It’s become quite normal for us to share personal information online. Because of this, data protection regulation has been updated to make sure that the people collecting that information meet basic security and transparency standards.
These regulations set rules for how and when you (the ‘data controller’) can collect personal data (such as name, email address, location, postal address, IP address) and the special categories of personal data that the GDPR treats as sensitive (such as racial or ethnic origin, health, sexual orientation, religious or political beliefs) from the people using your website (the ‘data subjects’).
There’s been a lot of talk over the last six months about GDPR, and with it a lot of questions and worries about how it will affect bloggers, freelancers and small business owners. Hopefully this post will give you an overview of what GDPR means and how to be compliant when it comes into effect this year.
What is GDPR? What is Personal Data?
The General Data Protection Regulation (GDPR) was agreed in December 2015 and formally adopted in April 2016 to give individuals in the EU a common set of data protection rights. It is enforceable from 25th May 2018 and protects the personal data of people in the EU wherever that data is processed. There are already laws in place to do this, but the GDPR replaces the patchwork of national rules with one regulation that applies throughout the UK and EU.
You will now be required by law to 1) be transparent about the personal data you collect, 2) only gather personal data that is adequate, relevant and limited to what is necessary for the intended purpose of collection, and 3) have a lawful basis for using it. For a blog or small online shop that basis is usually the individual’s consent, or a contract with them (for example, you need a shipping address to deliver an order).
Per the GDPR, personal data is any information relating to an identified or identifiable individual, whether you can identify them directly (a name) or indirectly (an email address, an IP address, a cookie ID combined with other data you hold).
Does the GDPR apply to me?
The GDPR applies to anyone collecting data from people in the UK and EU. It is about where the individuals are, not their citizenship. You need to comply if you:
- Are established in the UK or EU, or process data on behalf of someone who is
- Offer goods and services (free or paid for) to those within the UK and EU
- Monitor the behaviour or activity of those in the EU, either online or offline (analytics, stats, profiling, retargeting, etc.)
So if you own a blog/website, have a mailing list, send newsletters, run an online shop or gather information for services and some of your users are within the UK and the EU, then you need to comply.
How do I comply with the GDPR?
You need to inform users that you are collecting their personal data and give details of what that data will be used for.
If you need to store that data for a purpose (like a mailing list, shipping address or billing details) then you need to comply with the new standards set for collecting, storing and processing data.
You can no longer use that information for anything other than its intended purpose, and you need to be explicit about the way you’re using and storing personal data.
- Breach Notification – You must report a breach that is likely to put people’s rights and freedoms at risk to the supervisory authority (the Information Commissioner’s Office in the UK) within 72 hours of becoming aware of it, and tell the affected users themselves without undue delay where the risk to them is high. Keep a log of every breach, including the ones you decide don’t need reporting, and why.
- Right to Access – Users have a right to a copy of the information you hold about them and an explanation of what you do with it, normally free of charge and within one month of asking.
- Right to Portability – Users can ask for the data they gave you in a structured, commonly used, machine-readable format (CSV or JSON, not a PDF), and can ask you to send it straight to another controller or service where that is technically feasible (such as when they are switching phone provider).
- Right to Erasure – Users have the right to be forgotten, meaning they can request the deletion of their accounts and personal information. You must delete it when, for example, the data is no longer necessary for the purpose you collected it for, or they withdraw consent and you have no other lawful basis for keeping it.
- Privacy by Design – You, the controller, must build data protection into your systems and processes from the start (the GDPR calls this data protection by design and by default) and take appropriate technical and organisational measures, such as encryption and limiting who can access the data, to protect it. You can be held liable for a breach where you failed to take such precautions.
- Data Protection Officers – You must appoint a Data Protection Officer (DPO) if you are a public authority, or if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data (such as patient information) or criminal records. The DPO is the person responsible for monitoring compliance, advising on data protection and acting as the contact point for the regulator. A blogger or a small software-as-a-service provider wouldn’t normally need to appoint one.
In order to comply you need to know what data you’re collecting about people, why you’re collecting it and how you’re keeping it safe. It really boils down to you being transparent and getting explicit consent.
How to prepare for GDPR
Firstly, there’s no need to panic. A lot of people have been worrying about this but once you are transparent about how and why you’re collecting data, you should be okay. Ask yourself the following questions:
- What personal data do you collect and store?
- Did you get it with the necessary consent? Did you inform users of the specific purpose for how you’ll use their data?
- Are you holding the data longer than necessary, and are you keeping it up to date?
- Are you keeping it safe and secure? Is access to it limited to the people who need it? Is it encrypted, both when it’s sent to you and where it’s stored?
It may be useful to create a document or spreadsheet answering the questions above, giving details of what personal data you hold about individuals from your site or email list, how and where you store it, why you need it and how you got consent. This is essentially the record of processing activities the GDPR describes, and it also tells you what you would have to hand over for an access request or delete for an erasure request.
