GDPR is coming here.
Chances are that you may have heard of it in the context of a mind-blowing €20,000,000 fine if you are found to be non-compliant.
From my research, I can see that there is a lot of fear-mongering on the topic. Lawyers and consultants are using it as a cash grab to sell expensive kits and training.
Quick summary: GDPR, which stands for the General Data Protection Regulation, is a new law that became enforceable on 25 May 2018. It is designed to promote greater transparency, enhanced rights for individuals and increased accountability of organizations. While it applies specifically to EU citizens, in practice it affects every website in the world because EU citizens can visit your little corner of the web wherever they are.
Thankfully, my research also found some plain-speaking and straight-shooting resources to explain what GDPR is and how to get compliant. This article aims to outline what I’ve learnt and share these resources with you.
TABLE OF CONTENTS
- Are Website Owners Really At Risk Of A €20m Fine?
- Big Honking Disclaimer
- Making A Commitment To Data Protection
- Getting Your WordPress Site GDPR-Compliant
- Conclusion and Further Resources
Are Website Owners Really At Risk Of A €20m Fine?
First, let’s talk about the elephant in the room – the €20 million fine. Elizabeth Denham, the Information Commissioner of the UK, said in a recent speech:
Yes the GDPR gives me greater sanctions and tools for those that flout the law – those that play fast and loose with the personal data that’s been entrusted to them.
But there is a carrot as well as a stick. And I have always preferred the carrot.
…
This is a long haul and preparations will be ongoing. But if you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair.
Enforcement will be proportionate and, as it is now, a last resort.
This tells me that the regulators aren’t trigger-happy bureaucrats out to punish everyone. Their main goal is to foster a “culture of transparency and accountability” with regard to the handling of personal data. And thankfully, they appear to be more interested in your “commitment over compliance” (source).
Looking through the list of enforcement actions that the ICO has taken, I’m relieved to see that there are no listings for “Punishing bloggers for non-compliant email opt-in forms”.
After numerous privacy breaches and data leaks in recent years – I’m looking at you Facebook – that’s something I can get behind. I think you would too.
But Europe has no jurisdiction over me where I am
My country is NOT subject to the laws of the European Union. We cannot be prosecuted under European law, so I don’t need to comply with GDPR requirements.
That might be true, but you probably use services from businesses like Mailchimp, ConvertKit, Google Analytics, AdSense, your web host and more. All of these businesses have customers in the EU, so they have to comply with GDPR. And when you signed up for their service, you agreed to their Terms of Service.
Now, if you use Mailchimp, ConvertKit, Google Analytics or AdSense in a non-GDPR-compliant manner, you’ll be in violation of your ToS. These companies would have the right to terminate your account because of your ToS violation.
So even if you might not face direct action from the ICO, you could find yourself without some of the most important services to operate your website.
I know GDPR is not fun, but I think we can agree that handling personal data in a responsible and secure manner is a good thing. So let’s now focus on how to get compliant, or at the very least ensure that we demonstrate a good commitment to data protection.
Big Honking Disclaimer
At this point I want to make clear that I’m not a lawyer and the following should not be considered legal advice. What follows is my understanding of what bloggers and website owners can do to make a best effort to comply with GDPR. This is what I’ve told my wife to do with her own website. If you are more than a hobbyist, I suggest that you consult a lawyer like I have.
If you run a WooCommerce site, the steps are much more complicated. Read this article instead:
How To Make A WooCommerce Website GDPR Compliant? (12 Steps)
This guide is to help you follow the spirit of the law, even if you are not able to fully follow the letter of the law. As the Commissioner said, “The GDPR mandates organisations to put into place comprehensive but proportionate governance measures” (source).
Even if your website makes a small side income, you’re nowhere in the same league as Facebook and Google. I would argue that the measures I’m outlining below are comprehensive and proportionate for an entity of your size.
Based on what I’ve read, GDPR compliance guides I’ve purchased and speaking with legal experts in various Facebook groups, I believe this will be enough for bloggers and most website owners. Worried that what I’m suggesting is not enough? Please consult a lawyer.
This guide is NOT for you if you are a business with more than 3 staff. In that case, you should follow the letter of the law as closely as you can and get legal advice.
Full Compliance Is Impossible
After wrestling with GDPR for the past 2 months, I’m not sure that any organization can be fully compliant. To follow the strict letter of the law would require a full time compliance team, which most bloggers and small businesses don’t have.
So it becomes a question of how compliant can you practically be? If you are Facebook, you’d better aim for 99+% compliance because the ICO will be watching you like a hawk thanks to your track record and your huge audience. But if you own and operate a small website, 80% compliance may be all that you can practically achieve. And I sincerely believe that that’s ok.
Even if you are found to have unlawfully used or processed personal data, and the ICO actually takes notice of your “offence”, you will likely receive a warning and guidance on how to fix your mistake before any punitive measures are taken.
Cool with all that? Let’s proceed.
Making A Commitment To Data Protection
The Information Commissioner’s Office (ICO) website suggests 8 steps to get prepared.
Based on these 8 steps, I’ve boiled down what you need to do into the following:
A) Make a list of all the personal data you hold
List out all of the personal data you collect, how you collected it, why you need it and whether you have consent for collecting it.
Andy Budd from ideea has an excellent data map template which you can download and use in your audit. Once you’ve completed the audit, it’ll look something like this:
For each data source, you want to ensure that you have consent to collect the data (more in section C below) and that it is actually mission-critical to your operations. If either of these is missing, you should stop collecting that data.
Print the map out, fill it in with a pen, write your name and the date on it and put it in a folder for safekeeping. This is proof that you have completed this audit and goes to show your commitment towards data protection.
B) Audit your data handling and vendors
Next, you want to ensure that where you keep the personal data you collect is secure and that any vendors you use are GDPR-compliant themselves.
For most bloggers, the data collected is stored in WordPress on your hosting account. Ensure that you use strong passwords for both the WordPress dashboard and also your hosting account. This is where a password manager may be useful (more info).
Many bloggers also use email marketing services like Mailchimp and ConvertKit. Both of these are compliant for storing your data, but you’ll still need to ensure you obtain consent on your website forms (e.g. email newsletter and contact forms).
C) Obtain consent at point of data collection
Hoo boy. Here’s where it starts to get hairy. This will require some technical skill, or you may need a web developer to help you.
GDPR requires a high standard of consent to data collection and processing. It says that consent must be:
- Informed. Notify website visitors (the data subject) at the point of data collection.
- Freely given. Don’t pre-select checkboxes on forms. The data subject must make the choice themselves.
- Specific. Don’t subscribe visitors to 3 extra things when they only meant to sign up for your newsletter.
Because this section requires some technical implementation, I’ve dedicated a whole section below (Getting Your WordPress Site GDPR-Compliant) to cover this step.
D) Create or update your legal documents
In the previous section we mentioned linking to a privacy policy on your website. This is where you inform website visitors about the data you collect, how and why you collect it, how it is secured and how they can control that data. You may also have a separate cookie policy or roll it into the privacy policy.
WordPress 4.9.6 now includes a simple privacy policy page generator (Settings → Privacy). It’s really simple, but helpfully includes suggestions from different plugins about the data they collect. For example, the WooCommerce plugin will suggest text including info about the payment processors that you use on the site. The WordPress privacy policy generator also includes a section about cookies so you don’t need a separate policy for that.
If you’re underwhelmed by the WordPress tool, you can write your own or, depending on your risk profile, adapt a free privacy policy template or purchase one. Here are a few that I’ve found:
- Shopify Privacy & Cookie Policy Generator (free)
- TermsFeed template Privacy Policy and template Cookie Policy (free)
- TermsFeed agreement generators (premium)
- Suzanne Dibble’s GDPR Pack (premium)
Whatever option you choose, make sure it covers all the necessary info. The ICO has provided a helpful privacy notice checklist.
Create your policies and publish them on your website. Make sure to include a link to your Privacy Policy somewhere noticeable, like in the footer of your website.
E) Have a plan for when people ask about their personal data
The other bit of GDPR that you need to be concerned about is the data subject’s rights to rectification (correction), erasure (to be forgotten) and data portability (to export their data). In practice you’ll probably only need to deal with requests to opt out of your email marketing lists. Most email providers make this easy and include a mandatory one-click unsubscribe link in your emails as well as a profile update function.
WordPress 4.9.6 has now added tools to export and delete personal data from the site. They can be found under Tools → Export / Erase Personal Data.
Finally, if your website or email marketing account gets hacked, be sure to be upfront about it and notify your website members / subscribers. Again, prevention is better than cure so make sure you have strong passwords!
Getting Your WordPress Site GDPR-Compliant
In this section, we’ll get down to the nuts and bolts for your website. A lot of people get very stressed and worked up about this, so I want to remind you again that:
- GDPR is not just about checkboxes and cookies. These are minor details in implementation. The way you handle data and your approach to privacy are much more important.
- Your best effort is enough. You might not be able to be fully compliant in some of the areas here; just endeavor to do your best. Commitment over compliance, ok?
Install a Cookie Notice
Cookies are how Google Analytics tracks you through a website, or how WordPress remembers you so you don’t have to log in every time you visit. Because WordPress, analytics, adverts, social media buttons and dozens of other things use cookies, you need to inform your website visitors with a cookie banner.
The cookie banner plugin we recommend is Cookie Notice by dFactory. Install and activate the plugin, then navigate to Settings → Cookie Notice to configure it. Enable the Read More link to point to your Privacy Policy page.
To be fully compliant, you should block non-essential cookies – the ones used for analytics, marketing, ads – before the visitor dismisses the cookie banner. To do this, paste your Facebook Pixel, Hotjar, etc script code into the Script blocking field. The scripts that you put here will only be activated after the website visitor accepts cookies.
In practice, blocking cookies before consent is pretty complicated. Also, the law is still fuzzy here. I wouldn’t sweat it too much if you can’t get it to work correctly as long as you have the cookie banner on the site.
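The consent-gating described above, as an added example that is neither code from this post nor from the Cookie Notice plugin: non-essential scripts stay inert until the visitor has accepted a cookie category, and a missing or malformed consent cookie is treated as no consent. The cookie name, the category names and the script URLs are assumptions for this example.

```javascript
const CONSENT_COOKIE = 'cookie_consent';        // assumed cookie name
const CATEGORIES = ['analytics', 'marketing'];  // assumed consent categories
// Constructed sample of scripts a blog would gate; placeholder URLs, not real services.
const GATED_SCRIPTS = [
  { id: 'analytics-tag', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'heatmap',       category: 'analytics', src: 'https://heatmap.example/h.js' },
  { id: 'ad-pixel',      category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// Parse document.cookie (or a raw Cookie header) into the set of accepted categories.
// Unknown values are dropped; a missing or unparsable cookie yields an empty set (no consent).
function parseConsent(cookieString) {
  const accepted = new Set();
  for (const part of String(cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    let value = '';
    try { value = decodeURIComponent(rest.join('=')); } catch (e) { return accepted; }
    for (const cat of value.split(',')) {
      if (CATEGORIES.includes(cat.trim())) accepted.add(cat.trim());
    }
  }
  return accepted;
}

// Deny by default: only scripts in an accepted category may load.
function scriptsAllowed(accepted, scripts) {
  return scripts.filter(s => accepted.has(s.category));
}

// Cookie value recording the choice; Secure + SameSite so the consent record
// only travels over HTTPS and is not attached to cross-site requests.
function consentCookieValue(categories, maxAgeDays = 180) {
  const clean = categories.filter(c => CATEGORIES.includes(c));
  return `${CONSENT_COOKIE}=${encodeURIComponent(clean.join(','))}` +
         `; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Browser glue: inject the allowed scripts once. No-op outside a browser,
// so the pure functions above can be exercised in Node.
function activateAllowedScripts() {
  if (typeof document === 'undefined') return 0;
  const allowed = scriptsAllowed(parseConsent(document.cookie), GATED_SCRIPTS);
  for (const s of allowed) {
    if (document.getElementById(s.id)) continue;   // already injected
    const el = document.createElement('script');
    el.id = s.id; el.src = s.src; el.async = true;
    document.head.appendChild(el);
  }
  return allowed.length;
}
```

In the browser, call `activateAllowedScripts()` on page load and again from the banner’s accept handler after writing the cookie with `consentCookieValue(...)`.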
Anonymize Your Analytics
You can also side-step some of the privacy potholes by anonymizing your analytics. This makes for slightly less accurate geographic reports, but you are minimizing the personal data you collect this way. This can be easily done by selecting the relevant option in your analytics plugin’s settings.
Configure AdSense
If you use AdSense, you should disable personalized ads for visitors from the EU. If you don’t, you may be in violation of your AdSense ToS and incur a policy violation.
Log in to your AdSense dashboard and navigate to Allow & block ads → All my sites → EU User Consent tab. Change the setting to Non-personalized ads.
Obtain Consent for Email Marketing
Most bloggers and small businesses have email newsletters, and this is the topic that causes the most stress by far. Let’s start with the easy things first.
Add a privacy statement to your newsletter opt-in form. Something short and sweet to the effect of, “We respect your privacy [link to privacy policy]. You can unsubscribe any time”.
Stop automatically subscribing website visitors to your email list. If you have a contact form or a way to purchase something on your website, you cannot add people who use these forms to your newsletter automatically. Add a checkbox to your form for the option of automatically subscribing, but make sure that the checkbox is not pre-selected.
What about lead magnets? These are the “bribes” where you entice website visitors onto your email list with an offer, e.g. “Download my free guide/video”. Under GDPR, you can’t do that anymore because consent must be specific. In this case, the language on the opt-in form is requesting consent to the free incentive but not to the weekly emails.
The easiest thing to do here is to add a checkbox that says “I also want to receive the weekly newsletter” like this:
This is the easiest solution, but it may not be the best solution. The big caveats are:
- You can’t pre-select the checkbox
- You still have to deliver the lead magnet even if the subscriber didn’t select the checkbox
The above is what has caused the most hand-wringing, hair-pulling and teeth-gnashing in all the Facebook groups I’m a part of. Everyone is getting hung up over this although I would say this is a small detail in your overall GDPR compliance.
For more ideas on how to get your lead magnets compliant, check out Thrive Themes’ article:
The Smart Way to Make Your Opt-In Forms & Email Marketing GDPR Compliant
Lots of folks will say that the Thrive Themes guys are being very cavalier about the GDPR, but again I say that forms and checkboxes are a small, tiny part of your GDPR compliance. Do your best, don’t forget the other steps in my guide, and move on.
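The lead-magnet rules above, as an added example that is not code from this post or from any plugin: the form handler always delivers the download, subscribes only when the separate newsletter box was actively ticked, and keeps a record of exactly which consent wording was shown and when. Field names and the consent wording are assumptions.

```javascript
// Wording shown next to the (unchecked) newsletter box; stored with each consent.
const NEWSLETTER_CONSENT_TEXT = 'I also want to receive the weekly newsletter';

// fields: submitted form fields (assumed names: email, newsletter, source).
// Returns the actions the site should take, never defaulting to a subscription.
function processOptIn(fields, now = new Date()) {
  const email = String(fields.email || '').trim().toLowerCase();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: 'invalid email' };
  }
  // Browsers only submit a checkbox when it is ticked, so an absent field is "no".
  // Anything other than an explicit affirmative is also treated as "no".
  const ticked = ['on', 'true', '1', 'yes'].includes(String(fields.newsletter || '').toLowerCase());
  // The lead magnet is delivered regardless of the newsletter choice.
  const actions = [{ type: 'deliver_lead_magnet', email }];
  if (ticked) {
    actions.push({
      type: 'subscribe_newsletter',
      email,
      // Evidence of consent: what the subscriber saw, when, and on which form.
      consent: {
        text: NEWSLETTER_CONSENT_TEXT,
        given_at: now.toISOString(),
        source: fields.source || 'lead-magnet-form',
      },
    });
  }
  return { ok: true, actions };
}
```

The markup must not carry a `checked` attribute on the newsletter box; this handler only enforces the server side of the rule.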
Conclusion and Further Resources
The above is quite a bit of work and if you are like my wife, you won’t relish it. However, try to look at this as an opportunity. By committing to data protection, you tell your website readers that they matter to you. You’ll appear more professional and authoritative, leading to deeper trust and engagement with your audience.
If you want to learn more about GDPR, here are some further resources for you.
- The ICO’s guide to get ready for GDPR (and the entire website in general).
- Small business law expert Suzanne Dibble’s free webinar on GDPR for online entrepreneurs
- Small business law expert Suzanne Dibble talks about GDPR and very small businesses.
- The Lowdown on GDPR Compliance for WordPress Users – WordPress-specific tips from Kinsta
This article will be updated with corrections and new information as I get them. Thank you to members of the GDPR For Online Entrepreneurs Facebook Group for your comments, feedback and support.
M Qasim
Amazing guide. Can you please shed some light on what settings are required to comply with AdSense TOS regarding GDPR, after I have turned off the personalized ads option for EU users from within AdSense.
David
You must also have a cookie notice and privacy policy. I think that should be enough.
Mike Jones
GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor, data protection officer. The controller is really the responsibility for making sure the outside contractor. Thanks for sharing this detailed article. Thank you
Chris H
Great piece of information. Thank you for sharing across