GDPR, How To Get Your Website Ready
When I first heard about GDPR, I was not enthusiastic!
The last thing most entrepreneurs want, is more rules and regulation.
But I am here to tell you, it is not such a bad thing!
GDPR is an EU law on data protection and the privacy for all individuals within the European Union.
It comes into effect 25th May 2018.
Simply put, GDPR makes that easier for you and I to manage our own personal data.
It also places greater responsibility on Data Controllers and Data Processors (such as this website).
I can hear some of you saying – this does not apply to me – I don’t live in the EU!
Perhaps so – but unlikely!
If you sell in to the EU or hold EU members data then the GDPR rules apply to you
What is more, it is only a matter of time before other jurisdictions implement similar regulations.
The range and implications of the General Data Protection Regulation (GDPR) is huge – far more than we can cover in a single blog post!
So, in this post, we concentrate on the main things bloggers need to do, in order to make their website and business GDPR Compliant.
Disclaimer: This blog post is for informational purposes only, and you should not consider it legal advice. We recommend that you seek legal and other professional counsel to determine exactly how the GDPR might apply to you.
Additionally: This is one of our longer posts and it is tempting to skim over the main topics. I would encourage you not to do that. The implications of getting GDPR wrong are just too serious, to neglect taking this topic seriously.
What This Website Is Doing to Become GDPR Compliant
A brief overview of just some of the things we are implementing right now. [there will be more to follow]
1. Add checkbox to all opt-in forms, requesting approval to email subscribers. (blog posts, product updates, affiliate launches).
3. Add GDPR compliance link to footer of site where users can request data we have.
4. Add data protection policy to GDPR compliance page so users know what we do with data.
5. Email all current subscribers to reconfirm they want to be on our lists. Anyone who doesn’t confirm, will be removed from our lists.
6. Carry out a complete GDPR Audit – to identify what information we have, where it is stored, and what processes we have for data protection. (This includes confirming the safety of any data we transfer outside the EU to Data Processors)
GDPR, How To Get Your Website Ready
When it comes to GDPR and a typical blog these are the main areas to consider:
- user registrations,
- contact form entries,
- traffic logs,
- security tools and plugins.
#1 GDPR and Getting Permission!
Personal Data is sometimes referred to as the new Oil or the new Gold.
Just ask Facebook!
Until recently many Facebook users felt they were the customer – but they are not.
Advertisers are Facebook’s customers. [Users are the product]
The news about Facebook and Cambridge Analytica plus other data breaches are changing the way people feel about their personal data.
Today’s new subscribers need to feel their personal data will be safe with you.
Not only that – but that we will respect the ‘permission’ they gave us to email them.
By permission – we mean that we will only email them in accordance with the authority they gave us when they subscribed.
If your subscriber requested a free report or video – that is all they get unless they also agreed in advance to receive more broader communications. (For example, promotions)
So often in the past bloggers and Information Marketers (including yours truly) have advertised a Lead Magnet but not explained that going forward you will also get further emails and offers.
GDPR is putting an end to that!
We, ourselves are adding check-box’s to all opt-in forms – similar to what you see in example below – from our friend and Small Business Lawyer Suzanne Dibble.
I am not a huge fan on the word consent and would suggest some better marketing speak, but it cannot be denied – the intention in Suzanne’s opt-in in clear!
Note: The Tick Box is not pre-ticked.
The GDPR specifically bans pre-ticked opt-in boxes.
It requires granular consent for distinct processing operations.
If you also use SMS or Mail you will need separate TICK BOXES for each method of contact.
You also need to tell subscribers about their right to withdraw, and offer them easy ways to withdraw consent (un-subscribe) at any time.
Not only that, individuals have the right to erasure – also known as right to be forgotten
I imagine (but not sure) that in Suzanne’s example, a subscriber could be sub-divided into those who will receive both free legal resources (blog posts etc) and promotions and those that receive free legal resources only – as they did not give consent to promotions.
For another example of Two Tick Boxes Opt-in checkout this Popup* from PopUp Domination
* Currently in Beta testing and available to PopUp Domination customers shortly.
Lead Magnets After 25th May 2018
Have you ever signed up for a FREE REPORT and then been bombarded with a series of unrelated emails or offers?
Or have we been guilty of doing this ourselves, with our subscribers?
For some of you GDPR will feel like bad news – but I want you to look at it differently.
Transparency is the key…
Do you really feel emailing a subscriber about something they did not ‘sign up’ to is good business?
If your opt-ins and forms are clear and transparent about their purpose you will perhaps get a few less subscribers but my prediction is that those who do subscribe will be more likely to do business with you.
Too many bloggers boast about their number of subscribers when what really matters is the number of active subscribers who actually open your email and read them!
Give me 10000 Active interested subscribers where 25% or more open every email over say 50000 subscribers where only 2% open my email!
