Checklist: Get your website ready for GDPR

Stronger rules on online data protection begin on May 25, 2018.

GDPR is coming

The General Data Protection Regulation (GDPR) is a European Union regulation that controls how companies and other organizations handle personal data and user consent.

It has major implications for websites serving individuals from the European Union. And yes, it likely applies to you, even if you’re US-based.

Does the GDPR apply to me if my company and clients are in the US?

It does if you process personal data about EU residents (even if you are based outside of the EU).

That means if you have EU residents on your email list, as customers, as employees, as contractors, or as service providers, then it applies.

What does the GDPR mean for my website?

If your website is serving individuals from the EU and either you or embedded third-party services (e.g. Google, Facebook) are processing any kind of personal data, you need to obtain prior consent from the visitor.

To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.

This information must be available to the visitor at all times, for example, as part of your privacy policy (see below on how you’ll need to edit your existing one).

You must also provide an easy way for visitors to change or withdraw consent. All consent must be logged as proof and all tracking of personal data, including data held by embedded third-party services, must be documented.

So, what do you need to do right away?

1. Notify website visitors at point-of-data collection

GDPR requires a high standard of consent to data collection and processing. It says you must inform people (the data subject) at the point of data collection.

On a website, this would typically happen in 2-3 ways:

a. Cookies for analytics tracking.

If you use any type of website statistics, or display social widgets and buttons on your website, the website visitor is being tracked with cookies. You must inform them that you are doing so with a cookie consent banner or pop-up, like the one we’re using on our own site:

[Image: GDPR cookie notice example]

We recommend the Cookie Notice by dFactory plugin for this purpose.

A typical notice can be provided as follows (image courtesy of ICO.org):

[Image: cookies guidance for GDPR]

There’s tons of great information and examples in this PDF on Guidance on the use of Cookies.
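The two requirements above, not setting tracking cookies before consent and keeping a log of that consent as proof, can be handled by a small consent gate in front of your analytics tag. This is an added example, not code from the post or from the Cookie Notice plugin it recommends; the store interface, the `POLICY_VERSION` constant and the purpose names are assumptions, and the in-memory store stands in for `document.cookie` or `localStorage` in a real page.

```javascript
// Added example: a minimal consent gate for analytics scripts (hypothetical helper).
// Storage is injected so the same logic works with document.cookie, localStorage,
// or a plain object; the plain object is used here so the code runs under Node.

const POLICY_VERSION = "2018-05-25"; // assumed; bump whenever your privacy policy changes

// Record a consent decision and return the log entry that is kept as proof.
function recordConsent(store, { purposes, granted, now = Date.now() }) {
  const entry = {
    version: POLICY_VERSION,
    purposes: [...purposes].sort(),
    granted: Boolean(granted),
    timestamp: new Date(now).toISOString(),
  };
  const log = JSON.parse(store.get("consentLog") || "[]");
  log.push(entry); // append only: earlier decisions stay in the record
  store.set("consentLog", JSON.stringify(log));
  return entry;
}

// Has the visitor granted this purpose under the current policy version?
// A consent given under an older policy does not count.
function hasConsent(store, purpose) {
  const log = JSON.parse(store.get("consentLog") || "[]");
  const latest = log.filter((e) => e.version === POLICY_VERSION).pop();
  return Boolean(latest && latest.granted && latest.purposes.includes(purpose));
}

// Withdrawal is logged as a new "not granted" entry rather than by deleting history.
function withdrawConsent(store, now) {
  return recordConsent(store, { purposes: [], granted: false, now });
}

// Inject the analytics tag only once consent exists; otherwise do nothing.
// In a browser, `inject` would create the <script> element for your stats provider.
function loadAnalyticsIfConsented(store, inject) {
  if (!hasConsent(store, "analytics")) return false;
  inject();
  return true;
}

// Plain-object store used for this example; back it with a cookie or localStorage in a page.
function memoryStore() {
  const data = {};
  return { get: (k) => data[k], set: (k, v) => { data[k] = v; } };
}
```

Wire `recordConsent` to the banner’s Accept button and `withdrawConsent` to a link in the privacy policy so the visitor can change their mind at any time.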

b. Email marketing subscribe forms.

Your email opt-in forms must obtain consent and clearly notify the data subject what data you are collecting and why. For example:

  • A checkbox that is NOT pre-selected (e.g. “I agree to receive email with information and commercial offers from [Your Website]”)
  • A link to your Privacy Policy (e.g. “Your personal data will be processed in accordance with our [Privacy Policy]. You may unsubscribe at any time by clicking the link in the emails we send.”)

Click to see how we did this on our own website.

c. Other website forms, such as comment and contact forms.

WordPress plugins and Drupal modules collect personal data via forms. For example, to comment on an article you need to provide your name and email address. You will need to add a checkbox or disclaimer to your website forms to obtain consent.

The WordPress team is working on adding native GDPR features into the software. However, we don’t know when it will be ready and whether it will work with comments and contact forms.

In the meantime, the best option may be to go with a plugin like WP GDPR Compliance (free) or the All-in-One GDPR plugin (paid), but be aware that both of these (and other plugin options) only support certain types of forms. Be sure you get one to match your requirements.

Below is the one we’re using:

[Image: GDPR plugin]

2. Have a plan for when people ask about their personal data

The other part of GDPR that you need to be concerned about is the data subject’s rights to rectification (correction), erasure (to be forgotten) and data portability (to export their data).

More often than not, you’ll be dealing with requests to opt-out of your email marketing lists. Most email providers make this easy and include a mandatory 1-click unsubscribe link in your emails as well as a profile update function.

Note that for WordPress users, once GDPR features are added, it should also be much easier to find and delete a data subject’s records from your blog.

Finally, if your website or email marketing account gets hacked, be sure to be upfront about it and notify your website members/subscribers immediately. Prevention is better than a cure, so make sure you have strong passwords!


3. Update your Privacy Policy

While you probably have a Privacy Policy on your website, it’s probably not GDPR compliant. Here’s a resource to compare good and bad Privacy Policies. Your Privacy Policy will need to identify all the data you share with third parties.

Don’t forget, your policy must appear on every page of your site, too. Here’s the one Bean Creative is now using on our site.

a. Send your GDPR compliant Privacy Policy to subscribers

GDPR requires you to send your Privacy Policy to any of your members/subscribers to confirm how you collect and process their personal data, for what purposes you use their data, the legal grounds of processing such data, how you keep their data secure, and their rights in relation to such data.

b. Add opt-in wording to your sign-up box

If you have a sign-up box on your website that collects email addresses etc. in return for your newsletter or other free opt-in service(s), ensure that you have GDPR-compliant opt-in wording at the point of collection (i.e. underneath the sign-up box) together with a link to your Privacy Notice.

c. Obtain GDPR-compliant consent for electronic marketing communications

If you do not have compliant consent, email your user list to obtain new consent – and make sure you have a system for managing opt-outs and withdrawals of consent. GDPR requires you to keep records of opt-outs.

Be sure to confirm that your email marketing system manages this for you!


PHEW. If you need a tl;dr version, here’s what we did to get the Bean Creative site ready for GDPR:

  1. SSL/TLS setup (this ensures visitors go to an https site, which is secure and in line with SEO best practices, too)
  2. Added a GDPR plugin to insert a terms and conditions checkbox to our contact form
  3. Added a cookies popup/warning (shown above)
  4. Updated our privacy policy language
  5. Updated our email sign-up opt-in language


Need some further reading and resources to get started?


Big Honking Disclaimer

We need to make it abundantly clear that we’re not lawyers and we are not dispensing legal advice. This is Bean Creative’s understanding of what website owners can do to make a best effort to comply with GDPR.

Let us know how we can assist you and we can navigate these waters together! And if you want more goodness like this deep-dive, be sure to sign up for our Bean Beat email newsletter using our GDPR-compliant form 🙂

About Layla Masri

Layla is a co-founder of Bean Creative. She leverages her ad agency background and 15-plus years as a marketing and web copywriter to maximize interactive impact for strategic planning, usability/accessibility, and digital promotion.