This post is part of the monthly Author ToolBox Blog Hop, organised by Raimey Gallant. We now have over 40 blogs participating. To find more Blog Hop posts:
GDPR and Your Website
My April #AuthorToolBoxBlogHop post introduced GDPR. Here are the main highlights:
- The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018.
- If you process or hold the personal data of EU residents, it applies to you no matter where you are based.
In other words, GDPR applies to me even though I’m not based in the EU. It probably applies to you as well.
Since writing that post, I’ve read thousands of words of blog posts and watched or listened to hours of YouTube videos and podcasts to try and understand what we have to do by 25 May to comply with GDPR.
First, the PSA. I’m not a lawyer, so none of the information in this blog post is legal advice. It’s my best guess as a layperson who has studied the subject. If you want legal advice, ask a lawyer who is qualified to practise in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don’t get legal advice off the internet.
The first thing to remember is that the world is not ending. As British lawyer Suzanne Dibble says:
“The GDPR mandates organizations to put into place comprehensive but proportionate governance measures.”
“Proportionate” is important. It means that you and I, as one-person organisations, aren’t going to be expected to have all the data protection bells and whistles of, say, British Airways. But we still have to be responsible about the way we collect and process personal data, and we’re still accountable for that.
It’s the Golden Rule in practice.
We need to treat the personal information we hold in the same way we’d want other people to treat ours.
Note that personal information is defined as any information relating to an identified or identifiable natural person. This includes a person’s name and email address, and can also include their IP address and website cookies. At the most basic level, GDPR is about respecting the privacy of individuals. I’m sure we can all agree with that.
The other thing to remember is that the ICO (the UK’s Information Commissioner’s Office) isn’t going to be actively monitoring our GDPR compliance. Organisations will be investigated only if a complaint is made against them.
What Do I Need to Do?
There are actually a few things you can or should do if you have a website. Here are eight points I think are the most important:
1. SSL Certificate
If your website doesn’t already have an SSL certificate, it may be worth getting one for the added layer of security (traffic between your visitors and your site is encrypted) and the search-ranking benefit Google gives sites served over HTTPS. If you haven’t yet set up your website, I would definitely recommend using SSL from the beginning.
Many web hosts (e.g. BlueHost) provide a free SSL certificate with their hosting packages. Alternatively, NameCheap offers SSL certificates starting at $9/year (see this blog post from Nuts and Bolts for more information).
There are plenty of free and paid resources online to help you. I’ve checked out several options:
DGD Deutsche Gesellschaft für Datenschutz
The only free GDPR-compliant policy I found was from a German website (click here). The policy is customisable, and available in your choice of English or German. However, the stilted English suggests the policy has been written in German and translated. I’d rather have a policy that was written in English.
Privacy Policies charges $29.99 for a commercial policy (with “commercial” including anyone who is using affiliate links, or marketing or selling any product or service). The policy is customised, but I didn’t buy it so I don’t know how good it is or whether it covers GDPR.
Another good option is Zegal.com, which offers free privacy policies tailored for New Zealand or Australia. Mine was clear, easy to read, and easy to understand, but it’s not GDPR-compliant (although there is a paid version which is).
Suzanne Dibble, a British lawyer and expert in the subject, has put together a full GDPR pack. It’s not cheap (GBP 197) but covers everything. To see what’s in the pack, check out this blog post from Shannon Mattern: How to Get Your Website Ready for GDPR.
Suzanne also has a free Facebook group and lots of videos. This is the most important (and the longest):
Even if someone has given permission to copy their policy, read it carefully and revise if necessary. It might not include the information you need, either because they use things you don’t, or because you use things the policy doesn’t refer to. And it might use the wrong language for your brand. For example, this NSFW policy from Writers HQ contains all the necessary legal information, but the language is all wrong for my audience. And probably yours.
3. Terms and Conditions
If you use WordPress, check out the GDPR Cookie Compliance plugin.
5. Update Your Email Signup Forms
Your signup form must also make clear that subscribers are signing up for your email newsletter, and that they will receive marketing information. You can also give them a free book or other gift for signing up, as I do. But it has to be in that order:
Sign up for my monthly newsletter and receive a free gift.
This wording is probably acceptable (probably, not definitely). This is not:
Want a free gift? Sign up here.
Why is that second example not acceptable? Because it doesn’t make it clear that the user is being signed up to an email list. What about this?
Want a free gift? Sign up here, and I’ll add you to my email list.
This isn’t acceptable under GDPR because it ties the free gift to signing up to the newsletter. Yes, this looks the same as my first example. Semantics. Even the lawyers I’ve listened to don’t agree on this one.
6. Update Your Contact Form
Most websites have a contact form (e.g. Contact Form 7, Gravity Forms, or Ninja Forms). Contact forms collect information such as the person’s name, email address, and IP address. You’re allowed to collect this information, as it’s a legitimate business interest that will enable you to answer their query. But you still need to disclose that you are collecting and storing this information (even though it seems obvious).
7. Update Your Comments Form
Most blogs have a comments section. This collects the commenter’s name, website, email address, and IP address, as well as their message. This is personal information, and WordPress stores it, so we need consent to store it.
The WP GDPR Compliance plugin also handles comments, which means you’ve covered two items with one plugin.
8. Create or Update Your Cookies Policy
If you use WordPress, check out the GDPR Cookie Compliance plugin. It’s easy to install and customise.