#2 GDPR – The Scary Legal Stuff!
We don’t want to unduly scare our readers.
But it is essential to fully understand the implications of getting GDPR wrong.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
GDPR – Key Changes are detailed here
In particular note this comment reference penalties for GDPR non-compliance:
Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
As much as anything at this stage, the regulatory approach seems to be focusing on training and education as it is on investigation.
Businesses that demonstrate respect for customer data are likely to reap big rewards.
In any case, we should be protecting users Personal Data not just because the law requires us to – but also because it’s the right thing to do.
Plugins To Manage Cookies
Your website may already have a Cookie Notification that pops up requesting users to agree, but almost certainly that will also need updating to conform to GDPR.
A popular solution is: Cookiebot
Please don’t consider this a recommendation (I have heard both good and bad about Cookiebot) – but so far Cookiebot is one of the few plugins that allow you to do a number of variations on the Cookie Display notice.
In the example below – users are only committed to accepting Necessary Cookies.
This user has already un-ticked Marketing cookies, but if they wish, the user could also un-tick Preferences and Statistics.
This is the Ultimate in giving the website user control…
However, CookieBot also allows you to edit the cookie notice so that the user has to accept all cookies. [see below]
(or leave site)
=> Cookiebot allows users to click on “Show Details” and see a display of all the different cookies being used on the website.
=> Cookiebot is free for websites of less than 100 pages. (This includes: category pages, tag pages, site map etc – so reaching 100 pages on your website may be easier than you think)
Additional Resources: (That IncomeDiary has used and recommend)
Both of the above services also offer FREE options.
WordPress Support For GDPR
It is understood that WordPress is planning to include GDPR support in core release 4.9.6.
#4 Get Existing Subscribers to Re-confirm their Subscription
In most instances your subscribers will need to reconfirm their subscription – unless you are one of those bloggers who have been very diligent in your sign-up process and can demonstrate that your systems at time your subscriber joined was GDPR Compliant.
This is upsetting Information Marketers.
I want you to look at it differently.
How many on your list actually care about your message – open your emails?
If only a small percentage of subscribers are opening your emails, I will put it to you, that your list in reality, is much smaller than you think.
The time has come for re-engagement and honesty.
If every email you send out is selling something and you are not offering real value, then your days as an Information Marketer are numbered.
Begin an Email re-engagement campaign
Go back to your roots and deliver more of that compelling info that your subscribers signed up for in the first place.
Perhaps your Lead Magnet is a little dated – re-do it and send it to your list (a bonus free gift with no intent accept to thank your subscriber for being a subscriber!)
Or do a Survey – find out why people subscribed in the first place?
What do they like best about your emails? What do they like least?
If you have any connection at all, some people will respond, giving you valuable info that will help you address their need and write more engaging content.
Even ask – why are you not opening my emails? (Use that as a Subject line to your un-opens)
You may be surprised at the answers
And don’t be afraid to have your subscribers un-subscribe if your message or material is no longer applicable for them. (Don’t take it personal)
Sometimes bloggers tell me they are afraid of emailing too often – and that is possible, but perhaps an even bigger risk, is you don’t email often enough.
I am told that most people on average get 88 emails per day (32,120 per year) – so think of it this way, if you only email once a month (12 times) how can you with that ‘competition’ hope to keep the relationship and connection going?
People really do forget they subscribed!
GDPR is acting as a wake-up call for bloggers and how they build relationships with their list.
That has got to be good!
Remember the 3 E’s – Educate, Entertain and Engage.
Finally – and before 25th May 2018 – email your list asking them to reconfirm their wish to receive email from you?
Give some serious thought to the message you wish to convey.
Explain the benefits your subscriber gets as a subscriber!
I have heard varying opinions on the following suggestion and it requires a degree of programing knowledge – but when it comes to that re-confirmation, give your subscriber two options:
a) Confirm – Yes Please, keep sending me emails on [detail service or benefit]
b) No Thank you – please un-subscribe me.
In other words, a positive YES or a positive NO.
Apparently with this option more people are likely to opt for YES – but of course you have got to get users to open your email in the first place.
To be clear, if your subscriber does not respond, you will need to remove that subscriber from your list.
This is not an exact example, but look how Sainsburys use this method when asking for contact permission.
Here is a great example of both the ‘stay-connected’ email and the re-confirm form from BMW.
Note how they detail the benefits of re-confirming! Best still, I did not need to re-enter my email because their tracking system knows it is me at my email address, re-confirming.
Perhaps this will give you some inspiration.
#5 Personal data, Sensitive Data and Explicit Consent
Even though most bloggers and Information Marketers will not be handling Sensitive Personal Data it is important to note the differences and MORE IMPORTANTLY when explicit consent rather than unambiguous (implied) consent must be obtained.
