This document is intended to help you take steps to comply with the GDPR if you own a WordPress website and an online business such as a monetised blog. We cannot cover everything you may have to think of for your business, as after all, it is your business. Only you know what you do inside your business.
This document is intended to provide a set of prompts to help you find out more and get started. To be GDPR compliant you may have to do more research of your own or hire a specialist. As with anything like this, it is open to much interpretation. What I’ve written here is not legal advice, but could provide some pointers.
- Managed WordPress Hosting
Make sure your site is hosted at the best host you can afford. I use WP Engine as they take WordPress security and performance seriously. Many security measures are put in place, and WP Engine are fast to respond to security threats, which means I rarely have to think about this aspect of WordPress. I also do not worry about the technical aspects of running a WordPress site, other than to make sure I set my site up well in the first place, of course.
Quality hosting is not a requirement of the GDPR. But it is part of keeping your site secure, and that in turn helps with keeping any personal data it may hold secure.
- SSL Hosting
Your site must be hosted under https (SSL). This is also not a requirement of the GDPR, but it will help with keeping your site secure, and that in turn helps with keeping any personal data it may hold secure.
- Assign A Data Protection Officer (if required)
You may not need a data protection officer. According to the GDPR, the most likely reason a small business would need one is if “your core activities require large scale, regular and systematic monitoring of individuals”. The regulation then cites online behaviour tracking as an example of large-scale monitoring.
But if your online behaviour tracking is not of identifiable individuals (as it is not with a basic Google Analytics set-up), then you are tracking traffic rather than individuals. However, if you’re building an email list, this is individual data; but is it your core activity? As an affiliate marketer it may be. This is my interpretation. You must consider your own interpretation or get a legal opinion.
The role of a data protection officer and other information to do with data protection officers can be found here.
- GDPR Mapping Document
Create a spreadsheet that lists all the data you collect and hold, how you process it, what it’s for, and how you can find (and erase) it if necessary. I have created one here. Its purpose is to summarise all the data you collect, process and hold in one place for all your sites. You can add your own fields; these are just the ones I have come up with.
- GDPR Overview Document
Create a document that lists the following, per website.
- Name your data protection officer
- Overview of the data you collect on the site (and elsewhere) and how it is collected (detailed in the mapping document above)
- All third parties that store your data
- Where you store data you hold and how long it will be held for
- Can you easily access the data to delete it or change it if asked by a subject?
- Can you download the data and send it to the subject in a portable format if asked?
- State if data profiling is used and if so, you must get consent
- Procedures in the case of a data breach
- Is data transferred outside the EEA?
- Google Adsense
If you are using Google Adsense on some sites, then you will almost certainly be automatically serving ads to visitors based on personalised information collected by Google’s tracking cookies.
In order not to do this, and perhaps fall foul of the GDPR, you can easily turn this off for relevant Europe-based visitors. Google Adsense have made this easy. Here is a Fleeq video I made to help you.
Making Adsense GDPR Compliant
- Google Analytics
You must make sure you own your own data, so if an agency or web designer has your analytics on their Google account, get it moved. This is pretty simple to do. Just add the agency’s Google Analytics email to your Google Analytics account as a user with full privileges. Then they can move the analytics over to you from their account.
In terms of Google Analytics compliance with the GDPR, you must make sure no personally identifiable data is collected by Google. If you are using your Google Analytics account just to collect visitor numbers and not to track anything else, you should be OK.
Google Analytics does collect IP addresses from your visitors, but as a user of Google Analytics you cannot access them: Google removes this information before you can see it, having decided years ago not to track by IP address. Therefore, unless you use Google Analytics to collect other personal information, based on my research and in my opinion (please feel free to form your own), you do not need to worry about IP addresses in Google Analytics in relation to the GDPR.
- Any Other Tracking
For example, I also use Clicky for tracking. It’s a fantastic tool for reporting on visitor numbers and revealing success and failure points on your site.
Clicky is itself GDPR compliant.
- Enquiry Forms
Site visitors often complete enquiry forms if they want more information about your service or product. To do this they supply a name and contact details and sometimes, details of any relevant issues they may be experiencing. These are all examples of personal and/or identifiable data.
The information must be held by the website in order for any questions to be answered. If you use a product like Gravity Forms, then you are the controller and the processor of the data. One of the items that Gravity Forms collects about a form submitter is their IP address. You could anonymise this programmatically, but there is little point, as they will also have provided their name and email address; in other words, you already have their personal data. You can of course delete the entries from the database once you’ve processed each enquiry.
Remember to add a checkbox (that is not checked by default) saying something along the lines of “I consent to my submitted data being collected and stored by this website”. Also don’t forget to make it a required field.
- List Building
If you are building an email list, this should be through a reputable and quality list management service. I use Active Campaign. List management services allow for confirmed opt-in and also for easy search and erasure of data when necessary, as well as a user-controlled unsubscribe.
I changed the wording on my homepage to focus on my newsletter instead of lead magnets.
This is how I am approaching it:
- All list sign-ups should be confirmed opt-in sign-ups. This means people’s personal data can only be added to my list with their consent.
- You can no longer merge permission for a lead magnet with permission to generally market to or email the contact.
- You must separately ask for permission to send any content you send.
- You can only send content the subscriber agreed to receive and you must be able to prove when they agreed if asked.
So how can you still sign people up to your marketing list but still comply with GDPR? I think the answer is to lead with your newsletter subscription, and see it as a newsletter as a service.
- What About UK Based Websites?
If your online business is a UK business, you also need to adhere to the Privacy and Electronic Communications Regulations (PECR) which sit alongside the Data Protection Act and the GDPR. They give your site visitors and your customers specific privacy rights in relation to electronic communications.
The EU is in the process of creating a new e-privacy regulation to work alongside the GDPR. However, the new regulation is not yet agreed. For now, PECR continues to apply alongside the GDPR.
Specifically, with regard to cookies you must:
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the site visitor’s consent to store a cookie on their device.
The PECR applies to cookies even if they do not hold personal data. So although you are off the hook with a standard implementation of Google Analytics under the GDPR, the PECR still gets you. The only cookies you do not have to get consent for are those that are strictly necessary to make the site work or deliver what it promises to deliver.
As it is programmatically challenging and also awkward to individually implement cookies for each visitor, one idea might be to tell them how to switch cookies on in their browsers, thereby taking control of their own cookie interactions. This has the advantage of being simple, and placing control into the hands of the people who feel strongly about cookies without causing the website to jump through hoops.
Here is the cookie consent code I am using.
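As an added example that is not the author's code, here is one way to implement the three PECR points above in the browser: a single choke point through which every cookie write passes, which refuses non-essential cookies until the visitor has opted in and keeps a timestamped record of that choice (so you can later show when consent was given). The cookie store is injected, so the same logic can wrap `document.cookie` in a page or run in Node for testing; the cookie names and notice version are assumptions.

```javascript
// Added example (not the author's code): a consent gate for non-essential cookies.
// Assumed names: "cookie_consent" holds the consent record, "wordpress_logged_in"
// stands in for a strictly necessary cookie, NOTICE_VERSION tracks the notice text.
const NOTICE_VERSION = "2018-05";                       // bump when the cookie notice changes
const ESSENTIAL = new Set(["wordpress_logged_in", "cookie_consent"]); // no consent needed

function createConsentGate(store, now = () => Date.now()) {
  const readRecord = () => {
    const raw = store.get("cookie_consent");
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // corrupt record = no consent
  };
  const writeRecord = (allowed) => {
    const rec = { allowed: [...allowed], version: NOTICE_VERSION, ts: new Date(now()).toISOString() };
    store.set("cookie_consent", JSON.stringify(rec));
    return rec;
  };
  return {
    // Consent only counts if it was given against the current notice text.
    hasConsent(category) {
      const rec = readRecord();
      return !!rec && rec.version === NOTICE_VERSION && rec.allowed.includes(category);
    },
    // Explicit opt-in: record which categories, when, and which notice was shown.
    grant(categories) { return writeRecord(categories); },
    // Withdraw consent and clear every non-essential cookie already set.
    deny() {
      const rec = writeRecord([]);
      for (const name of store.names()) if (!ESSENTIAL.has(name)) store.remove(name);
      return rec;
    },
    // Every cookie write goes through here; returns false when blocked.
    setCookie(name, value, category) {
      if (!ESSENTIAL.has(name) && !this.hasConsent(category)) return false;
      store.set(name, value);
      return true;
    },
  };
}

// In-memory store with the interface a document.cookie wrapper would expose.
function memoryStore() {
  const m = new Map();
  return { get: (k) => m.get(k), set: (k, v) => m.set(k, v),
           remove: (k) => m.delete(k), names: () => [...m.keys()] };
}
```

In a page you would call `gate.setCookie(...)` from the analytics bootstrap instead of writing `document.cookie` directly, and wire the banner's buttons to `grant` and `deny`.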