This page will list all the 3rd parties (apart from clients and customers) with whom your personal information may be shared, what each of them is doing about becoming GDPR compliant and what rights you have.
Below are the tools and software used within this site and Khalifa Media:
- G Suite & Google Cloud
- Google Analytics
- Facebook Pixels
- Ninja Forms
[Last updated 24th April 2018]
ConvertKit is the main choice of email platform for this site when it comes to creating an email list and sending newsletters. This is one area of attention for many people when it comes to being compliant with GDPR.
The company has a dedicated page on how they are tackling GDPR, what new features they will release and what advice to follow [source].
Across the site, you may have spotted various opt-in boxes such as the one below:
Not only will you need to manually insert your details above to be included in the newsletter, but you will also need to “double opt-in” to provide further consent that you are happy to join the newsletter.
However, ConvertKit are also working on creating a consent checkbox, much like the Ninja Forms contact form above, to provide clearer consent. Once that is launched, I will implement it on the relevant opt-in forms, specifically those which offer e.g. downloads, but this does not necessarily mean that you are included in the newsletter too.
On top of that, neither this site nor ConvertKit will process “sensitive personal data”.
You have the right to unsubscribe from any newsletters received by clicking on the ‘unsubscribe’ button at the bottom of all newsletters.
You also have the right to be forgotten, which we can do for you via ConvertKit.
If you look on the bottom right-hand corner of the screen, you will notice a chat tab, which is powered by Drift.
Drift is fully involved in being compliant with GDPR by taking “any action necessary to ensure that we handle customer data in compliance with applicable law by the 2018 deadline, while continuing to move fast and build great products.” [source].
These include building new features to allow them to delete the data of any individual users, which is a right that you have when you are submitting your name and email address with the chat section.
And your details will not be used for any marketing campaigns without your consent.
Evernote plays a big part in making sure that I provide value to my clients and my visitors by allowing me to become better organised with my projects. But naturally, this also means that I collect and store data on their platform, which means that it is crucial for me to make sure they are doing something about being compliant with GDPR.
G Suite & Google Cloud
Another set of Google products are G Suite and Google Cloud, which are platforms that allow you to have business email (Gmail), video conferencing (Hangout), online storage and file sharing (both on Drive).
Like GA above, Google is committed to GDPR compliance across G Suite and Google Cloud Platform services when the GDPR takes effect on 25 May 2018 [source].
As the most popular data analytics tool in the world, Google Analytics (GA) is a useful tool for website owners and marketers. It provides useful details to understand more about how you and your users are accessing your site. It will enable me to gain a better understanding of whether it is providing for your needs and how I can do a better job of providing these for you.
That said, GA does collect a large amount of data.
In this situation, Google is “working hard to prepare for the EU’s General Data Protection Regulation” and “to meet the GDPR’s requirements around Privacy by Design and Privacy by Default” [source].
When accessing this site, the cookie placed on your hard drive will allow GA to collect various data about you, such as the device used, browser used, city location. Nonetheless, Google has a ‘Data Retention’ option which allows Khalifa Media to “set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers” (from 25 May 2018).
This applies “to user-level and event-level data associated with cookies, user-identifiers (e.g. User-ID) and advertising identifiers (e.g. DoubleClick cookies, Android’s Advertising ID, Apple’s Identifier for Advertisers).”
As of 25 May 2018, the Google Analytics user and data event retention on this website will not automatically expire – this is a choice made by Khalifa Media.
Another step that I will take is to ensure there is no PII (Personally Identifiable Information) collected when accessing the site. I have already taken the steps to audit and remove any signs of PII where possible. This includes removing any signs of PII linked to you using the contact form or opting in to newsletters, and anonymising your IP address.
I only work with 3rd parties who comply with GDPR if they are integrated with Google Analytics. This can help to remove any PII.
Facebook as a whole is committed and preparing to “comply with current EU data protection law and will comply with the GDPR. Our GDPR preparations are well underway, supported by the largest cross-functional team in Facebook’s history” [source].
This site in particular uses Facebook Pixel – a piece of code which allows me to add a cookie onto your hard drive to monitor your activity and also create targeted adverts when I choose to do so via Facebook’s advertising platform. It also allows me to optimise conversions and create a custom audience, which segments visitors based on specific actions.
As described in my cookies policy, “You can choose to accept or decline cookies. Although most web browsers automatically accept cookies, you can usually modify your browser setting to decline cookies to your preference” and the page will show you how you can do so for your own browser.
My pixel is unique to my site but I do not place the same pixel on any other sites that I have access to.
Our first choice for accounting software to manage finances is FreeAgent.
The company is “constantly improving the technical and organisational security measures we have in place to protect your data and are working hard to ensure we’ll be fully compliant with GDPR when it comes into force. The work we are doing will also help you with your own compliance obligations regarding any customer data held within FreeAgent” [source].
When working with Khalifa Media, along with FreeAgent, we will collect information such as your name, company name, address, phone number, email address, bank account details and VAT number. But FreeAgent “will not collect, store or process data that is labelled as sensitive under GDPR” such as religion, sexual orientation and ethnicity.
Hotjar is a popular analysis and feedback tool which allows me to better understand my users’ needs and to optimize this service and experience. Hotjar is a technology service that helps me better understand my users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables me to build and maintain my service with user feedback.
Neither Hotjar nor I will ever use this information to identify individual users or to match it with further data on an individual user.
You can opt-out of the creation of a user profile, Hotjar’s storing of data about your usage of my site and Hotjar’s use of tracking cookies on other websites, by following this opt-out link.
According to their site: “Hotjar is fully committed to achieving compliance with the GDPR prior to the regulation’s effective date” [source] and began the process back in June 2017. I have signed a data processing agreement to make sure I comply with GDPR and respect my users’ right to privacy.
The main focus of this is to request consent from you, the user, whenever you are using the contact form.
When using the contact form, you will have to provide consent for me to collect your name and email address, which is mandatory if you want to contact me. You can do so by ticking the checkbox.
And unless you have given consent, your name and email address will not be used for any marketing campaigns like a newsletter.
Below is an example of what that consent looks like, which you can also see on the contact me page:
You have the right to request information on what I have collected from you. You also have the right to request that I delete it, which I will be happy to do.
Slack is committed to ensuring they are strengthening and standardising their user data privacy. Their “global team is working diligently to bring Slack’s product offerings and contractual commitments in line so customers can prepare themselves before 25 May 2018” [source].
Even though Slack is primarily a chat tool, it is a powerful place to have automated tasks such as having Drift conversations with a site visitor or to receive notifications about a project completion via Trello.
But it’s all the more reason to make sure not only that Slack are working on being compliant, but also that I only work with companies that are serious about being GDPR compliant too, particularly if they can be synced with Slack.
As a productivity and project management tool, Trello is a big favourite. But it is also a place that contains information such as clients’ project plans and this site’s content ideas.
Nonetheless, Trello is committed to data privacy by implementing a “company-wide GDPR compliance strategy leading up to 25 May 2018 and beyond” [source] and helps me to fulfill any requirements under GDPR.
You have the right to request that any data associated with you be removed.
As the main choice of CMS (content management system), the team at WordPress.org “is focusing on creating a comprehensive core policy, plugin guidelines, privacy tools and documentation” [source].
At the moment, by commenting on blog posts, you will also be sharing your name, email address, IP address and potentially your gravatar image. These details will not be used elsewhere, such as the newsletter list or for marketing campaigns.