With Sensitive Data you must always obtain explicit consent from the user.
Explicit consent requires a very clear and specific statement of consent.
Explicit consent must be obtained through a statement that should: “specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”. (Directive 95/46/EC, Article 29).
Simply stated: the data subject should quite literally and explicitly say “I consent” for consent to be considered explicit.
There is a good general article on Consent here – along with check lists:
Sensitive data is any data that reveals:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for the purpose of uniquely identifying a natural person
• Data concerning health or a natural person’s sex life and/or sexual orientation
For Personal Data that is not considered sensitive – explicit consent is not required – rather unambiguous (implied) consent will be sufficient.
Recommended Reading: Explicit vs. unambiguous consent: What’s the difference?
Example of Unambiguous Consent:
Personal data is anything that contains:
• Directly identifying information such as a person’s name, surname, phone numbers, etc.
• Pseudonymous data or non-directly identifying information, which does not allow the direct identification of users but allows the singling out of individual behaviors (for instance to serve the right ad to the right user at the right moment).
Want to know more about GDPR and consent?
In particular Item 32:
=> Consent should be given by a clear affirmative act – This could include ticking a box when visiting an internet website.
=> Silence, pre-ticked boxes or inactivity do not constitute consent. (Clicking a submit button is not acceptance of terms)
=> When the processing has multiple purposes, consent should be given for all of them. (Multiple Tick Boxes!)
#6 Google Analytics and GDPR
As bloggers and information marketers we love to measure – Traffic, Cost Of Sale, Conversions etc.
In an interesting move by Google – they have introduced granular data retention controls with Google Analytics.
GDPR – Frequently Asked Questions
At our sister site PopupDomination – we receive a lot of questions about GDPR and the implications for Opt-in forms and Pop-ups.
Unfortunately, there is a lot of erroneous information and confusion.
In these FAQ’s we address some of the most common questions…
a) With GDPR, do subscribers have to DOUBLE OPT-IN in order to join my list?
The short answer is NO.
However, as with many things – it depends.
If for example you have a Tick Box that users have to actively tick in order to subscribe and the consequences of subscribing are perfectly clear (i.e you have explained in detail what the user can expect) then a Double Opt-in is not absolutely necessary.
In addition your systems / data management must be able to demonstrate what the user actually signed up for, should there ever be a complaint.
b) Do my contact Forms / Quote Forms have to be GDPR compliant? (I am a web-designer)
Most web-forms and basic contact forms are processed under a legitimate interests basis and thus no explicit consent is required. [Unless you intend to use the data for anything other than what the user may expect]
Quote Requests can be considered contractual.
c) Is there a limit on how often I can email my subscribers?
There is no limit on how often you can email (but you must include an OPT OUT / UN-SUBSCRIBE)
d) I know I need to have my subscribers, re-confirm their subscription, but what if my subscribers do not respond or open my email?
With respect – in that case, you are better loosing that subscriber from your list. If like IncomeDiary you are spending significant sums on List Management each month, then at the very least, you will be saving some money!
If they do not respond, you will need to remove that subscriber from your list.
The only exception may be subscribers who live outside the EU – provided you can identify them!
e) My American Processor of Data tells me they are part of Privacy Shield and this makes them complaint with GDPR. Is it is safe for them to process my data?
Another short answer – YES
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. You can find out more about Privacy Shield here
f) Do I need a GDPR compliant data processing agreement? (DPA)
This is a big subject and we are not going into detail here – plus on many occasions the larger suppliers and handlers of your Data (Aweber, Google etc) will have already covered this in their agreements / terms of service.
But with smaller suppliers (for example your bookkeeper) you may need to have a DPA in place.
Where a data processor carries out any processing on behalf of a data controller, the data controller does not comply with the DPA unless there is a written contract between the two parties that includes, as a minimum, the following two clauses:
- the data processor must only act on the data controller’s instructions
- the data processor must use appropriate technical and organisational measures to prevent unauthorised or unlawful processing of the data, and accidental loss or damage to the data.
=> Example Data Processing Agreement.
Further GDPR Resources:
This Blog Post covers the GDPR basics only and how they may apply to Bloggers and Information Marketers.
GDPR Law is a deep and involved subject that we just do not have the space to cover in a single blog post.
You should give consideration to:
=> How do you handle and report data breaches.
=> Do you need to appoint a DPO (Data Protection Officer)
=> Processing data on a legitimate interests basis. (when applicable, when not!)
=> Data Transfer – how do you handle it?
=> If you have employees – identify lawful basis for processing employee personal data.
Plus, remember – it is not only your website that needs to be GDPR compliant.
Barry Dunlop is a lifelong Entrepreneur, Angel Investor, Mastermind Facilitator and business coach for entrepreneurs who launched his first Internet Business in 1998.