GDPR is all over the news, and it is the reason inboxes all over the world are flooded with "we've updated our privacy policy" emails right now.
GDPR (it stands for General Data Protection Regulation) goes into effect on May 25, 2018, and it reaches well beyond Europe: it applies to anyone, anywhere, who offers goods or services to people in the European Union or monitors their behaviour online. Basically, it says that anyone who does business with individuals in the EU must step up their privacy protections.
Keep in mind, as you’re reading this article, that I’ve tried to make it as helpful as possible for my readers, who are mostly bloggers, freelancers, and solopreneurs. However, I’m not a lawyer and this is not legal advice. If you have questions about your own situation you may want to consult an attorney.
Here are some quick links to help you jump around within the article.
- Who Has to Comply with GDPR?
- What Does Compliance Involve?
- Steps to Compliance
- Recommended GDPR Plugin
Who Has to Comply with GDPR?
Unless you collect absolutely no personal data of any kind, ever, you should take steps now to bring your WordPress site into GDPR compliance.
The regulation's term is "personal data", and it is broader than the "personally identifiable information" you may be used to: it means any information relating to a person who can be identified, directly or indirectly. That includes obvious things like names and email addresses. It also includes photos, IP addresses, cookie and device identifiers, social media handles, and more.
Do you allow blog comments? You're collecting data. WordPress itself stores each commenter's name, email address, IP address and browser user agent in its comments table, whether or not you run an anti-spam plugin.
Running Akismet or any other program to help cut down on spam? You're collecting IP addresses there too, and in Akismet's case sending them to a third-party service for checking.
Basically, if you have a website, you should plan to comply.
“But wait,” I hear you thinking. . . “I’m not located in the EU, what can they do to me?” Well, how does a 20 million Euro fine strike you? For the most serious violations, regulators can fine up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher (a lower tier of 10 million Euros or 2% applies to lesser violations).
Now granted, they’re more concerned with the Facebooks, Googles, Amazons, and other big players than they are with going after some blogger, freelancer, or solopreneur, but dealing with a violation can still cause you major headaches at the very least, and will eat up tons of time and probably money.
What Does Compliance Involve?
The law addresses privacy, security, and transparency. It demands that you tell individuals (aka data subjects) what personal data you collect, why you need it, what you're going to do with it, who you share it with, and how long you keep it.
You have to do it in clear and unambiguous language. Where you rely on consent, the data subject has to actively opt in: pre-ticked boxes and silence don't count, and withdrawing consent has to be as easy as giving it. Consent is only one of several lawful bases, though. You don't need a consent checkbox to process a customer's shipping address for an order they placed, because that processing is necessary to fulfil the contract.
You can’t assume consent — if somebody consents to providing an email address to receive your free download, that doesn’t mean you can automatically add them to your list for weekly e-letters. If they opt in to receive emails, they’re not necessarily agreeing to receive marketing messages.
The law specifies several roles. The two you'll hear about most are the data controller and the data processor. The data controller decides why and how personal data is processed. That's probably you. The data processor handles the data on behalf of the controller, and the law requires a written contract between the two; vendors usually call it a data processing agreement (DPA).
If you send your email via a third-party service like Mailchimp, you are the data controller because you ask people to sign up for your email, you put the opt-in forms on your site, and you write and send the emails. Mailchimp is the data processor, acting on your behalf. They actually store the email addresses and other information on their servers, keep records of when the individual opens an email you've sent, etc. Check your account for a data processing agreement to accept as part of their GDPR updates.
If you send email directly from WordPress (something I absolutely don’t recommend, but it’s a good example for purposes of this discussion), you would be both the data controller and data processor.
Another part of the law gives data subjects rights over their stored information: they can ask what you hold about them, have it corrected, receive a copy of it, and have it deleted. Deletion isn't absolute (you can keep the invoices the tax authorities require you to retain, for example), but you need a way to find and remove everything else when someone asks.
Here’s a helpful interactive infographic from the European Union about the law.
Steps to Compliance
#1. Take an inventory
Make a list of where and how you’re collecting and storing information. That will include obvious things like your email opt-in. Others may be less obvious — for example, the fact that your hosting company stores IP addresses.
Bloggers, freelancers, and solopreneurs commonly collect data in these areas:
- Opt-in forms
- Contact forms
- Comment forms
- E-commerce purchases
Those aren’t the only places that site visitors’ data is collected and stored. Others include Google Analytics, some social sharing tools, and. . .
Before you can properly notify your visitors how their data is being collected, you need to understand it yourself.
My suggestion would be to look over your list of plugins, then Google the name of each one along with “GDPR.” Ask your hosting company the same question about the access logs and backups they keep, since those contain visitor IP addresses you never see.
Just for fun, I googled Social Warfare (the social sharing plugin I use here) + GDPR. It turned up this exchange. Someone asked if the plugin is GDPR compliant — the response is in the screenshot below.
How about Google Analytics, since you should be using that tool?
This article states that:
Google has updated Google Analytics with a new feature called ‘User and event data retention’. This feature allows the data controller to decide how long to store and retain data.
The feature relates specifically to data associated with cookies, user identifiers, or advertising identifiers. As the data controller, you can set a fixed time limit before expiry. You can also choose not to include an automatic expiry time limit.
So if you follow the instructions to set up that feature, you'll know exactly how long user-level data will be retained, and you can include that information in what you provide your users. (The setting doesn't affect the aggregated numbers in the standard reports.) Also consider enabling IP anonymization (the anonymizeIp setting in the tracking code), which truncates each visitor's IP address before Google stores it.
Once you have your inventory, you're ready for Step 2.
#2. Update Your Privacy Policy
Your privacy policy is where you tell visitors what you collect and why. In it, you should address each type of data you collect and store, where it goes (including any third party that processes it for you), how long you keep it, and how people can exercise their rights.
Terms & Conditions is a separate page that tells readers how you do business with them.
If this sounds like a daunting task, there are templates available online. Or you can use a plugin to help with it.
I tried out a couple, and wrote a whole article about them over on my WordPress Building Blocks site. . . . Take a look at it here.
#3. Update Your Forms
How are you creating forms on your site? With a plugin? With code from a third party like Mailchimp? Google the form source plus GDPR to easily find out what they’re doing to comply, and how you can update your forms.
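To show what an explicit, unchecked opt-in looks like in code, here is an added example (not from the original article and not from any of the form vendors mentioned) for the comment form that ships with WordPress itself, since every blog has that one. It assumes WordPress 4.9.6 or newer for the wp_privacy_anonymize_ip() helper and falls back to manual truncation otherwise; the field name gdpr_consent, the CSS class and the text domain example-gdpr are made up for the example.

```php
<?php
// Added example, not from the original article: explicit (unchecked) opt-in and
// IP minimisation for the comment form that ships with WordPress. Put it in a
// small site-specific plugin or your theme's functions.php.
// Assumptions: WordPress 4.9.6+ for wp_privacy_anonymize_ip(); the field name
// 'gdpr_consent' and the text domain 'example-gdpr' are invented for this example.

// 1. Add an UNCHECKED consent checkbox to the form. WordPress renders these
//    fields only for visitors who are not logged in.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['gdpr_consent'] =
        '<p class="comment-form-gdpr-consent">'
        . '<label for="gdpr_consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="1" /> '
        . esc_html__( 'I agree that my name, email address and a truncated IP address are stored with this comment, as described in the privacy policy.', 'example-gdpr' )
        . '</label></p>';
    return $fields;
} );

// 2. Enforce the opt-in on the server. 'preprocess_comment' runs before the
//    comment is written to the database, so deleting the checkbox from the HTML
//    in the browser does not bypass the check.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    // Pingbacks and trackbacks are sent by other sites, not by a person who
    // could tick a box; let them through. Regular comments have an empty type
    // before WordPress 5.5 and 'comment' from 5.5 on.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( '' !== $type && 'comment' !== $type ) {
        return $commentdata;
    }
    if ( ! is_user_logged_in() && empty( $_POST['gdpr_consent'] ) ) {
        wp_die(
            esc_html__( 'Please tick the consent box to post a comment.', 'example-gdpr' ),
            esc_html__( 'Comment rejected', 'example-gdpr' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Data minimisation: store a truncated IP address instead of the full one,
//    so the comments table never holds the exact address.
add_filter( 'pre_comment_user_ip', function ( $ip ) {
    if ( function_exists( 'wp_privacy_anonymize_ip' ) ) {
        return wp_privacy_anonymize_ip( $ip );
    }
    // Fallback for older WordPress: zero the last IPv4 octet; store nothing
    // for anything that is not a valid IPv4 address.
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        return preg_replace( '/\.\d+$/', '.0', $ip );
    }
    return '';
} );
```

Two things to check before using something like this on a live site: the checkbox and the server-side check apply only to logged-out visitors, so make sure your registration flow collects consent for account holders separately; and anti-spam plugins that examine the stored IP address get less to work with once it is truncated, so confirm your spam filtering still behaves as you expect.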
All the companies I checked are either in compliance already or scrambling to be in compliance by May 25. This includes third parties like:
- Constant Contact
- ConvertKit
Each of them also provides some helpful information about the GDPR requirements.
Forms plugin companies that I checked include:
- Ninja Forms
- Contact Form 7
- WPForms
- Caldera Forms
- Gravity Forms
- OptinMonster
WooCommerce is working to become compliant before the May 25th deadline.
I will do my best to update this article as more information becomes available.
While I don’t think you need to worry about having EU officials battering down your doors if you’re not compliant on the 25th, you should start the process as soon as you can.