Add a TLS certificate (still widely called an SSL certificate) to your site so that it is served over HTTPS. The GDPR doesn’t name HTTPS, but it does require appropriate security measures and explicitly mentions encryption, and any sign-up form, contact form or checkout served over plain HTTP sends the visitor’s personal data across the network in the clear. As discussed in 7 SEO action steps for bloggers wanting to grow their traffic, Google is also pushing for all sites to be secure. When you get your certificate, a padlock will appear next to your URL in the browser’s address bar and your URL will begin with HTTPS rather than HTTP. Bear in mind what the padlock does and doesn’t tell visitors: it means the connection between their browser and your server is encrypted and the certificate matches your domain, not that the data is handled safely once it reaches you. Check it by loading each page that has a form and confirming the browser shows https:// with no mixed-content warning.
What if I don’t comply with GDPR? What are the fees and penalties?
The GDPR has two tiers of fines. Failures such as inadequate security, poor record keeping or not reporting a breach can attract fines of up to €10 million or 2% of your worldwide annual turnover, and breaches of the core principles, of individuals’ rights or of the rules on consent and international transfers up to €20 million or 4% of worldwide annual turnover (whichever is greater in each case). Regulators can also issue warnings, reprimands and orders to stop processing; the maximum fine is the ceiling, not the starting point.
What about email marketing and newsletters?
This is a big talking point of the GDPR. You can no longer send marketing emails without explicit permission/consent, so unless someone has specifically signed up for a newsletter they shouldn’t receive it.
Under guidance published by the Information Commissioner’s Office (ICO, the UK regulator), marketers will need to factor the following considerations into future email marketing campaigns:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg. a binary choice given equal prominence).
- Granular: give granular options to consent separately to different types of processing wherever appropriate.
- Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
If the opt-in is included within another form (like a contact form or checkout process) then use an active opt-in so users have to tick a box themselves to hear from you. The GDPR specifically bans pre-ticked opt-in boxes as an invalid means of gaining consent. You should avoid opt-out checkboxes too, since consent can’t be assumed by default. The language used to request opt-in must be clear.
Implementing a double opt-in isn’t a requirement under the GDPR, but it is a good way to make sure that the owner of the address actually wants to receive communication from you, and the confirmation click gives you a dated record of their consent. Outline how their data will be used, how often they should expect to hear from you and what content the newsletter is likely to contain.
An individual’s data should not be added to a different mailing list, and they shouldn’t be sent information without having explicitly agreed to it in advance. So it’s best to say now that the list could potentially be used for updates on future products/services and have separate tick boxes for “yes, I’m signing up for the mailing list” and “yes to offers and updates on future products and services”. If you are importing your mailing list to another platform (like Facebook) to build advertising audiences, then you need explicit consent for that in advance, as a separate tick box naming the platform.
You need to tell people about their right to withdraw consent and to be forgotten, offering them easy ways to do this. In your newsletter, make sure that the option to unsubscribe is visible, that the process is simple (one click, no login) and that they have information about how to get their data erased.
Have a long list of newsletter subscribers? First check how each of them was signed up. If the consent you already hold meets the standard above (an active, specific opt-in that you can evidence), you don’t need to ask again. If it doesn’t, or you can’t tell, it might be a good idea to email those subscribers letting them know that due to new regulations you need them to re-confirm their subscription, and how they can unsubscribe or contact you to be erased. Anyone who doesn’t re-confirm should be dropped from the list.
What about using Google Analytics?
Google Analytics receives every visitor’s IP address, which the GDPR treats as personal data. With the classic analytics.js snippet you can ask Google to anonymise the address before it is stored (Google zeroes the last octet of an IPv4 address, or the last 80 bits of an IPv6 address) by setting the anonymizeIp field to true on the tracker, which applies to all hits sent from that tracker:
ga('set', 'anonymizeIp', true);
You still need to mention analytics in your privacy notice, and because Google Analytics sets cookies the cookie rules described below still apply.
What is the ePrivacy Regulation?
The ePrivacy Regulation is a separate piece of legislation that is still being worked on and, at the time of writing, is expected to be approved in 2019. It covers your right to privacy in electronic communications and will replace the ePrivacy Directive (the ‘Cookie Law’, implemented in the UK as PECR), which currently requires you to inform users and get their consent if you intend to store or read cookies on their device. The new regulation is expected to tighten the rules on consent for cookies, for online marketing and for using personal data across platforms (like for ad targeting).
TL;DR – GDPR Summary
The GDPR is enforceable from 25th May 2018 and aims to protect the rights of individuals and their data. If you collect data from people in the UK or EU, then you need to comply. Know what personal data you’re collecting, have a lawful basis (usually consent) and be transparent about why you need it and how you’re keeping it safe.
Keep in mind that this is still being worked on and guidelines are still being drawn up around certain areas (like cookies and retargeting for ads). There is a lot of information out there but don’t panic, make sure you can answer the what, why and where and demonstrate your intent to protect the data you hold.
Extra GDPR Resources
Official GDPR Info
Information Commissioner’s Office – GDPR
SuperOffice – GDPR for Marketing (with examples)
Hubspot – GDPR
WPMU DEV – GDPR Compliance
Blogtacular Podcast – GDPR Basics with Zoe Findon
GDPR Compliance for WooCommerce Stores
CodeinWP – Complete WordPress GDPR Guide
Google Analytics and GDPR
Mailchimp GDPR Guide and PDF Guide
WordPress.com and GDPR