Stronger rules on online data protection begin on May 25, 2018.
The General Data Protection Regulation (GDPR) is a European Union regulation that controls how companies and other organizations handle personal data and user consent.
It has major implications for websites serving individuals from the European Union. And yes, it likely applies to you, even if you’re US-based.
Does the GDPR apply to me if my company and clients are in the US?
It does if you process personal data about EU residents (even if you are based outside of the EU).
That means if you have EU residents on your email list, as customers, as employees, as contractors, or as service providers, then it applies.
What does the GDPR mean for my website?
If your website serves individuals from the EU and either you or embedded third-party services (e.g. Google, Facebook) process any kind of personal data, you need to obtain prior consent from the visitor.
To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.
You must also provide an easy way for visitors to change or withdraw consent. All consent must be logged as proof and all tracking of personal data, including data held by embedded third-party services, must be documented.
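The four requirements above (consent before processing, plain-language purpose text, withdrawal, and a log kept as proof) can be enforced in code. This is an added example, not from the original post or any of the plugins it mentions; the purpose texts, visitor ids and in-memory storage are constructed for illustration, and a real site would persist the log server-side.

```javascript
// Plain-language purpose descriptions shown to the visitor (constructed sample text).
const PURPOSES = {
  analytics: "Measure how visitors use this site (analytics cookie)",
  marketing: "Send you our email newsletter with information and offers",
};

// Append-only consent log: every grant and every withdrawal is kept as proof.
function createConsentLog() {
  const entries = [];
  return {
    // Record an explicit choice. Only checked === true counts as consent;
    // a pre-selected box, an unchecked box, or silence never grants anything.
    record(visitorId, purpose, checked, now = new Date()) {
      if (!(purpose in PURPOSES)) throw new Error("unknown purpose: " + purpose);
      entries.push({
        visitorId,
        purpose,
        granted: checked === true,
        wording: PURPOSES[purpose], // exact text shown, so the proof matches that version
        at: now.toISOString(),
      });
    },
    // Withdrawal is just another logged decision, so the history is never lost.
    withdraw(visitorId, purpose, now = new Date()) {
      this.record(visitorId, purpose, false, now);
    },
    // Default deny: with no entry there is no consent; otherwise the latest entry decides.
    hasConsent(visitorId, purpose) {
      const history = entries.filter(e => e.visitorId === visitorId && e.purpose === purpose);
      return history.length > 0 ? history[history.length - 1].granted : false;
    },
    entries() {
      return entries.slice();
    },
  };
}

// Gate a processing step (e.g. injecting an analytics or social-widget script)
// on consent. Returns whether the action ran, so callers can audit skipped steps.
function runIfConsented(log, visitorId, purpose, action) {
  if (!log.hasConsent(visitorId, purpose)) return false;
  action();
  return true;
}
```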
So, what do you need to do right away?
1. Notify website visitors at point-of-data collection
GDPR requires a high standard of consent to data collection and processing. It says you must inform people (the data subjects) at the point of data collection.
On a website, this would typically happen in 2-3 ways:
a. Cookies for analytics tracking.
If you use any type of website statistics, or display social widgets and buttons on your website, the website visitor is being tracked with cookies. You must inform them that you are doing so with a cookie consent banner or pop-up, like the one we’re using on our own site:
We recommend the Cookie Notice by dFactory plugin for this purpose.
A typical notice can be provided as follows (image courtesy of ICO.org):
b. Email marketing subscribe forms.
Your email opt-in forms must obtain consent and clearly notify the data subject what data you are collecting and why. For example:
- A checkbox that is NOT pre-selected (e.g. “I agree to receive email with information and commercial offers from [Your Website]”)
c. Other website forms, such as comment and contact forms.
WordPress plugins and Drupal modules collect personal data via forms. For example, to comment on an article you need to provide your name and email address. You will need to add a checkbox or disclaimer to your website forms to obtain consent.
The WordPress team is working on adding native GDPR features into the software. However, we don’t know when it will be ready and whether it will work with comments and contact forms.
In the meantime, the best option may be to go with a plugin like WP GDPR Compliance (free) or the All-in-One GDPR plugin (paid), but be aware that both of these (and other plugin options) only support certain types of forms. Be sure to pick one that matches your requirements.
Below is the one we’re using:
2. Have a plan for when people ask about their personal data
The other part of GDPR that you need to be concerned about is the data subject’s rights to rectification (correction), erasure (to be forgotten) and data portability (to export their data).
More often than not, you’ll be dealing with requests to opt-out of your email marketing lists. Most email providers make this easy and include a mandatory 1-click unsubscribe link in your emails as well as a profile update function.
Note that for WordPress users, once GDPR features are added, it should also be much easier to find and delete a data subject’s records from your blog.
Finally, if your website or email marketing account gets hacked, be sure to be upfront about it and notify your website members/subscribers immediately. Prevention is better than a cure, so make sure you have strong passwords!
Don’t forget, your privacy notice must appear on every page of your site, too. Here’s the one Bean Creative is now using on our site.
b. Add opt-in wording to my sign-up box
If you have a sign-up box on your website that collects email addresses etc. in return for your newsletter or other free opt-in service(s), ensure that you have GDPR-compliant opt-in wording at the point of collection (i.e. underneath the sign-up box) together with a link to your Privacy Notice.
c. Obtain GDPR-compliant consent for electronic marketing communications
If you do not have compliant consent, email your user list to obtain new consent – and make sure you have a system for managing opt-outs and withdrawals of consent. GDPR requires you to keep records of opt-outs.
Be sure to confirm that your email marketing system manages this for you!
PHEW. If you need a tl;dr version, here’s what we did to get the Bean Creative site ready for GDPR:
- SSL/TLS setup (this ensures visitors go to an https site, which protects data in transit and is in line with SEO best practices, too)
- Added a GDPR plugin to insert a terms and conditions checkbox to our contact form
- Added a cookies popup/warning (shown above)
- Updated our email sign-up opt-in language
Need some further reading and resources to get started?
- General Data Protection Regulation PDF download
- 2018 reform of EU data protection rules
- Infographic: Better rules for small business
- International Association of Privacy Professionals GDPR resources
- Personal information online code of practice
- Bloomberg Law free trial GDPR Practical Guidance Suite
Big Honking Disclaimer
We need to make it abundantly clear that we’re not lawyers and we are not dispensing legal advice. This is Bean Creative’s understanding of what website owners can do to make a best effort to comply with GDPR.
Let us know how we can assist you and we can navigate these waters together! And if you want more goodness like this deep-dive, be sure to sign up for our Bean Beat email newsletter using our GDPR-compliant form 🙂