on this new report. There are no “prior consent” cookies on our site and all cookies are rated as “adequate”. The summary below will also be posted in the Privacy Policy and will be updated in that Policy periodically. SCC receives NO information from any of these companies regarding customers’ personal data and did not authorize them to collect such.
  4. Fourth report 11/08/2018. Report results: 10 cookies. Please see the updated Privacy Policy for results.
Cookies found.
  1. Casalemedia.com: Click here to opt out.
  2. Google.com: This is based on my AdWords/Analytics/Search Console accounts. Click here to install the Chrome add-on for Analytics opt-out. *
  3. Openx.net: Click here to opt out.
  4. Doubleclick.net (also known as Google). Click here to opt out.
  5. Pubmatic.com: Click here to opt out.
  6. 360yield.com: Click here to opt out.
Third Party partners.
  1. Our third party partners are disclosed below. Click on each one to review their respective Privacy Policies. SCC receives no personal data that could identify a single/multiple user(s) from these partners.
    1. PayPal
    2. Cloudflare
    3. GoDaddy
    4. Siteground
    5. WHOIS This link is to an interesting result of GDPR implementation and is provided for educational purposes only.

SCC GDPR solution: We have removed all third party applications that are not essential for doing business. In the interest of transparency, we have also identified all known business partners, both in this blog and in our Privacy Policy. In addition, links have been provided wherever possible for “opt-out” processing.

*An exception to these cookies is regarding data that Google AdWords/Analytics/Search Console accounts collected via this website. That exception is regarding the collection of IP address(es). Since GDPR has ruled that IP addresses CAN be considered personal data, further explanation is required.

There are two types of IP addresses. This blog is not intended to explain IP addresses, but links are included below for further review.

Static IP addresses

You must ASK your Internet Service Provider (ISP) for a Static IP address and pay additional costs for its use. In our opinion, if you, as a company or as an individual, have a need for a Static IP address, it’s reasonable to assume you have the capability, and the responsibility, to control access to your own personal data.

Dynamic IP address

Most customers will be accessing websites from this type of IP address. This IP address does not “belong” to a single user and does NOT identify a single user. This IP address “belongs” to the ISP. The ISP CAN identify single users, however, small businesses do NOT have the “legal means” to access or request single/multiple user information from ANY ISP.

SCC GDPR solution: Google account settings allow IP Anonymization. Google IP anonymization is active on our website and covers both IPv4 and IPv6. For more information on IPv6 (all mobile phones use IPv6) click here.

As a final note on cookies, in the most current report, www.cookiebot.com advised that the website has over 100 pages and the account must be upgraded to the paid version. This advisement is not consistent with previous results and sufficient explanation was not provided for this inconsistency. We will find another way to check the site periodically for cookies.
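As an added example of a periodic cookie check that can run offline (this is not SCC’s code and not a cookiebot feature), the script below parses Set-Cookie headers captured from page responses, classifies each cookie as first- or third-party against an assumed site host (www.example.com), flags any third-party domain that is not on the disclosed list above, and notes cookies missing the Secure attribute. The header lines are constructed samples, and the script assumes Python 3.8 or later for SameSite support in http.cookies.

```python
"""Offline cookie audit: classify Set-Cookie headers as first- or third-party
and flag cookies from domains not on the published partner/opt-out list.
Added example, not SCC's code; the header lines below are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumption: the audited first-party host

# Domains the blog discloses (cookies found plus third-party partners).
DISCLOSED = {
    "casalemedia.com", "google.com", "openx.net", "doubleclick.net",
    "pubmatic.com", "360yield.com", "paypal.com", "cloudflare.com",
}

# Constructed sample of (response URL, Set-Cookie header value) pairs.
SAMPLE_RESPONSES = [
    ("https://www.example.com/",
     "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://ads.doubleclick.net/pixel",
     "IDE=xyz; Domain=.doubleclick.net; Path=/; Secure; SameSite=None"),
    ("https://static.example.com/a.js", "pref=1; Domain=.example.com; Path=/"),
    ("https://tracker.undisclosed-ads.example/ping",
     "uid=99; Domain=.undisclosed-ads.example; Path=/"),
]

def registrable(host):
    """Crude eTLD+1 (last two labels); assumes no multi-part public suffixes."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def audit(responses, site_host=SITE_HOST, disclosed=DISCLOSED):
    """Return one dict per cookie: name, domain, party and a list of findings."""
    results = []
    for url, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        resp_host = urlsplit(url).hostname or ""
        for name, morsel in jar.items():
            # Without a Domain attribute the cookie belongs to the responding host.
            domain = registrable(morsel["domain"] or resp_host)
            party = "first" if domain == registrable(site_host) else "third"
            findings = []
            if party == "third" and domain not in disclosed:
                findings.append("undisclosed third-party domain")
            if not morsel["secure"]:
                findings.append("missing Secure")
            results.append({"name": name, "domain": domain,
                            "party": party, "findings": findings})
    return results
```

Feed it the Set-Cookie headers exported from a browser’s developer tools or a proxy capture of your own site, and any cookie reported as “undisclosed third-party domain” is a plugin or partner that needs either removal or an entry in the Privacy Policy.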

Even though SCC has NO cookies that require an “opt-in”, we created a cookie notice for the website. We used https://cookieconsent.insites.com/ to create it. This banner displays a notice of cookie use and a link to the SCC Privacy Policy.

How Users can protect their Privacy

Users have the capability and responsibility to protect their information on the Web.

Included below are links to all the major desktop browser applications for controlling cookies. Android and iOS have more limited settings for disabling cookies. Please review your mobile device operating system capabilities to determine your settings.

  1. Chrome settings for cookies
  2. Firefox settings for cookies
  3. Internet Explorer settings for cookies

Virtual Private Networks (VPN): VPNs hide your true IP address. Some websites in the US have decided to block EU users from their websites as a GDPR compliance strategy. This strategy will affect VPN usage and may require additional review and configuration changes. SCC highly recommends the use of a VPN service.

Private and Incognito browsing. These applications are NOT 100% anonymous. For general browsing purposes, they should be okay to use to block tracking. For a more thorough private browsing experience, consider DuckDuckGo or Opera.

The ‘surface’ Internet is not private! These instructions should suffice for the AVERAGE user. See our blog “How Does Experian Scan the Dark Web” for more information.

This blog is based on research and subject matter expertise, but is specific to this website and the type of business/services provided here. There is no one-size-fits-all approach to GDPR compliance, and each entity should consider their acceptable level of risk and legal ramifications in determining their strategies.

SCC is a strong advocate for responsible use of the Internet. If you have questions about GDPR for your business or would like to learn more about our solutions, please contact us.

Copyright © 2017-2020 Saaby Consulting Company