Disclaimer: This post has been created to help bloggers better understand GDPR. I am not a lawyer and this is in no way legal advice. As the owner of your site, it is your responsibility to be aware and make sure you are in full compliance with GDPR regulations. I am not liable for any advice taken from this post.
As you’ve probably heard over and over by now, there is a new piece of legislation for the European Union (EU) called the General Data Protection Regulation (GDPR) that went into effect on May 25th. If you’ve felt a little overwhelmed about getting your site GDPR compliant, you’re not alone!
I’m definitely a dummy when it comes to technical legal stuff like the GDPR. I need stuff like this broken down into the simplest terms possible in order for me to understand it, so that’s what I’ve tried my best to do here for you today. I’ve gone through (to the best of my ability) all of the legal jargon and have simplified it in the hopes of helping other blogger dummies out there like me better understand it.
Hopefully, these simplified explanations will help you understand GDPR for bloggers a little better and will help you in getting your site GDPR compliant.
What is GDPR?
GDPR is a new set of regulations designed to give EU citizens more control over their personal information. If your website collects or stores any data related to an EU citizen (even if you aren’t located in the EU), then you are subject to this law because you have the information of an EU citizen. If your website serves even one EU citizen, then the law requires you to do the following:
- explain to EU citizens who you are, why you collect data, and how long the data will be stored
- allow EU citizens to access and/or delete their data
- get consent from EU citizens before collecting any of their data
- let EU citizens know if any data breaches occur
Does GDPR apply to me?
If you can answer yes to any of the following questions, then yes, GDPR applies to you and you need to get your blog GDPR compliant.
- Do you have at least one blog reader, email subscriber, customer, etc. that lives in the EU?
- Does your site allow commenting?
- Do you sell products or make any type of money from your blog or website?
- Do you have a mailing list that collects the personal information (name, email address, etc.) of its subscribers?
- Does your site use a contact form?
- Do you use any security tools or security-type plugins?
- Does your site use Google Analytics?
How do I make my blog GDPR compliant?
This is by no means an exhaustive list but gives you a few main things you can do to get your blog GDPR compliant (remember, it’s your responsibility to make sure your site is fully compliant):
- Update WordPress: if you are using WordPress, be sure it is updated to the latest version.
- Plugins & Themes: make sure all of your plugins and themes are updated to the latest version. Also, double check that all of the plugins you use are in compliance with GDPR rules and remove any that aren’t.
- Audit Your Data: go through your site and make a list of everywhere user data is stored. This might include things like cookies, comments, order forms, forums, physical documents, email, third party services, etc. Document what personal data you hold from each, where it came from, and who you share it with.
- Secure your site: ensure that your site has an SSL/TLS certificate so it is served over https instead of http. Contact your hosting provider for help with this.
- Install a GDPR plugin: I recommend WP GDPR Compliance, which adds checkboxes to your contact forms, comments, etc. and provides a feature that allows users to request an email notifying them of the data collected by your website.
- Third Party Services: make sure all of the third party services you use (your newsletter platform, your payment system, your ad networks, your affiliates, your analytics service, etc.) are all in compliance and that you understand how they will be using & storing the information they collect from your readers. Most of these companies have been busy over the last few months making improvements to their platforms to be compliant, which in turn makes you compliant, but you should still double check each one to make sure you’re covered.
- Email list: make sure your list provides an easily accessible way for subscribers to opt-out or unsubscribe.
- Opt-ins: make sure your site does not have any auto opt-ins enabled (this means that you can’t be automatically subscribing people to your mailing list or other lists without their explicit permission).
- Examples of this:
- automatically subscribing users to a list when they purchase/download a product from your site, submit a contact form, email you, etc. << NOT OKAY! USERS DID NOT GIVE EXPLICIT PERMISSION
- when users go to a checkout page and you have a checkbox that reads something like “[x] Yes, sign me up for your newsletter” and you have the box checked by default << NOT OKAY! USERS MUST BE THE ONES TO CHECK THE BOX–IT CANNOT BE AUTO-CHECKED.
How do I Update My Privacy Policy to be GDPR compliant?
First off, if your blog doesn’t have a privacy policy in place, you absolutely need to get one added ASAP in order to be GDPR compliant. Having a privacy policy in place provides a safeguard for both you and your visitors.
A great service you can use to generate a privacy policy is TermsFeed.* Their generator will ask you a series of questions related to your blog/website. Based on your answers, it will construct a privacy policy specifically designed for your site. It will even add all of the legal jargon required to show that your site is GDPR compliant. This service does cost money, but if you enter the code DSCNTMONTH10 at checkout it will give you 10% off any premium agreement.
What happens if my site isn’t fully GDPR compliant?
If your site isn’t fully compliant, the ultimate fine is €20 million (or $23+ million U.S. dollars)! Ouch! But here’s the thing. They aren’t going to slap you with a fine like that without a warning first. According to the European Commission, the process for non-compliance goes as follows:
To be honest, the likelihood of a blogger being fined is probably pretty low, BUT you should still do everything you can to make sure your blog is fully compliant. It not only will ensure you don’t get fined, but it also makes the internet a safer place for everyone.
This obviously only skims the surface of the complexities of the GDPR. Hopefully, it has simplified the main points enough to help you feel like you have a good enough handle on it. For all of the technical details about the GDPR, please visit eugdpr.org.
*TermsFeed is an affiliate, which means your clicks and purchases help support Designer Blogs at no extra cost to you. We only recommend products we absolutely love.
Thanks so much for sharing this info! The WP plugin is super helpful, too!