Often the website operator is told, that Data protection is complex and has to be organized by experts. But what if she doesn’t have the money for that? If it seems somehow nonsensical to shoot at a sparrow blog with the cannon of a paid team of experts? Then — maybe and with the help of Google — she installs some popular WordPress plugins for privacy and/or cookies — in the hope that all goes well. Or she investigates it in more detail. And in the end, she perhaps gathers rules of thumb, from which at least one well-workable way results. Here are my 3.7 rules of thumb:
- I. Use only the personal data that you really need for the functioning of your system.
- II. If you collect personal data, tell the owners,
- that you are going to do so,
- for what purpose you use the data,
- what legal basis authorizes you to do so,
- with whom you share the data,
- how long you will store it,
- how they can ask you which data you have stored over time
- how they can have the data deleted again.
- III. If you store data on the computer of your users, which they did not request directly or indirectly, ask them beforehand for permission.
If I proceed according to this — so I make myself believe again and again — I will design my sites in a way that I avoid the roughest traps1 and errors2. Because I always have one thing in mind: with a mere cookie banner it is not done:
- The first thing I consider is where my blog as a system collects personal data. The ones that I explicitly request in and with forms are the easiest for me to notice and remember. Here I know — qua office — what I do with them and to whom I pass them etc.
- Furthermore, I am aware that IP addresses are also considered personal data — although the internet would not function without them.
- Eventually, my commenters are usually made recognizable via the common Gravatar system.
I have to sort out this mishmash:
- Rule (I) tells me that less is more: the fewer data I ask for and the fewer plug-ins I use, the leaner my data protection concept can be. So I clean out here, e.g. by treating productive and developing systems differently.
- Rule (II) tells me that I must actually describe the remaining data sets in the data protection concept. So I also determine what data my plugins, font requests, and other technical components collect, how they store it, and where they pass it on.
- Rule (III) tells me that I have to get permission to write files, i.e. cookies, to my user’s computer — either by law, as in the case of technically necessary cookies, or by consent of my user. And to get this consent, it is helpful to specify the purpose and effect.
My next posts describe how I have implemented this in my bootScore-based site concretely.