You’ll no doubt have noticed the countless ‘GDPR’ emails in your inbox and or panicked posts within your Facebook community. But what does it mean for you, your brand, and your business? Keep reading for what you need to know about GDPR for your business, when it goes into effect, a free GDPR checklist, and GDPR best practices.
Disclaimer/ Legal Disclosure: This post is in no way or means intended to serve as legal advice. We are not lawyers and these are simply the steps we’ve personally taken to ensure that our websites are ready for the new regulations coming into place on the 25th May 2018. We take no responsibility for the advice covered in any part of this article or on this website and it is your responsibility to ensure that you, your brand, business, and website(s) are GDPR compliant. If you need legal advice, then you should consult a lawyer.
What is GDPR?
If you’ve spent any length on the interwebs you’ll no doubt have noticed the countless ‘GDPR’ emails in your inbox or various pop-ups on websites across the world wide web. But what does it all mean? And, more importantly, what does it mean for you, your brand, and your business? Well, basically GDPR stands for ‘General Data Protection Regulation’ and is a new set of regulations to better protect the information and data regarding EU residents. It goes into effect on May 25th, 2018.
What this means for any website or online business owner is that there will be a new set of rules and regulations which will affect you if any (and I really do mean any) of your traffic comes from the European Union. This data regulation will likely even affect you if you’re not an EU resident. This means that GDPR really does impact on pretty much everyone online!
When it comes to running an online presence, you must ensure that you’re protecting peoples’ data. The maximum fine for not complying with the new data regulations can lead to a fine of €20 million or 4% of global annual revenue, whichever amount is higher. Basically, the penalties are pretty high! However, it’s important to note that the first stage of GDPR non-compliance is a ‘warning’, so let’s keep calm.
What not to do about GDPR
PANIC. Karen is the data geek here and she swears that it’s not bad. It took about an hour to become compliant on her blog although finding information during the panic was particularly difficult. Let’s keep calm and work through this. (Keep reading!)
Ban EU Users. I’ve seen a few website owners outside of Europe discussing shutting down their website to European users due to GDPR altogether. This is silly and becoming GDPR compliant should take an hour (or so) if you run a normal website where you’re not retaining significant personal information. There’s a term in the GDPR legislation that individuals who do not give consent should not be treated differently, so if you’ve decided to blacklist anyone from the EU (cough), you’re going against the legislation either way. 😉
GDPR is simply about asking permission from your users rather than assuming it and your users might enjoy having more control over their data. A recent study found that 89% of Americans surveyed said that they avoid companies that they don’t believe protect their data. 74% of that group also had limited their Web activities in the last year as they didn’t know what would happen to their data. That’s a lot of people who are concerned about data and GDPR is a good way to help your business stay in their good books.
Collecting Data, Personal Data & What it Means
If you own a website, then no doubt you’re already collecting pieces of information on your users. If you’re tracking Google Analytics then you’re collecting data. If you have blog comments then you’re collecting data on users. There’s actually quite a few ways that you may well be collecting data on the people using your website. If your business occasionally retains client data or their core business involves analysis, you must have a plan in regards to protecting their data if you don’t already.
When it comes to GDPR for websites, you’ll need to tell users why you’re collecting data, what you’re using it for, and get consent to collect users’ data (more about that under the ‘cookies’ headline). The new regulations also say that you must inform users if there is any breach of data and that EU residents have the ‘right to be forgotten’.
This is also known as the ‘right to erasure’ and essentially means that users can make requests for their data to be removed either verbally or in writing. From the date of the request, you have one month to ensure GDPR compliance and remove the user who has requested erasure’s data. The newest version of WordPress allows you to “forget” users, which helps in this.
Collection of data may include (this list is not exhaustive and there are plenty more examples):
- Contact Forms (i.e. on your about/ contact/ work with me page)
- Traffic analysis (i.e. tools such as Google Analytics, Amazon Associates Codes)
- Email forms/ lists (i.e. sign up/ subscription forms from email services such as MailerLite or MailChimp)
- Embedding content from external sites
- Forums / user registration
- Order forms
- Selling products/ courses/ e-merchandise/ selling subscription services
- Comment forms (i.e. on any blog posts/ articles)
GDPR Compliance Check List:
As has been touched on, when it comes to making your website GDPR compliant, there are several points you’ll need to bear in mind.
