GDPR, which stands for General Data Protection Regulation, is an EU privacy law enacted to protect the personal data and privacy rights of people in the EU (not only EU citizens: anyone whose data is processed while they are in the EU is covered).
The GDPR law has caused quite a bit of panic among website owners because violations can incur large fines. But you don’t need to panic!
First – a fine is not the only tool a supervisory authority has. Warnings, reprimands + orders to bring your processing into line are all on the table, and fines are scaled to the nature and severity of the violation, so a small site making a good-faith effort is very unlikely to see the headline figures. That said, a warning before a fine is not guaranteed, so don’t treat it as a free first strike.
Second – there are lots of easy steps you can take to keep your website GDPR compliant.
There are tons of resources online about GDPR, so we aren’t going parse out every detail of the law here, but this post will give you a generous head-start in getting GDPR-compliance-ready.

When You Need to be GDPR Compliant
The law applies not only to EU-based websites, but to any website that processes the personal data of people in the EU. In practice, if your site receives traffic from EU countries and records anything about those visitors (an IP address in a server log counts), you should assume GDPR applies to you.
Personal data includes things like location, IP addresses, demographics, connected social media accounts, identifiers stored in cookies (used to track viewing history), etc., that you might then use to deliver relevant content + ad campaigns.
If your website genuinely does not collect any personal data (including IP addresses), does not use cookies, + has no contact forms or newsletters, there is nothing you need to do. Be careful before concluding that, though: almost every web server and hosting provider logs visitor IP addresses by default, so check your access logs + your host’s logging settings before you rely on this exemption.
Step 1 — Give an Actionable Option for Consent
Before GDPR, website owners used to be able to just offer a privacy policy about how viewer information is collected + processed.
Today, consent is only one of the lawful grounds for processing, but for anything optional, like newsletters, marketing, and analytics or tracking cookies, website owners need explicit, freely given opt-in consent from the user, and they must be able to show that they obtained it.
This means that you can no longer simply state that “continued use of this website constitutes consent and agreement with the site’s privacy policy.” Silence, inactivity + continued browsing do not count as consent.
Step 2 — Remove Pre-Checked Boxes
If you sign up for a freebie — like my Newsletter, for example — you’re doing so on a sign-up form that you fill out manually. You type in your name + depending on what form you use, you sometimes manually check a box to become a Newsletter Subscriber, too.
Some sign-up forms, including but not limited to Newsletter Subscriptions, come with pre-checked options. Under GDPR, it is not acceptable to use pre-checked boxes when obtaining consent to collect + process personal data.
Users must provide clear, affirmative consent, and if checkboxes are used, they must be unchecked by default and ticked by the user. Keep one checkbox per purpose, too: a single box that bundles “send me the download” with “and sign me up for marketing” is not a valid consent for the marketing part.
If you’d like to add an opt-in checkbox to your Mailchimp signup forms, see this article.
Step 3 — Post a Consent Notice
A consent notice should include:
- How data is collected (in easy-to-understand language)
- Why you collect it (the purpose of each category of data)
- How long their personal data will be retained
- Who you’ll share the data with (if anyone)
- The exact types of data that will be collected through use of the website
- Whether or not the website uses “cookies” to achieve that, and for what purposes
You should only collect the minimum amount of data necessary for your intended purpose, + GDPR requires all personal data to be stored securely. Note both of these in your consent notice, too.
Step 4 — Visible Contact Page
Website visitors need an obvious place to get in touch with website owners regarding their information. Your basic website contact page is fine for this purpose, so long as you test it periodically + keep any addresses listed on the page up-to-date.
It must be easy for visitors to make contact should they wish to exercise their rights: to be forgotten (erasure), to request a copy of any data that is collected + processed (access), and to check + correct their personal data (rectification). You generally have one month to respond to such a request, so make sure the inbox behind that contact form is actually monitored.
Step 5 — Add a “Cookie Notice”
A cookie notice message informs users that your site sets cookies + obtains their consent before any non-essential cookie (analytics, advertising, social media embeds) is set. Cookies that are strictly necessary for the site to work, such as a login session or a shopping cart, do not need consent, but everything else should stay off until the visitor actively opts in, not merely until they keep scrolling.
A cookie notice is a requirement for compliance with both GDPR and the EU’s ePrivacy Directive (the “EU cookie law”).
To add a cookie notice to your site, I recommend this plugin, which features lots of customization + placement options. Whatever plugin you use, check that it actually blocks the tracking scripts until consent is given; a banner that only displays a message while the cookies get set anyway is not compliance.
Step 6 — Have a Data Removal + Data Breach Emergency Plan
In the event that a website visitor chooses to be “forgotten” (aka have their data removed from your possession), it is useful to have a mechanism in place that lets that happen automatically via the website. Manually completing that task would be time-consuming, especially if you receive multiple requests, and remember that the data may live in more than one place: your database, your mailing-list provider, your analytics + your backups.
I only use user data for sending + advertising relevant content to people who have opted in on my email list. Since I use MailChimp to store my email list — and I highly recommend that you do, too — MailChimp provides the GDPR tooling for the list itself (so long as I use their GDPR-friendly forms + fields). I am still the data controller, so what I do with the list remains my responsibility. Users can unsubscribe in one click + have all of their data erased entirely.
In the event of a data breach, which is something I never expect from a robust platform like MailChimp (but it still happens), they also have policies in place to deal with data breaches on their back-end.
If I had printed my email list + it got into the wrong hands, I would need to notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and where the breach is likely to put people at high risk, tell the affected subscribers directly as well. I’d also send a more personal email to my followers explaining as much detail + direction as possible.
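As an added example (not code from the original post, from MailChimp or from any WordPress plugin), here is what the self-service mechanism described in Step 6 looks like: a small handler that fulfils access, rectification and erasure requests against the site’s own records. The two stores and the sample subscriber are constructed for this example; a real site would back them with its database and also forward the request to third parties such as the mailing-list provider. It assumes that order records must be kept for accounting, so erasure anonymises them instead of deleting them, and that the erasure log keeps only a receipt (request id, time, counts) and never the personal data itself.

```javascript
// Added example: data-subject request handler (not the original post's code).
// Constructed sample data: a subscriber store and an order store that both
// hold personal data keyed by email address.
const subscribers = new Map([
  ['alice@example.com', { name: 'Alice', consentedAt: '2018-06-01', ip: '203.0.113.7' }],
]);
const orders = [
  { id: 'o-1001', email: 'alice@example.com', total: 42 },
  { id: 'o-1002', email: 'bob@example.com', total: 7 },
];
// Receipts only: no personal data is ever written here.
const erasureLog = [];

// Requests arrive with whatever capitalisation the person typed.
function normaliseEmail(email) {
  return String(email).trim().toLowerCase();
}

// Right of access: return a copy of everything held about the subject, by store.
function exportSubjectData(email) {
  const key = normaliseEmail(email);
  const subscriber = subscribers.get(key);
  return {
    subscriber: subscriber ? { ...subscriber } : null,
    orders: orders.filter((o) => o.email === key).map((o) => ({ ...o })),
  };
}

// Right to rectification: only listed fields may be changed, so a request
// cannot overwrite the consent timestamp or other audit fields (assumed policy).
const RECTIFIABLE = new Set(['name']);
function rectifySubjectData(email, changes) {
  const record = subscribers.get(normaliseEmail(email));
  if (!record) return false;
  for (const [field, value] of Object.entries(changes)) {
    if (!RECTIFIABLE.has(field)) throw new Error(`field not rectifiable: ${field}`);
    record[field] = value;
  }
  return true;
}

// Right to erasure: drop the subscriber record, strip the identity from orders
// that must be retained for accounting, and log a receipt with no personal data.
function eraseSubject(email, requestId) {
  const key = normaliseEmail(email);
  const subscriberRemoved = subscribers.delete(key);
  let ordersAnonymised = 0;
  for (const order of orders) {
    if (order.email === key) {
      order.email = null;
      ordersAnonymised += 1;
    }
  }
  erasureLog.push({ requestId, at: new Date().toISOString(), subscriberRemoved, ordersAnonymised });
  return { subscriberRemoved, ordersAnonymised };
}
```

Once a subject has been erased, a repeat access request returns nothing for them, and the receipt in the log proves the request was honoured without itself becoming a copy of the data you just deleted.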
Step 7 — Edit Your Analytics
As of summer 2018, Google Analytics was not GDPR compliant out-of-the-box. This gives you two options:
- Make some manual adjustments within Google Analytics: turn on IP anonymization, shorten the data-retention period, switch off the data-sharing + advertising features you don’t use, and don’t load the tracking script at all until the visitor has consented. Here is a helpful article that goes over 5 steps you can take to improve GDPR compliance.
- Forego using the Google Analytics script (obtained directly from your GA dashboard) and use this plugin instead, which has an “EU compliance add-on” for their Basic Plan.
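Steps 1, 2, 5 and 7 all come down to the same rule in code: nothing optional runs until the visitor has actively said yes. As an added example (not code from the original post, nor from any of the plugins it links to), here is a minimal browser-side consent gate that only injects the Google Analytics tag after an explicit Accept, treats “no decision yet” exactly like Decline, and configures the tag with the anonymize_ip setting that the Universal Analytics loader accepted when this post was written. The cookie name, the six-month re-consent window and the measurement id are placeholders chosen for this example; the loader URL and the gtag/dataLayer shape are Google’s standard snippet.

```javascript
// Added example: opt-in consent gate (not the original post's code).
const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const CONSENT_MAX_AGE_DAYS = 180;          // assumed re-consent window
const GA_SCRIPT_URL = 'https://www.googletagmanager.com/gtag/js?id=';

// Read the stored decision from a document.cookie-style string.
// Returns 'granted', 'denied', or null when no valid decision is stored
// (an unknown or tampered value is treated as "never asked").
function readConsent(cookieString) {
  for (const pair of (cookieString || '').split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    if (pair.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    const value = decodeURIComponent(pair.slice(idx + 1).trim());
    return value === 'granted' || value === 'denied' ? value : null;
  }
  return null;
}

// Serialise a decision for document.cookie. Secure + SameSite=Lax so the
// consent record is not leaked or forged cross-site; Max-Age so the visitor
// is asked again once the window expires.
function consentCookie(decision) {
  if (decision !== 'granted' && decision !== 'denied') {
    throw new Error('decision must be "granted" or "denied"');
  }
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Only an explicit 'granted' unlocks analytics. null (the visitor just kept
// browsing) and 'denied' both keep it off: continued use is not consent, and
// nothing is pre-ticked on the visitor's behalf.
function analyticsAllowed(decision) {
  return decision === 'granted';
}

// The gtag config call issued once analytics is allowed; anonymize_ip tells
// GA to truncate the visitor's IP address before storing or using it.
function gaConfigArgs(measurementId) {
  return ['config', measurementId, { anonymize_ip: true }];
}

// Inject the GA loader and issue the config call. `doc` and `win` are passed
// in so the gate can be driven (or tested) outside a real browser.
function loadAnalytics(doc, win, measurementId) {
  const script = doc.createElement('script');
  script.async = true;
  script.src = GA_SCRIPT_URL + encodeURIComponent(measurementId);
  doc.head.appendChild(script);
  win.dataLayer = win.dataLayer || [];
  win.gtag = win.gtag || function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag(...gaConfigArgs(measurementId));
}

// Page entry point: honour a stored decision, otherwise show the banner.
// Accept and Decline are separate explicit actions; there is no
// "dismiss means yes", and the visitor can keep browsing with analytics off.
function initConsentGate(doc, win, measurementId) {
  const decision = readConsent(doc.cookie);
  if (analyticsAllowed(decision)) {
    loadAnalytics(doc, win, measurementId);
    return;
  }
  if (decision === 'denied') return;
  const banner = doc.createElement('div');
  banner.innerHTML =
    '<p>This site uses analytics cookies. Do you consent?</p>' +
    '<button data-consent="granted">Accept</button> ' +
    '<button data-consent="denied">Decline</button>';
  banner.addEventListener('click', (ev) => {
    const choice = ev.target.getAttribute && ev.target.getAttribute('data-consent');
    if (!choice) return;
    doc.cookie = consentCookie(choice);
    banner.remove();
    if (analyticsAllowed(choice)) loadAnalytics(doc, win, measurementId);
  });
  doc.body.appendChild(banner);
}

// In a real page this runs on load; 'G-XXXXXXX' is a placeholder id.
if (typeof document !== 'undefined') {
  initConsentGate(document, window, 'G-XXXXXXX');
}
```

The point to check on any consent plugin you adopt is the same one this code makes explicit: the `<script>` tag for the tracker must not exist in the page until after the Accept click, because once the loader runs it sets its cookies immediately.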
Step 8 — Edit Your e-Commerce Platform
I’m not familiar with other e-commerce platforms at-length, but if you’re using WooCommerce on your site, there are steps you can take to be GDPR compliant. Here are some helpful articles:
- WooCommerce and the GDPR (official guide from WooCommerce)
- 12 steps to make a WooCommerce website GDPR compliant
Other Resources
There is no “one size fits all” solution for GDPR compliance, since every site is made differently. If you would like to learn more about GDPR and compliance in WordPress, here are some great articles:
- The Ultimate Guide to WordPress and GDPR Compliance
- The Lowdown on GDPR Compliance for WordPress Users
- GDPR Compliance Tools in WordPress
- GDPR for U.S. Based Websites
Disclaimer
The recommendations above are not exhaustive; even if you follow every suggestion, that doesn’t guarantee your website will be fully GDPR compliant. Full compliance will depend on what plugins, scripts, etc. you are using on your site.
I am not a lawyer, + I don’t play one on the internet. This article should not be considered legal advice. Please consult a lawyer for specific information regarding your website + GDPR compliance.