Updating Your Website for GDPR (an #AuthorToolBoxBlogHop Post)

This post is part of the monthly Author ToolBox Blog Hop, organised by Raimey Gallant. We now have over 40 blogs participating. To find more Blog Hop posts:

Click here to visit the main Blog Hop page
Click here to find our posts on Twitter
Click here to find our Pinterest board

GDPR and Your Website

My April #AuthorToolBoxBlogHop post introduced GDPR. Here are the main highlights:

  • The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018.
  • If you process or hold the personal data of EU residents, it applies to you no matter where you are based.

In other words, GDPR applies to me even though I’m not based in the EU. It probably applies to you as well.

Since writing that post, I’ve read thousands of words of blog posts and watched or listened to hours of YouTube videos and podcasts to try to understand what we have to do by 25 May to comply with GDPR.

First, the PSA. I’m not a lawyer, so none of the information in this blog post is legal advice. It’s my best guess as a layperson who has studied the subject. If you want legal advice, you ask a lawyer who is qualified to practice in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don’t get legal advice off the internet.

The first thing to remember is that the world is not ending. As British lawyer Suzanne Dibble says:

“The GDPR mandates organizations to put into place comprehensive but proportionate governance measures.”

“Proportionate” is important. It means that you and I, as one-person organisations, aren’t going to be expected to have all the data protection bells and whistles of, say, British Airways. But we still have to be responsible about the way we collect and process personal data, and we’re still accountable for that.

It’s the Golden Rule in practice.

We need to treat the personal information we hold in the same way we’d want others to treat our own data.

Note that personal information is defined as any information relating to an identified or identifiable natural person. This includes names and email addresses, and can also include IP addresses and website cookies. At the most basic level, GDPR is about respecting the privacy of individuals. I’m sure we can all agree with that.

The other thing to remember is that the ICO isn’t going to be actively monitoring our GDPR compliance. Organisations will be investigated only if a complaint is made against them.

What Do I Need to Do?

There are actually a few things you can or should do if you have a website. Here are eight points I think are the most important:

1. SSL Certificate

If your website doesn’t already have an SSL certificate, it may be worth getting one for the added layer of security and the Google benefits. If you haven’t yet set up your website, I would definitely recommend using SSL from the beginning.

Many web hosts (e.g. BlueHost) provide a free SSL certificate with their hosting packages. Alternatively, NameCheap offers SSL certificates starting at $9/year (see this blog post from Nuts and Bolts for more information).

Neil Patel at Kissmetrics has a detailed post on the subject.

2. Update Your Privacy Policy

If you don’t already have a Privacy Policy, now is a good time to develop one. You already need one under Californian law (CalOPPA), if you use Google Analytics, or if you’re an Amazon affiliate.

There are plenty of free and paid resources online to help you. I’ve checked out several options:

Auto Terms of Service and Privacy Policy WordPress Plugin

Auto Terms of Service and Privacy Policy is a free WordPress plugin. I added this to my author website, and found it had no customisation, no reference to GDPR, and fails the plain English test. I’ll be replacing this ASAP.

Free Privacy Policy

Free Privacy Policy is customisable and produces a solid policy, but has no reference to GDPR. On the plus side, free meant free, and the form was easy to fill out. But it won’t be valid after 25 May.

DGD Deutsche Gesellschaft für Datenschutz

The only free GDPR-compliant policy I found was from a German website (click here). The policy is customisable, and available in your choice of English or German. However, the stilted English suggests the policy has been written in German and translated. I’d rather have a policy that was written in English.

Terms Feed

Terms Feed offers a “free” Privacy Policy, but you have to pay for certain necessary customisation, like the GDPR verbiage. My quote was $61, so I didn’t download it.

Privacy Policies

Privacy Policies charge $29.99 for a commercial policy (with “commercial” including anyone who is using affiliate links, or marketing or selling any product or service). The policy is customised, but I didn’t buy it so I don’t know how good it is or whether it covers GDPR.

iubenda.com

Randy Ingermanson of Advanced Fiction Writing recommends iubenda.com. The free policy covers next to nothing, so most authors will need the paid version, which is $27 per year. The policy is customisable, but I found there were too many options to choose from, and it didn’t include some of the plugins I use. I didn’t get a policy, but you can see Randy’s here: Privacy Policy. Note that it’s stored at the iubenda website, not on Randy’s own site. I prefer something that’s stored on my own site, so I know it isn’t updated without my knowledge.

Zegal.com

Another good option is Zegal.com, which offers free privacy policies tailored for New Zealand or Australia. Mine was clear, easy to read, and easy to understand, but it’s not GDPR-compliant (although there is a paid version which is).

I’ve used the Zegal policy as the basis for my updated Privacy Policy, and added extra sections as advised by WordPress.

Suzanne Dibble

Suzanne Dibble, a British lawyer and expert in the subject, has put together a full GDPR pack. It’s not cheap (GBP 197) but covers everything. To see what’s in the pack, check out this blog post from Shannon Mattern: How to Get Your Website Ready for GDPR.

Suzanne also has a free Facebook group and lots of videos. This is the most important (and the longest):


Don’t copy someone else’s Privacy Policy without permission, or you will be infringing on the copyright of the lawyer who wrote that policy. As writers who want our copyright to be respected, we need to respect the copyright of others.

Even if someone has given permission to copy their policy, read it carefully and revise if necessary. It might not include the information you need, either because they use things you don’t, or because you use things the policy doesn’t refer to. And it might use the wrong language for your brand. For example, this NSFW policy from Writers HQ contains all the necessary legal information, but the language is all wrong for my audience. And probably yours.

3. Terms and Conditions

If you are selling directly from your website, you should consider a terms and conditions policy. I’m currently using the extreme legalese of Auto Terms of Service and Privacy Policy, but I will look at this again.

4. Cookie Policy

Most websites use cookies, and EU law requires website owners to advise visitors of this fact, and obtain their consent to using cookies. WordPress plugins such as the EU Cookie Law Widget help site owners comply.

Click here to learn more about cookies. Cookies can be addressed as part of your Privacy Policy, or in a separate Cookie Policy.

If you use WordPress, check out the GDPR Cookie Compliance plugin.
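The cookie rule in practice is “no non-essential cookie until the visitor has said yes”. The following is an added example, not code from the post or from either plugin mentioned above, showing the logic a consent gate needs: a default-deny decision for anything that isn’t strictly necessary, a stored consent record that carries the policy version and the time of the choice, and a re-ask when the policy changes or the cookie is missing or tampered with. The cookie name `cookie_consent`, the version string, the category names and the `MemoryJar` stand-in for `document.cookie` are all assumptions made for this example.

```javascript
// Added example: gate non-essential cookies behind an explicit, recorded consent choice.
// CONSENT_COOKIE, POLICY_VERSION, the category names and MemoryJar are assumptions for this example.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the cookie holding the visitor's decision
const POLICY_VERSION = "2018-05";        // bump when the cookie policy changes, so visitors are asked again
const CONSENT_MAX_AGE = 180 * 24 * 3600; // re-ask after six months (seconds)

// decodeURIComponent throws on malformed input; a broken value is just treated as opaque text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return out;
}

// Return the stored consent decision, or null when there is no valid decision yet
// (no cookie, unparseable cookie, or a decision made under an older policy version).
// null means: show the banner and set no non-essential cookies.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.version !== POLICY_VERSION) return null;
    if (typeof c.analytics !== "boolean" || typeof c.marketing !== "boolean") return null;
    return c;
  } catch (e) {
    return null; // tampered or truncated cookie: treat as no consent
  }
}

// Build the cookie string that records an explicit choice.
// Only strict booleans are stored: an unticked box is "false", never "true" by default.
function buildConsentCookie(choices, now = new Date()) {
  const record = {
    version: POLICY_VERSION,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    at: now.toISOString(), // when the choice was made, for the consent record
  };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
    `; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Default-deny: anything that is not strictly necessary needs a recorded "true" for its category.
function cookieAllowed(category, consent) {
  if (category === "essential") return true;
  return consent !== null && consent[category] === true;
}

// Set a cookie on `jar` (document in a browser) only if its category is permitted.
// Returns true when the cookie was set, false when it was blocked.
function setCookie(jar, name, value, category) {
  if (!cookieAllowed(category, readConsent(jar.cookie))) return false;
  jar.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
  return true;
}

// Constructed stand-in for document.cookie so the example runs outside a browser:
// assigning a "name=value; attrs" string adds or replaces that one cookie, as document.cookie does.
class MemoryJar {
  constructor() { this.store = new Map(); }
  get cookie() {
    return [...this.store].map(([k, v]) => `${k}=${v}`).join("; ");
  }
  set cookie(str) {
    const pair = str.split(";")[0];
    const idx = pair.indexOf("=");
    if (idx !== -1) this.store.set(pair.slice(0, idx).trim(), pair.slice(idx + 1).trim());
  }
}

// Walk-through on the in-memory jar: analytics is blocked until consent is recorded, marketing stays blocked.
function demo() {
  const jar = new MemoryJar();
  const before = setCookie(jar, "_ga", "GA1.2.12345", "analytics");  // blocked: no decision yet
  setCookie(jar, "session", "abc123", "essential");                   // always allowed
  jar.cookie = buildConsentCookie({ analytics: true, marketing: false });
  const after = setCookie(jar, "_ga", "GA1.2.12345", "analytics");    // now allowed
  const marketing = setCookie(jar, "ad_id", "xyz", "marketing");      // still blocked
  return { before, after, marketing, cookies: Object.keys(parseCookies(jar.cookie)) };
}

console.log(demo());
```

In a browser, `setCookie(document, ...)` works unchanged, and the banner’s “accept” handler would assign `buildConsentCookie(...)` to `document.cookie`. The point of the version check is that a policy change invalidates old consent automatically instead of relying on every visitor to notice the new policy.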

5. Update Your Email Signup Forms

Once you have created (or updated) your Privacy Policy, you will need to update your email signup forms to include a reference or link to your Privacy Policy.

Your signup form must also make clear that subscribers are signing up for your email newsletter, and that they will receive marketing information. You can also give them a free book or other gift for signing up, as I do. But it has to be in that order:

Sign up for my monthly newsletter and receive a free gift.

is probably acceptable (probably, not definitely). This is not:

Want a free gift? Sign up here.

Why is that second example not acceptable? Because it doesn’t make it clear that the user is being signed up to an email list. What about this?

Want a free gift? Sign up here, and I’ll add you to my email list.

This isn’t acceptable under GDPR because it ties the free gift to signing up to the newsletter. Yes, this looks the same as my first example. Semantics. Even the lawyers I’ve listened to don’t agree on this one.

6. Update Your Contact Form

Most websites have a contact form (e.g. Contact Form 7, Gravity Forms, or Ninja Forms). Contact forms collect information such as the person’s name, email address, and IP address. You’re allowed to collect this information, as it’s a legitimate business interest that will enable you to answer their query. But you still need to disclose you are collecting and storing this information (even though it seems obvious).

Your Privacy Policy will need to include what information you collect on your contact form, and what it is used for. The WP GDPR Compliance plugin for WordPress will add a tickbox to your Contact Form 7 or Gravity Forms contact form. It takes about two minutes to install and activate.

7. Update Your Comments Form

Most blogs have a comments section. This collects your name, website, email address, and IP address, as well as your message. This is private information, and is stored by WordPress, so we need consent to store this information.

The WP GDPR Compliance plugin also handles comments, which means you’ve covered two items with one plugin.
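Points 6 and 7 both come down to the same mechanism: an explicit, unticked-by-default consent box, checked on the server rather than only in the browser, with a record of who agreed to which policy version and when. The following is an added example, not code from the post or from the WP GDPR Compliance plugin, showing that mechanism for a contact or comment form. The field names, `PRIVACY_POLICY_VERSION`, the `yes` consent token and the sample submissions are assumptions constructed for this example.

```javascript
// Added example: server-side handling of a consent checkbox on a contact or comment form.
// Field names, PRIVACY_POLICY_VERSION, CONSENT_TOKEN and the sample data are assumptions for this example.

const PRIVACY_POLICY_VERSION = "2018-05-25"; // assumed: the policy version the visitor is agreeing to
const CONSENT_TOKEN = "yes";                  // the checkbox's value attribute; anything else is "no consent"
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Minimal HTML escaping for values placed into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The checkbox markup to add to the form: unticked by default, required, and linked to the policy.
// `policyUrl` is escaped so a badly configured setting cannot inject markup.
function renderConsentCheckbox(policyUrl) {
  return `<label><input type="checkbox" name="privacy_consent" value="${CONSENT_TOKEN}" required> ` +
    `I agree that my name, email address and IP address are stored so you can reply to me, ` +
    `as described in the <a href="${escapeHtml(policyUrl)}">Privacy Policy</a>.</label>`;
}

// Validate the submitted fields (what a form parser hands over, e.g. req.body). Browsers omit an unticked
// checkbox from the POST body and the `required` attribute can be bypassed, so consent is enforced here.
function validateSubmission(fields) {
  const f = fields || {};
  const errors = [];
  if (!String(f.name || "").trim()) errors.push("name is required");
  if (!EMAIL_RE.test(String(f.email || "").trim())) errors.push("a valid email address is required");
  if (!String(f.message || "").trim()) errors.push("message is required");
  if (f.privacy_consent !== CONSENT_TOKEN) errors.push("you must agree to the privacy policy before sending");
  return { ok: errors.length === 0, errors };
}

// What to keep alongside the message as evidence of consent: who agreed, to which policy version,
// when, and for what purpose. Nothing beyond that is stored.
function buildConsentRecord(fields, purpose, now = new Date()) {
  return {
    email: String(fields.email).trim().toLowerCase(),
    purpose,                                   // e.g. "contact-form" or "blog-comment"
    policyVersion: PRIVACY_POLICY_VERSION,
    consentedAt: now.toISOString(),
  };
}

// Process one submission: reject without consent, otherwise return the consent record to store with it.
function handleSubmission(fields, purpose, now = new Date()) {
  const result = validateSubmission(fields);
  if (!result.ok) return { accepted: false, errors: result.errors };
  return { accepted: true, consent: buildConsentRecord(fields, purpose, now) };
}

// Constructed sample submissions.
const SAMPLE_OK = { name: "Ada", email: "ada@example.com", message: "Hello", privacy_consent: "yes" };
const SAMPLE_NO_BOX = { name: "Ada", email: "ada@example.com", message: "Hello" };   // box left unticked
const SAMPLE_WRONG_TOKEN = { ...SAMPLE_OK, privacy_consent: "on" };                  // box rendered without value="yes"

console.log(handleSubmission(SAMPLE_OK, "contact-form"));
console.log(handleSubmission(SAMPLE_NO_BOX, "contact-form"));
console.log(validateSubmission(SAMPLE_WRONG_TOKEN));
```

The same `validateSubmission` and `buildConsentRecord` serve the comments form with `purpose` set to `"blog-comment"`, which is the “two items with one plugin” idea in code form. Requiring the exact `yes` token rather than any truthy value means a checkbox that was rendered without the `value` attribute (browsers then send `on`) is caught as a configuration mistake instead of silently counting as consent.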

8. Create or Update Your Cookies Policy

Most websites use cookies, and EU law requires website owners to advise visitors of this fact, and obtain their consent to using cookies. WordPress plugins such as the EU Cookie Law Widget help site owners comply.

Click here to learn more about cookies. Cookies can be addressed as part of your Privacy Policy, or in a separate Cookie Policy.

If you use WordPress, check out the GDPR Cookie Compliance plugin. It’s easy to install and customise.


Is your website GDPR-ready?

22 comments

  1. I totally appreciate this overview. I’m getting a little antsy, because I’m on the free version of wordpress, the dot com site, and to date, I have not received one email from them about how they’re planning to comply. They own all of my data. I’ve asked for exports in the past, and they won’t provide them. *twiddles thumbs*

    • Iola says:

      I’m a group admin for two Blogger sites, and it’s been crickets from Blogger as well. I wonder if because they own the data, they are the ones who have to comply? I did search, but couldn’t find anything.

      That’s one of the big reasons the experts recommend self-hosted WordPress. I know there is a WordPress update due this week, but I’m not sure if that’s for both versions, or just WordPress.org. We don’t want to leave this until the last minute, but we don’t always have the choice.

      • I have a self-hosted site and will do my best to comply of course, but it seems a bit daunting at the moment. Thanks for your great (and mildly terrifying) breakdown. I hope WordPress provides some built-in support for this but my husband and I will work to comply as best we can.
        I am really worried about Blogger. Google has a habit of abandoning projects without updating them and I have just been getting this vibe that Blogger is going to end up being another orphaned project. Mind you I have no tangible concrete facts to back this up, just something I worry about since I help a lot of Blogger users with their blogs.
        Keeping my fingers crossed that both platforms help users to easily comply to this new legislation.
        Really Iola, thank you so much for this information and breaking it down for us.

        • I have a Blogger site, and they’ve already updated it so that if you visit via one of the European domains, a warning about cookies comes up. So (and this isn’t meant to be a shameless plug for my blog, just an example…) my blog is emilyconradauthor.blogspot.com. If you visit that, you’ll see nothing new. But, if someone in England visits, Blogger automatically redirects them to emilyconradauthor.blogspot.co.uk, where a warning about cookies pops up–a warning I didn’t have to implement myself. I did take other measures to comply with GDPR as I could, but at least Blogger seems to have dealt with that one part!

          • Iola says:

            I’m a group admin for two Blogger blogs, and I’m trusting they’ve done this because I can’t actually check it (if I try and visit the .co.uk site, it redirects me to .co.nz, which isn’t useful!).

        • Iola says:

          I hadn’t heard that about Blogger, but I’m not active in any Blogger forums. I hope they don’t orphan Blogger. I’m no longer there with a personal blog, but I’m an admin for two established group blogs that run on Blogger. I don’t need the headache of trying to move all that!

          I’ve done a little more research, and have now updated the post with some GDPR plugins to deal with cookies, comments, and the contact form on self-hosted WordPress sites.

  2. Chrys Fey says:

    Great information! I’ve spent a lot of time on my newsletter sign-up form and my Privacy Policy, which includes info about my newsletter, blog, website, and use of cookies. I looked at another privacy policy to help figure out how to do mine because I was clueless. It helped me to get the basis for mine. Plus there’s info from the GDPR that should be added to a privacy policy, such as the data subject’s rights. I wouldn’t have thought to add that.

    One thing you said about adding a tick box for the comment section…I’m not aware of such an option. I did add something about commenting on my blog in my policy, though.

    • Iola says:

      I don’t have a tickbox option for comments either, although I’ve heard WordPress is rolling out their GDPR upgrade later this week. I’m hoping it will either have the tickbox option, or tell us we don’t need it.

  3. And here I thought it only applied to the e-newsletters… Thanks for educating me, Iola. Hopefully WordPress will comply with all the rules and I’ll only have to really worry about this when I roll out my own website.

    • Iola says:

      At first, I thought GDPR only applied to email newsletters as well. Then I did a little more research and discovered how much information my website was collecting on my behalf.

  4. Louise says:

    Great overview. GDPR is a lot more in-depth than I thought it was!
    I’m wondering how much I’ll need to do myself: I’m on the free wordpress plan and have no plans to upgrade any time soon, but they’ve sent no emails about GDPR yet. I think I might dig out the details for support and ask them!

    • Iola says:

      I’m on self-hosted WordPress, but the site is still collecting information whether I need that information or not (although some of that is useful to visitors e.g. the way it doesn’t show the signup popup every time you visit, or the way it recognises you for comments).

    • Iola says:

      Blogger has made changes, but I can’t see what they are because Google defaults to showing me the .co.nz version even when I ask for an EU version. Frustrating!

  5. jofra says:

    When a user first visits a website, the warning that pops up on that website is called a cookie consent banner. A website banner declares the cookies and tracking files present on a website. It also provides them with a choice to either accept or reject the use of all non-essential cookies. This happens prior to any use of cookies for the processing of their personal data.
