NOTE: This is not professional legal advice and cannot be considered as such. This is a guide for you to use as a starting point to get your own site GDPR
Well, this is a little overdue, but better late than never, especially since GDPR is in full swing, handing out fines left and right.
If you don’t know what GDPR is all about, then here’s a quick summary.
GDPR, General Data Protection Regulation is a data privacy regulation rolled out by the EU to give online users more control over their private data. A.K.A
At its core, it means businesses and site owners are no longer able to collect and use data any way they want without first informing the user and getting their approval. It also means users are allowed to decide at any point that they have changed their minds and want their data deleted from your databases.
In theory, this is great for all internet users, but in practice, it has become a bit of a nightmare to implement. And it has made internet marketing a little more tedious than before.
But the law is the law, and no one is above it. So it is time to face the music and learn how to get your site compliant if you want to avoid getting into trouble.
Who does GDPR apply to?
If you process people’s data then GDPR will apply to you. You don’t have to be a big company or brand. Small bloggers collecting emails or using certain cookies also need to comply.
GDPR is implemented by the EU and its protection only covers individuals within the EU.
This means if people anywhere within the EU are visiting your site, then GDPR will affect your site and your site needs to be compliant. However, it’s not so simple. Just because someone from the EU visits your site doesn’t mean you need to be GDPR compliant IF, and only if, your site is not aimed at individuals in the EU.
How you would prove and argue
But let’s not try to be smart asses here and just assume your site is
Common reasons why GDPR applies to you
You collect e-mails
If you collect emails in any shape, way or form, for any reason, your site needs to be GDPR compliant. Collecting emails is the most common form of collecting people’s private data for your own benefit.
Your lead pages, pop-ups and sign-up forms will all have to be redesigned slightly to be compliant by following the 6 basic GDPR principles.
Here’s a quick tip: Make sure at the point of sign-up the user is fully aware of why they are giving you their email address and what they will get in return. Explore my site and see my pop-ups to better understand the level of clarity needed.
You use WordPress plugins
WordPress is great open-source software to build websites with, and one of the reasons for this is the massive ecosystem of plugins available. But many of these plugins will collect user data in order to work.
Examples include spam filters, comment controls, social media buttons etc. All of these collect and process user data.
You use analytics
Almost everyone uses Google
GDPR basic principles your site needs to practice
Principle 1 – Fairness and Transparency
There are no clear definitions provided, but going by common sense and some online research, fairness and transparency can be summed up as a site’s genuine motive to inform users in a clear and understandable way on what data is being collected, how it is used, and how they can choose to opt-in or
This means, as long as you are upfront and clear with what and how you use data, as well as provide the opportunity to erase user data under their choice, then your site should comply with this principle.
Principle 2 – Data is used only for the legitimate purposes that were specified
The second principle is all about the reason for collecting and processing data. Under the first principle, you should have clearly informed users what the data is used for. Data can only be used in the way you told users it would be used.
So if you say you will send them a free guide for signing up then you can only use their email to send them a free guide. You cannot proceed to add their email to a newsletter
The second principle ensures your reasons are legitimate.
Legitimate reasons encompass a true business need to collect data in order for your business to function properly.
An easy way to comply
Some examples are IP addresses for analytics, or an e-mail address to send them a free file.
Principle 3 – Data collected is only what is needed
Just because you need to collect user data to reach business goals, it doesn’t mean you can go collecting everything you want.
The third principle is about ensuring websites are collecting the MINIMUM amount of data needed.
If you don’t need their name, gender and age to send them newsletters, then don’t.
Keep your data collecting to the bare minimum and your site will be able to comply.
Principle 4 – Data is accurate and up-to-date
Site operators are responsible for ensuring the data collected is accurate and up to date.
This means you must correct and edit data if someone sees an inaccuracy in their own data. You must do this in a timely fashion, which also means you need to have the means to manually change the data you have collected.
Principle 5 – Data is kept for a certain amount of time only
This principle is all about how long you keep the data.
For example, if you collected an email to send them a free guide, then you only needed the email until the free guide was delivered to the user.
But if the free guide was a lead magnet and the sign-up form specifically said the user will be added to a newsletter list, then you can legitimately store the email for a longer period of time.
Principle 6 – Data must be stored and managed securely
Data security is an increasing problem and under GDPR, it is your responsibility to ensure the data you collect is safe from security breaches.
This means both
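To make principles 2 to 5 concrete, here is an added example (my own code, not from this post or any plugin) of a tiny subscriber store for a sign-up form. It records the exact wording the user agreed to, refuses to use an email for a purpose it was not collected for, expires data once its purpose is served, and supports correction and erasure. The purpose names and retention periods are constructed assumptions for illustration; the regulation does not prescribe them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed retention per purpose (constructed for this example, not from GDPR):
# a free-guide email is only needed until the guide is delivered, so it is
# dropped after a short grace period; a newsletter consent stands until withdrawn.
RETENTION = {
    "free_guide": timedelta(days=7),
    "newsletter": None,
}


@dataclass
class Consent:
    purpose: str          # principle 2: what the data may be used for
    granted_at: datetime  # principle 5: when the retention clock started
    wording: str          # principle 1: the exact text the user agreed to


@dataclass
class Subscriber:
    # Principle 3: only the email is stored; no name, gender or age fields exist.
    email: str
    consents: list = field(default_factory=list)


class SubscriberStore:
    def __init__(self):
        self._by_email = {}

    def sign_up(self, email, purpose, wording, now):
        """Record consent for one named purpose only; unknown purposes are rejected."""
        if purpose not in RETENTION:
            raise ValueError(f"unknown purpose: {purpose}")
        sub = self._by_email.setdefault(email, Subscriber(email))
        sub.consents.append(Consent(purpose, now, wording))
        return sub

    def _active(self, consent, now):
        limit = RETENTION[consent.purpose]
        return limit is None or now - consent.granted_at <= limit

    def may_use_for(self, email, purpose, now):
        """Principles 2 and 5: the purpose must have been consented to and not expired."""
        sub = self._by_email.get(email)
        if sub is None:
            return False
        return any(c.purpose == purpose and self._active(c, now) for c in sub.consents)

    def rectify(self, old_email, new_email):
        """Principle 4: let a user correct their own data."""
        sub = self._by_email.pop(old_email)
        sub.email = new_email
        self._by_email[new_email] = sub

    def erase(self, email):
        """Right to erasure: remove everything held about the address."""
        return self._by_email.pop(email, None) is not None

    def purge_expired(self, now):
        """Principle 5: drop expired consents, then subscribers left with none."""
        removed = 0
        for email in list(self._by_email):
            sub = self._by_email[email]
            sub.consents = [c for c in sub.consents if self._active(c, now)]
            if not sub.consents:
                del self._by_email[email]
                removed += 1
        return removed


def demo():
    """Walk two constructed sign-ups through the lifecycle and return the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = SubscriberStore()
    store.sign_up("alice@example.com", "free_guide", "Send me the free guide", t0)
    store.sign_up("bob@example.com", "newsletter", "Add me to the weekly newsletter", t0)
    later = t0 + timedelta(days=30)
    results = {
        # Alice only agreed to the guide, so the newsletter purpose is off limits.
        "alice_newsletter": store.may_use_for("alice@example.com", "newsletter", t0),
        "alice_guide_day1": store.may_use_for("alice@example.com", "free_guide", t0 + timedelta(days=1)),
        "alice_guide_day30": store.may_use_for("alice@example.com", "free_guide", later),
        "purged": store.purge_expired(later),
        "bob_newsletter": store.may_use_for("bob@example.com", "newsletter", later),
    }
    store.rectify("bob@example.com", "robert@example.com")
    results["bob_after_rectify"] = store.may_use_for("robert@example.com", "newsletter", later)
    results["erased"] = store.erase("robert@example.com")
    results["bob_after_erase"] = store.may_use_for("robert@example.com", "newsletter", later)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in `may_use_for` is the piece worth copying: every send path asks the store whether this address may be used for this purpose right now, rather than reading the email list directly, so an expired or withdrawn consent cannot be used by accident.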
Easy ways to get your site on the right track to GDPR compliance
I used a cookie scanner to easily organise and clearly display what my site was using and how it was being used.
Use simple and easy to understand language to gain consent for data collection
Do not try to use technical language that may confuse some of your users. This will go against the first principle of GDPR.
Keep it simple: short sentences, simple words and clear, straight-to-the-point phrases.
Collect only what you NEED
This is to do with principle 3. Stop collecting data you aren’t using and that isn’t necessary. Go through your site, make a list of everything you’re collecting, then cross off whatever isn’t necessary and make the corresponding site edits.
You should also go through your Google analytic configurations to make sure Google
Use only the most reputable software and services for your website
List out all the plugins, software and services you use. Go through the companies one by one and establish which ones are already GDPR compliant and which ones are not.
Make the needed changes and swaps if you find anyone not following best practices.
Did you enjoy this post? If you did, please take a moment to use the social media buttons at the bottom to share this with friends, family, colleagues, your neighbour’s cat, anyone with access to the internet 🙂 Thanks!