“GDPR? What the heck am I supposed to do!?”
So you’ve probably heard all about the GDPR (General Data Protection Regulation) that comes into effect on May 25th of this year, 2018. Like many, I was overwhelmed with all of the seemingly lengthy requirements and legal mumbo-jumbo I was faced with when trying to figure out what the heck I was supposed to do as a website owner. I’m not going to go over all of the terms and what they mean because there are plenty of Google-worthy blog posts on exactly that.
Instead, I wanted to make this post to outline a few important steps that we all need to take to help our sites become compliant with the regulation. It seems really scary, but once you break it down (as I have done for you, yay!) it’s really not that bad.
Please keep in mind that I am in no way a legal expert and am just as confused as you might be about some things. The following are basic requirements that I’ve been easily able to implement and are a good place to start. If you require more information about the GDPR, please do your own research!
Does this apply to you?
Almost certainly, yes. If you own a website or blog that processes personal data of people in the EU (blog comments, form signups, analytics, server logs and logging tools/plugins all count, and even an IP address is personal data under the GDPR), the GDPR applies to you, no matter where you live or where your site is hosted. So read on…
Let’s start with mailing lists. If you collect email addresses and manage a mailing list, you’ll need to make sure you comply. Here’s how:
Make sure that your subscribers actively confirm that they want to be added to a list. For example, include an unticked check box on your subscription form that lets them know that by ticking the box they are agreeing to receive your newsletter. Alternatively (or additionally), use a double opt-in feature, which sends the user an email with a link to confirm that they want to be added to your list before you send them any newsletters. Your mailing list provider should have one or both of these options in your form settings. Whichever you use, keep a record of when and how each person consented (most providers store the signup date, source and confirmation time for you), because the GDPR requires you to be able to demonstrate that consent was given.
Previously subscribed members that did not consent in one of these ways should be given the opportunity to re-confirm their subscription. Sending out a message to all of your existing email subscribers asking them to re-confirm is a good idea in this case: clicking a link in the email to re-confirm can add the person to a new list of approved addresses, and anyone who does not click should not be mailed again. Check with your mailing list provider on how to set up a new list.
Don’t collect any information that is not relevant to the subscription (this is what the GDPR calls data minimisation). For example, a name and an email address should be enough, and often the email address alone is, as most newsletters shouldn’t require a user’s full contact information, postal address, age, etc.
Obviously, subscribers should be given the opportunity to opt out of your mailing list at any time. Make sure your Unsubscribe link is visible and working in every email you send.
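Here is what those mailing list steps look like in code, as an added example written for this post rather than anything taken from a particular mailing list provider: a double opt-in flow where the confirmation link carries an HMAC-signed, expiring token, consent is recorded (with timestamp and method) only when the link is clicked, legacy subscribers with no consent record are flagged for re-confirmation and never mailed, every send is gated on the purpose the person actually agreed to, and unsubscribing removes the address outright. The 48-hour link lifetime, the secret, the in-memory dictionaries and the `purpose` strings are assumptions made for the example; a real deployment would use a persistent store and an actual email sending step.

```python
import base64
import hashlib
import hmac
import json
import time

TOKEN_TTL_SECONDS = 48 * 3600   # assumption: confirmation links expire after two days


class MailingList:
    """Double opt-in subscription flow that keeps a consent record per subscriber."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret       # per-deployment secret; keep it out of source control
        self._now = now             # injectable clock so link expiry can be tested offline
        self.pending = {}           # email -> purpose awaiting confirmation
        self.subscribers = {}       # email -> consent record, or None if imported without proof

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, purpose: str) -> str:
        """Step 1: the signup form was submitted. No newsletter goes out yet;
        return the token that belongs in the confirmation link."""
        email = email.strip().lower()
        self.pending[email] = purpose
        claims = {"email": email, "purpose": purpose,
                  "exp": int(self._now()) + TOKEN_TTL_SECONDS}
        payload = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        return f"{payload}.{self._sign(payload)}"

    def confirm(self, token: str) -> bool:
        """Step 2: the link was clicked. Consent is recorded only here, with the
        timestamp and method you would need to demonstrate it later."""
        try:
            payload, sig = token.split(".", 1)
        except ValueError:
            return False
        if not hmac.compare_digest(sig.encode(), self._sign(payload).encode()):
            return False                         # forged or tampered link
        claims = json.loads(base64.urlsafe_b64decode(payload))
        email, purpose = claims["email"], claims["purpose"]
        if claims["exp"] < self._now():
            return False                         # stale link
        if self.pending.get(email) != purpose:
            return False                         # nothing pending, or link already used
        del self.pending[email]
        self.subscribers[email] = {"purpose": purpose, "method": "double opt-in",
                                   "consented_at": int(self._now())}
        return True

    def import_legacy(self, email: str) -> None:
        """A pre-GDPR subscriber with no proof of consent: kept, but flagged and not mailed."""
        self.subscribers[email.strip().lower()] = None

    def needs_reconfirmation(self) -> list:
        """Who should get the 're-confirm' message (which reuses request_subscription)."""
        return sorted(e for e, rec in self.subscribers.items() if rec is None)

    def may_send(self, email: str, purpose: str) -> bool:
        """Gate every send on a recorded consent for this exact purpose."""
        rec = self.subscribers.get(email.strip().lower())
        return rec is not None and rec["purpose"] == purpose

    def unsubscribe(self, email: str) -> bool:
        """Opt-out at any time: remove the address, whether confirmed or legacy."""
        email = email.strip().lower()
        if email not in self.subscribers:
            return False
        del self.subscribers[email]
        return True
```

The token is verified before it is decoded, with a constant-time comparison, so a guessed or edited link never reaches the consent logic; the signed expiry and the single-use `pending` entry mean an old confirmation email cannot be replayed to re-subscribe someone who has since opted out.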
Your website or blog
Now you might be wondering what to do with your website or blog to comply with the GDPR. I’ve tried to make this as simple as possible, so follow these steps to get on the right track:
If you haven’t already made the switch to a secure site (https://), you should do that now. The GDPR asks for appropriate technical measures to protect personal data, and encrypting the connection between your visitors and your site is the most basic one. If you have a Blogger blog, there is an option to use https:// in your settings. If your site is hosted through a direct hosting company, find out how to get set up with an SSL certificate (strictly a TLS certificate, but hosts still call it SSL) to make your site secure. Contacting your host or viewing their product options on their website should help you get started. There might be a small fee for a certificate depending on your host, although many hosts now offer free certificates from Let’s Encrypt.
Not sure if your site is already secure? Type your site address/domain name in your browser with “https://” before the URL instead of the standard “http://”. If the page loads with the padlock and no certificate warning, you’re most of the way there. Also check that typing the plain “http://” address redirects you to the https:// version (otherwise visitors who follow an old link are still unprotected), and that the padlock does not complain about “mixed content”, which means some images or scripts on the page are still loaded over http://.
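For readers who would rather script the check than click around in a browser, here is an added example (mine, not part of the original post, and not a tool from any host) that does what the paragraph above describes: it fetches the site over plain http:// and expects a permanent redirect to https://, fetches it over https:// with full certificate and hostname verification, and looks for the Strict-Transport-Security header that tells browsers never to try http:// again. The network fetching is separated from the judgement so the judgement can be tested offline; the host name on the command line and the 5-second timeout are assumptions.

```python
import http.client
import ssl

TLS_FAILED = "https:// request failed (missing, expired or mismatched certificate?)"
REDIRECT_MISSING = "http:// does not redirect to https://"
REDIRECT_TEMPORARY = "http:// redirects to https:// only temporarily (302/307); use 301 or 308"
HSTS_MISSING = "no Strict-Transport-Security header, so browsers may still try http:// first"


def assess_https(http_status, http_location, https_ok, https_headers):
    """Judge the facts gathered by probe(); a pure function so it can be tested offline.
    Returns a list of findings; an empty list means all checks passed."""
    findings = []
    if not https_ok:
        findings.append(TLS_FAILED)
    location = (http_location or "").lower()
    if http_status in (301, 302, 307, 308) and location.startswith("https://"):
        if http_status in (302, 307):
            findings.append(REDIRECT_TEMPORARY)
    else:
        findings.append(REDIRECT_MISSING)
    headers = {k.lower(): v for k, v in https_headers.items()}
    if "strict-transport-security" not in headers:
        findings.append(HSTS_MISSING)
    return findings


def probe(host, timeout=5):
    """Fetch / over plain http and over https for the given host and return the findings.
    Needs network access; not exercised by the offline test."""
    http_status, location = None, None
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        http_status, location = resp.status, resp.getheader("Location")
        conn.close()
    except OSError:
        pass                    # nothing answering on port 80 counts as "no redirect"

    https_ok, headers = False, {}
    try:
        # create_default_context() verifies the certificate chain and the hostname,
        # which is what a browser does before it shows the padlock.
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                           context=ssl.create_default_context())
        conn.request("GET", "/")
        resp = conn.getresponse()
        https_ok = True
        headers = dict(resp.getheaders())
        conn.close()
    except OSError:
        pass                    # ssl.SSLError (bad certificate) is a subclass of OSError
    return assess_https(http_status, location, https_ok, headers)


if __name__ == "__main__":
    import sys
    for finding in probe(sys.argv[1]) or ["looks good"]:
        print(finding)
```

Run it as `python check_https.py yourdomain.example`; an empty finding list is the goal. It deliberately does not disable certificate verification on failure, because a site whose certificate a browser rejects is not “secure” for the purposes of this post.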
Registering with the ICO
The ICO is the UK’s Information Commissioner’s Office, so this part applies if you are based in the UK. Organisations that process personal data have to pay the ICO an annual data protection fee unless they fall into an exempt category, and a sole blogger is an “organisation” for this purpose.
I’ve noticed many people saying that they are going to stop blogging because they only do it as a hobby and paying a fee every year to be registered with the ICO is not in their budget. The thing is, many bloggers will not have to register at all. The ICO site has a short self-assessment quiz you can take that will tell you if you need to register or not. Most hobby bloggers fall under the “not-for-profit exemption”.
The details and requirements of registering are still a bit fuzzy, so use your best judgement here and take the quiz to see if you qualify.
Consent, consent, consent!
If you haven’t noticed already, the GDPR is all about CONSENT! Strictly speaking, consent is only one of several lawful bases for processing personal data, but for the things a blog does (newsletters, comments, contact forms) it is almost always the one you will be relying on, so whenever you collect and store information on your website, you need to be sure that you have the consent of the individual to do so. That means:
- No emailing your subscribers something they didn’t consent to receive (for example: they subscribed to your email list for one thing but you’re sending them something else as well)
- No using other people’s email lists or contacts that didn’t agree to be contacted by you
- No storing of information that the user did not consent to
- No pre-ticked boxes for forms/signups
- No hiding or disregarding opt-out options (you need to tell people about their right to opt-out or withdraw)
As long as you follow this main rule, everything else should come easily.
Removal of information
You need to be able to find, export and delete any one user’s information when they ask for it (the GDPR gives people both a right of access to the data you hold on them and a right to have it erased). Your site MUST be secure and you need to think about how and where you store your users’ information, including what your mailing list provider, comment system and analytics service hold on your behalf, because a deletion request has to reach those too. What would happen to it if you were hacked? A breach that puts people at risk has to be reported to your data protection authority within 72 hours, so always make sure that proper technical measures are in place, or simply don’t store personal information on your server/site.
I hope this helped a little bit, and I will update this post should any new information come to light. If you have any tips, questions, or requirements I might have missed, leave a comment below to help the community here!