First things first, we’re not talking about that yummy sweet you used to enjoy with a glass of milk as a child. Instead, cookies are small data files which are stored on your computer by a website. When the new data regulations coming on the 25h May, you’ll need to gain explicit consent from users in the form of cookie consent. Technically, the experience of those who do not give consent should be the same of those who give consent, however most
Currently, many of the plug-ins that allow users to disable cookies require a developer as you must customize it to the cookies that you’re using, but we’ll be updating this post we find a better solution and/or a good plug-in for this for those of us who aren’t website developers. So far, the best free GDPR complaint plug-in one that we’ve found is GDPR Cookie Consent if you’re more technical. Otherwise, you can try out Cookie Notice by dFactory.
Do you have a forum on your website? Make sure that your users consent to you storing their personal information, messages, and posts on the forum. This must be unchecked by default. If you share the data with any third parties, you must mention it.
Many businesses have hopped onto the chatbot trend for sending messages, but you need to first ask users if they consent to you storing and using any personal information that they provide. As a safeguard, also mention how long you store these messages or remove data within 24 hours after you’ve read the messages. Also, the box must be unchecked and you must mention third parties.
If you have clients ordering from you, have a checkbox asking if they consent to you storing and using their personal data for the order. This is not the same as your comment. If you want to send marketing emails to them or add them to your mailing list, you must ask this separately with yet another unchecked box. If you share this information with any third parties, please mention it.
Comments and Forms
If you’re on WordPress, update to the latest version, which allows you to wipe people’s data if they request it. Similarly, Karen recommends the WP GDPR Compliance plug-in, which easily adds a checkbox to your comments making clear that their email and name will be retained as part of the commenting process. It also adds a checkbox to forms on your website, but if you use Divi (or another form builder), ensure that you ask explicit permission to contact forms if you haven’t already.
After reading an interesting article in the Guardian yesterday (I highly recommend reading ‘Most GDPR emails unnecessary and some illegal, say experts‘), it turns out that many of the GDPR emails which are likely flooding your inbox are unnecessary and, in some cases, even illegal. (Think how many emails on that list that you don’t remember signing up for!)
The thing is if you explicitly gained consent from your email subscribers, never added users without their explicit permission, never tricked people into signing up for your mailing list, and never bought/ sold email lists and contacts, then you’re probably good to go! Again, we’re not lawyers and this is no way constitutes as legal advice.
If you haven’t always had double opt-in on emails, then this is the time to become GDPR compliant. Services like MailChimp have lengthy blog posts and informative articles on how you can make your mailing list, opt-in forms, etc. compliant. Check which forms you have on your website as your current mail forms may not be GDPR compliant if there’s only single opt-in.
Think through how you’ve grown your mailing list. If you gave away freebies or giveaways as a way to grow your mailing list, then you’ll have to look at whether you asked consent for people to be on your mailing list, etc. If you did so, you will need to get consent again as this portion of your mailing list probably signed up for the freebie and may have not thought about the newsletter. Freebies do not qualify as consent.
You must be willing to send your freebies, even if people don’t consent to the mailing list. Your old freebies that say SEND ME YOUR FREEBIE while adding emails to your mailing list won’t work anymore. It needs to be clear and unambiguous what people are opting into and that your mailing list is OPTIONAL. You can mention all the perks, but it cannot be a given that they’re added to your mailing list. You cannot treat people differently if they do not give consent.
Let’s say that you promise someone that you’ll send them a box of chocolates in the mail if they give your address. If you send them the box of chocolates, great. However, what’s not okay is that the same person sends a clown to your doorstep to say hi, just because they thought that you love clowns and they have their address. (Please never do this to me.) It’s the same idea with freebies. People often say YES to free stuff, but no to clowns and mailing lists. You can’t assume that they’ll love your mailing list or a clown at their doorstep.
This is just an example and you can change the language around your mailing list to sound far more awesome than this example (I’d like to join your mailing list), but it must be clear that your mailing list is not a requirement for receiving something. If you really want to incentivize people, you need to make it clear that your mailing list is a key part of getting it. Something such as Subscribe to our mailing list to access our awesome subscribers-only library and receive monthly updates makes it clear that they’ll be receiving emails from you and they’re fine with it.
