Read about the new regulations involving personal data in the EU and find out how to prepare your blog.
*Disclaimer: This is a very brief overview and by no means legal advice. Read the official GDPR rules to find out more.
The General Data Protection Regulation (GDPR) comes into effect tomorrow, May 25th, and requires all websites that gather personal information from customers and visitors based in the EU to follow a new set of rules.
What is personal data?
Personal data can be anything from the information we actively give to a site, such as our email address, billing address, and credit card details to data collected when we browse, like our IP address and the history of the sites we’ve visited.
This also comes with new rights around access to data. The GDPR outlines eight rights that individuals can exercise, including the right to view and download their data, delete their data, and withdraw their consent to have that data used by the site owner.
Who has to be GDPR compliant?
If you have website visitors based in the EU, the GDPR applies to you. Even if you don’t sell anything, you’re still collecting personal data on your WordPress blog through:
- user registrations
- contact form entries
- analytics and traffic logs (either native to your blog host or through Google Analytics)
- any other logging tools and plugins
- security tools and plugins
To be GDPR compliant, you have to be transparent about the information you gather and how you plan to use it, even if it’s just to track which blog post got the most hits.
How do I make my blog GDPR compliant?
Evaluate how you ask for personal data
Are you aware of all the data collection points on your blog? Take a look at all the places where you gather people’s information both actively and automatically and take inventory of the questions you ask. These could be a contact form, comments, contests, submission forms, and more.
Are you asking people for information that has no relevance to your operations (for example, asking to identify their gender)? Under the GDPR, the recommendation is to limit the information you ask to what’s necessary for you to run your blog successfully.
Also, how are you asking for this information and where is it being stored? The best way for you to move forward with compliance is having a really good understanding of how your blog works and how people interact with it.
Cookies are another element of compliance that should be outlined in your policy. Cookies are small pieces of data stored in a visitor's browser that allow you or third-party advertisers to recognize that visitor and display messages based on their browsing history. Anyone can edit their cookie settings in their own browser, but websites under the GDPR should have a cookie disclaimer visible on their site. If you're using WordPress.com, you can enable the Cookie widget on your site. Self-hosted sites can seek out a plugin to do the same job.
Update your newsletter settings
If you collect email addresses and send newsletters, promotional messaging, or announcements, you'll need to verify that your email service provider (ESP) is GDPR compliant. Luckily, the most popular ones, like Mailchimp, MailPoet, and Constant Contact, have done most of the work for you.
The changes under GDPR include having the proper consent mechanisms so you can prove someone actually signed up to receive your emails. Under anti-spam legislation in the US and Canada, your emails should already have a clear and timely unsubscribe option. Your ESP should also have a way for you to export personal data about your individual subscribers so this information can be sent to them if they request it.
Update your forms
Your forms should also have explicit consent mechanisms built into them. This goes for subscription forms, contests, and even for submitting comments on your site. What someone is signing up for should be stated explicitly, not implied. For example, you can't sign someone up to the newsletter automatically because they submitted a question through the contact form unless they've given their express consent.
In the new WordPress update, consent mechanisms have been added to comments. Logged-out commenters will be given a choice on whether their name, email address, and website are saved in a cookie on their browser.
Provide a way for your readers to exercise their rights
Under the GDPR, individuals have the right to view the information you've collected about them. They are also allowed to edit it, download it, withdraw their consent for its use, and delete it, as long as this doesn't interfere with your legal or tax obligations as a site owner. That's why it's important to make it possible for your readers and subscribers to contact you to request a copy of their data.
According to the WordPress.org site, with the new release, site owners can export a ZIP file containing a user’s personal data, using data gathered by WordPress and participating plugins. They can also erase that user’s personal data. If a user requests access to that data, you have to send it to them.
Check that your partners are GDPR compliant
It's up to you to check that the third-party tools you use are GDPR compliant. This includes your web host, analytics tool, newsletter tool, plugins, and any partner with whom you share personal data (for example, a contest management tool or partner).
At the end of the day, while these changes may seem annoying and take an hour out of your day to implement, the GDPR is a good thing for all of us. It protects the right to personal privacy and gives more power to the individuals to control their own data.