NOTE: I am not a lawyer, nor am I an expert on GDPR law. These are just my own thoughts and opinions regarding the law and how I feel it may relate to web designers and their clients at this time. This isn’t to be taken as legal advise.
On May 25th the laws regarding the processing and storing of personal data are changing. I’ll be honest and admit that until recently, I didn’t know what the GDPR was or what it meant. BUT I DO NOW!
Any company that intends to process and store data on EU citizens regardless of the country their business operates in, must comply with the regulations or face heavy fines and damage to their reputation.
When I first learned about it I was terrified. The first thought that entered my head was, “will I be held responsible for clients websites? If so, I’m out!”. But have since tried to educate myself on the matter. I even read the GDPR regulation document to try and understand it for myself.
I searched online and found many opinions in the web design community about what a web developers role might be regarding a clients GDPR responsibilities.
Some felt that we have no role in ensuring a client is compliant. Others suggested that web designers will become the processor for each client. With others then arguing that this couldn’t be the case.
Some things do feel like they’re somewhat open to interpretation. People will have their own opinion about what something means. So I figured I would read the documents myself to develop my own informed opinion, based on the actual text of the regulation its-self.
I believe we are. But I also believe that there are varying degrees of responsibility depending on what the client is asking you to do for them.
If its a simple website with just a contact form that sends an email with no storage of data on the server, I’d say there is minimal responsibility. Note the use of the “minimal” and not “none”.
Outside of this simple website, how the client uses the information sent to them is outside of your control.
Where I believe responsibility starts increasing is when you’re dealing with email subscription forms, directory/listing type sites and more importantly, e-commerce websites. Basically any site that will actively process and handle data (in volume) with an intent/need for collection and storage in more of a digital capacity (i.e. on a server).
It would be my assumption that once a project has moved into a more advanced state, you will most definitely become the processor. At least for a short time.
I don’t think it would be fair for a freelancer or small business to be held to the role of processor for every client they ever work for. It would be impossible to manage and work for 10’s or hundreds of clients long term in that capacity, and ensure compliance every day.
When you are putting a site together for a client (ESPECIALLY ones that will collect more data), the burden of responsibility WILL fall on you.
A client cant build the site themselves, so they’ve come to you. If they can’t code how are they going to be able to make their site compliant? They can’t!
In reading the GDPR documentation I believe (at least right now), that nearly the whole of chapter 3 will become the responsibility of the web designer putting a site together for a client. Perhaps more. But at the very least we need to make sure all articles under chapter 3 can be met.
Your client is running a business and coming to you for a website. They need to be able to provide data on request, and delete data on request (only 2 examples from chapter 3).
If you build a site that doesn’t let the client do these things, you become part of the reason they aren’t able to comply with those GDPR requests. So you could be held accountable for that!
GDPR is quite confusing, so it would make sense for us all to understand it fully so that we aren’t providing clients false information or working on assumptions (or our own interpretation of the law).
Again, I’m not a lawyer and so only offer opinions here. But as I said previously. I believe you will become the processor for the data controller (client). BUT. You shouldn’t be held to it once the site leaves your hands. So long as you’ve fulfilled your obligations and can prove it, I would imagine you would be safe (or at least hope you would be).
One idea might be to have something like a “contract of release”. If you’re 100% happy that the work you’ve done is GDPR compliant come time to put the site live, maybe list what you’ve done and what you put in-place to ensure the client can fulfil their obligations with regards to GDPR.
If you made a WordPress site and researched and vetted the plugins you used for compliance and provided a way for the client to access/delete data as and when needed to comply. Note the plugins and how you made sure everything was compliant.
If the client was to then go rouge and add non-compliant plugins or somehow changes the site and ends up breaking the law, its not your fault as the client did that themselves. You’d have proof of the plugins that were installed when the site was released to the client.
Perhaps even add that if they choose to add new things to the site they must consult a professional developer who can advise them and help maintain continued compliance by installing and configuring it for them.
We’re heading in to murky waters and over time these matter will become easier to understand, and hopefully a little clearer. But if you’re offering web design for other businesses. You owe it to them and yourself to understand what GDPR is, and how you can better serve your clients.