NOTE: This is not professional legal advice and cannot be considered as such. This is a guide for you to use as a starting point to get your own site GDPR compliant.
Well, this is a little overdue, but better late than never, especially since GDPR is in full swing, handing out fines left and right.
If you don’t know what GDPR is all about, then here’s a quick summary.
GDPR, the General Data Protection Regulation, is a data privacy regulation rolled out by the EU to give online users more control over their private data. In other words, it regulates how online site owners and businesses conduct their data collection and data processing.
At its core, it means businesses and site owners are no longer able to collect and use data any way they want without first informing users and getting their approval. It also means users are allowed to decide at any point, if they change their minds, that they want their data deleted from your databases.
In theory, this is great for all internet users, but in practice, it has become a bit of a nightmare to implement. And it has made internet marketing a little more tedious than before.
But the law is the law, and no one is above it. So it is time to face the music and learn how to get your site compliant if you want to avoid getting into trouble.
Who does GDPR apply to?
If you process people’s data then GDPR will apply to you. You don’t have to be a big company or brand. Small bloggers collecting emails or using certain cookies also need to comply.
GDPR is implemented by the EU and its protection only covers individuals within the EU.
This means if people anywhere within the EU are visiting your site, then GDPR will affect your site and your site needs to be compliant. However, it’s not so simple. Just because someone from the EU visits your site doesn’t mean you need to be GDPR compliant IF, and only if, your site is not aimed at individuals in the EU.
How you would prove and argue that, I do not know, but by the legal wording provided by the EU, any site that is not aimed at EU individuals is exempt from GDPR.
But let’s not try to be smart asses here and just assume your site is affected, because it’s better to keep your site safe than to get slapped with a fine. (The GDPR fine varies by the level of non-compliance, but it can be up to 10 million euros or 4% of your annual global revenue.)
Common reasons why GDPR applies to you
You collect e-mails
If you collect emails in any shape, way or form and for any reason, your site needs to be GDPR compliant. Collecting emails is the most common form of collecting people’s private data for your own benefit.
Your lead pages, pop-ups and sign-up forms will all have to be redesigned slightly to be compliant by following the 6 basic GDPR principles.
Here’s a quick tip: Make sure at the point of sign-up the user is fully aware of why they are giving you their email address and what they will get in return. Explore my site and see my pop-ups to better understand the level of clarity needed.
You use WordPress plugins
WordPress is a great open-source software to build websites with, and one of the reasons for this is the massive ecosystem of plugins available. But many of these plugins will collect user data in order to work.
Spam filters, comment controls, social media buttons and the like all collect user data and process it.
A privacy policy and cookie policy page is needed to ensure users on your site have the ability to know exactly what is being collected from them, by whom and why.
You use analytics
Almost everyone uses Google Analytics, and even if you don’t, I’m sure you use some sort of software that provides analytical insight.
These analytics are made possible by collecting user data and then processing it into insight. You need to make this clear and transparent to your users by providing a privacy policy and cookie policy page that outlines all the areas where your site collects data.
GDPR basic principles your site needs to practice
I briefly mentioned some needed changes to your site above, such as the wording on pop-ups and the need for a privacy policy and cookie policy page on your site.
But do you know how to create a privacy policy and cookie policy page that is GDPR compliant?
That’s right, just because you already have a privacy policy page on your site doesn’t mean your site is compliant. This is because your privacy policy page might not cover the necessary areas of GDPR.
Principle 1 – Fairness and Transparency
There are no clear definitions provided, but going by common sense and some online research, fairness and transparency can be summed up as a site’s genuine motive to inform users in a clear and understandable way about what data is being collected, how it is used, and how they can choose to opt in or opt out.
This means that as long as you are upfront and clear about what data you use and how you use it, and you provide the opportunity to erase user data at the user’s request, then your site should comply with this principle.
Principle 2 – Data is used for specified, legitimate purposes only
The second principle is all about the reason for collecting and processing data. Under the first principle, you should have clearly informed users what the data is used for. Data can only be used in the way you told users it would be used.
So if you say you will send them a free guide for signing up then you can only use their email to send them a free guide. You cannot proceed to add their email to a newsletter list, UNLESS you told them you would do so during sign-up.
The second principle ensures your reasons are legitimate.
Legitimate reasons encompass a true business need to collect data in order for your business to function properly.
An easy way to comply with this principle is to ask yourself “if I don’t collect this piece of data from my user, can I reach my business goal?” If the answer is no, then you have a legitimate reason to collect the data.
Some examples are IP addresses for analytics, or an e-mail address to send someone a free file.
Principle 3 – Data collected is only what is needed
Just because you need to collect user data to reach business goals, it doesn’t mean you can go collecting everything you want.
The third principle is about ensuring websites are collecting the MINIMUM amount of data needed.
If you don’t need their name, gender and age to send them newsletters, then don’t.
Keep your data collecting to the bare minimum and your site will be able to comply.
Principle 4 – Data is accurate and up-to-date
Site operators are responsible for ensuring the data collected is accurate and up to date.
This means you must correct and edit data if someone sees an inaccuracy in their own data. You must do this in a timely fashion, which also means you need to have the means to manually change the data you have collected.
Principle 5 – Data is kept for a certain amount of time only
This principle is all about how long you keep the data for. It’s to ensure you don’t store data for an unnecessarily long time.
For example, if you collected an email to send someone a free guide, then you only need the email until the free guide has been delivered to the user.
But if the free guide was a lead magnet and the sign-up form specifically said the user will be added to a newsletter list, then you can legitimately store the email for a longer period of time.
Principle 6 – Data must be stored and managed securely
Data security is an increasing problem and under GDPR, it is your responsibility to ensure the data you collect is safe from security breaches.
This means both first-party data collection done directly by you and third-party data collection done by the likes of Google and SiteGround hosting are your responsibility. In its most basic form, it means you need to make sure that you are following best practices and that all the software and services you use also follow best practices.
Easy ways to get your site on the right track to GDPR compliance
Create a GDPR compliant privacy policy page
You can take a look at the privacy policy page on this site to give you an idea of what you need to include in yours.
NOTE: Every site will be collecting different data and for different reasons, so my privacy policy page will only be accurate for my site. But you can still use it to understand what yours needs to include.
Create a GDPR cookie policy page
You can take a look at my cookie policy page to understand how to clearly outline all the cookies your site uses.
I used a cookie scanner to easily organise and clearly display what my site was using and how it was being used.
Use simple and easy to understand language to gain consent for data collection
Do not try to use technical language that may confuse some of your users. This will go against the first principle of GDPR.
Keep it simple: short sentences, simple words and clear, straight-to-the-point phrases.
Collect only what you NEED
This is to do with principle 3. Stop collecting data you aren’t using and that isn’t necessary. Go through your site, make a list of everything you’re collecting, then cross off whatever isn’t necessary and make the corresponding site edits.
You should also go through your Google Analytics configuration to make sure it also collects only what is needed and nothing redundant.
Use only the most reputable software and services for your website
List out all the plugins, software and services you use. Go through the companies one by one and establish which ones are already GDPR compliant and which ones are not.
Make the needed changes and swaps if you find any that are not following best practices.
Did you enjoy this post? If you did, please take a moment to use the social media buttons at the bottom to share this with friends, family, colleagues, your neighbour’s cat, anyone with access to the internet 🙂 Thanks!