For some businesses: Sensitive data, joined data & secure data storage
This is only the case for some businesses, however, you must try to ensure your client’s data is stored in a secure way if you’re retaining it for your records. This does not mean leaving excels unencrypted online or on your desktop without a password. (Avoid any sensitive information if possible.)
Similarly, you cannot join different data points about an individual without their permission, especially if you are joining sensitive information together with their identity. Let’s say that you have marketing data about your user as well as basic demographic data about your user that was collected separately. You did not ask for permission to join these two bits of data and this principle goes against GDPR. If you want to join data or match a person’s name to their marketing information, you must explicitly ask permission of those impacted. If not, delete the merged excel and stick to what you have permission for.
It’s important to keep contact information separate from information that might identify a user. A recent study has shown that anonymized data may not stop people from identifying individuals in data. Take some important cues from this study and avoid having an individual’s full name in your data. Better, do not retain user data if not necessary.
The best way to ensure that your data is GDPR compliant is to keep at the aggregate level. Instead of having lines with all the user information, you’ll be looking at aggregate data when doing your analyses. It’s not to say that you’re banned from analyzing your data at a smaller level, but you must ask explicit permission prior to doing so.
This part is far trickier than the other GDPR compliance bits and if you’re dealing with significant data that you’re retaining, I recommend taking a step back to take account of what you have, how sensitive it is, what steps you’ve taken to secure it, and your personal data practices. Beyond this, hire a professional (not us).
Website GDPR compliant best practices
No pre-checked boxes
People should not be able to accidentally sign up for an email, marketing service, or any sharing of their information without their explicit consent. There should be no pre-checked boxes anywhere on your website and this definitely includes for when people are commenting on your blog. People have to choose to check the box.
No legal speak
The best way to verify where your site is collecting data (other than through contact forms, emails, tracking codes) is to conduct a full plugin audit. These audits should be done on a regular basis anyway in order to see what is being used, how it’s being used, and whether your site really needs it or not. (Side note, old plugins that are not supported, updated, or activated should be deleted to aid in website security as these are vulnerable to hacks).
Anonymize Google data
As the new regulations state that you need to get user consent before collecting data, you’ll want to anonymize the data you can’t specifically get consent for collecting before you start collecting it, as it were. One of these topics is Google Analytics. Anonymising Google Analytics data typically means that you don’t collect the last three characters of the users’ IP address. Find your Google Analytics and anonymize it. I have my Google Analytics script in my header.
Many are concerned that anonymizing the data will impact some things and it will skew your data a bit, however the main difference is that you won’t be able to analyze your data down to the IP level. I never snooped at the IP level, so for me, it wasn’t a big loss, but it will mean that I can’t do this going forward.
Check Google Analytics Settings
Check your Google Analytics settings for data retention and which data you’re collecting. Depending on your settings before this, you’ll want to head into Analytics -> Property [Your Blog] -> Administrator -> Property Settings. From here, you’ll want to shut off enable Demographics and Interests report unless you get permission to do this.
Next, head to Tracking Info within the Administrative tag then Data Retention to check how long individual data is retained. The lowest amount if 14 months. At the moment, cookies may not expire, but it’s a safe bet to decrease the amount of time that data is retained to minimize your risk with retaining users cookies.
You’ll also want to look under Tracking Info for Data Collection. At the moment, you can temporarily see people’s advertising information even if they’re logged into their their personal Google account. This may reveal personal information that a person may not intend to reveal and it’s best to shut off this feature as it’s a liability to your website’s data. Similarly, you must ask permission to have Advertising Reporting enabled for your users.
If your site is not already encrypted, then now is the time to get that certificate and transform your URL from HTTP to HTTPS. Hosting providers like Siteground give you the opportunity to encrypt your website using a free SSL certificate. In order to be GDPR compliant, you need to make sure that the data you’re collecting is as safe as possible and adding an SSL certificate to your site ensures extra protection.
Either way, it’s important to have a SSL certificate as Google is about to change the ranking algorithm to penalize HTTP websites without SSL certificates. Not having a SSL means that your users’ data might be vulnerable to leaks.