Unless you have been living under a rock, you are probably aware that today is The Day for the GDPR to come into effect. Now, you may have been burying your head in the sand, or actually busy with other important things but, whatever the reason if your site isn’t ‘GDPR compliant’ right now, don’t panic 🙂

There’s a lot of hype all over the internet, in Facebook Groups and on various forums about what being GDPR compliant actually means. For many people the answer is, frustratingly, not clear. So, this post aims to give you an overview of the steps you should take for your blog and how you can carry some of them out, as well as a handy GDPR compliance checklist at the bottom.

Disclosure: While reading this, please remember none of the FTB Admins are lawyers or have a legal background. This post describes what we have done to the FTB website, our own sites and how. It is not meant to be a replacement for real legal advice so, if you are unsure, please consult a lawyer.


What is the GDPR?

If you’d like some light bedtime reading, this overview is for you. 

If bedtime reading isn’t your thing, this summary by Cookie Bot says that

“The GDPR is a set of EU regulations that represent the most significant initiative on data protection in 20 years. The purpose is to protect “natural persons with regard to the processing of personal data and on the free movement of such data”, e.g. the website user.”

Does the GDPR impact me?

The short answer is yes.

Unless you block all European traffic to your website, the GDPR impacts your site.

Even if you are only blogging for fun, don’t collect email addresses, don’t take payment for anything, and so on, your site will still, in all likelihood, store some cookies and collect some personal data. Therefore, it does need to be GDPR compliant.

The GDPR considers a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address to be personal data. If your website processes any of this data, it has to meet the GDPR requirements. The primary aspects to consider are how you store customer and user data and the first- and third-party cookies on your website.

What do I need to do to my website to be GDPR compliant?

Although many of us have been caught up in the idea that the GDPR is all about cookies, that’s not true. In fact, cookies are a very small aspect of the 88-page document and there are several other aspects you need to consider.

In a nutshell, this is what you need to have on your site as soon after 25th May 2018 as possible to be GDPR compliant:

Updated Privacy Policy
GDPR Cookie Banner
Cookie Policy
GDPR compliant mailing lists
Clear, concise email optin forms
A system to enable users to request/withdraw their data
Checkboxes to capture people’s agreement to your Privacy Policy in places that you collect their data

How do I make my website GDPR compliant?

Sadly, as yet, no one has made one plugin to add everything you need to your site! But there are simple ways to add each component:

Updated Privacy Policy

The main focus of the GDPR is the protection of personal data and digital privacy. Therefore, your Privacy Policy is central to being GDPR compliant. The GDPR rules mean that all websites need to state exactly what data they collect, what they do with it, how it is collected and for what purpose. This is the purpose of your Privacy Policy. 

The key things to think about when creating your Privacy Policy are:

  • Do I process data that is capable of identifying an individual (including cookies and IP addresses)?
  • What types of data do I process?
  • What are my lawful grounds for collecting this data?

Once you have the Privacy Policy, you need to make sure it’s accessible from all pages of your site. An ideal place is in the footer but you can also put the policy on your menu or site header – whatever works for your theme.

You should also send this Privacy Policy to all your subscribers so that they understand how you collect and process their personal data, for what reasons, the legal grounds you have for this, how you keep their data secure and their legal rights.

Tools

The most recent version of WordPress has a Privacy feature tucked away under the Settings menu from the dashboard. From there you can either save your current Privacy Policy as the official privacy page or you can create a new one. Those guys at WordPress have made the template that should cover most aspects of privacy that your site would need.

This handy Checklist

GDPR Cookie Banner

Having a Cookie notice has been a European requirement for some time but up until now, letting users know you use Cookies was sufficient. The GDPR has redefined what constitutes consent and now consent has to be:

  • Informed: It must be clear what cookies you use on your site and what users are consenting to. It must also be possible to opt in to and opt out of the various types of cookies.
  • Based on a true choice: A user must have access to the website and its functions even if they choose to reject some cookies.
  • Given by means of an affirmative, positive action that cannot be misinterpreted.
  • Given as soon as they land on the site, before any data is processed.
  • Withdrawable: It must be easy for a user to withdraw their consent while using your site.

Simply put, an OK button or saying “if you continue to use this site I will presume you’re ok with cookies” isn’t enough. In order for a user to be informed, there needs to be a link to your Cookie Policy in the cookie banner. On the FTB website, we have a combined Privacy and Cookie Policy, so that is where a user is taken if they choose to find out more information about how we use Cookies.

Tools

Free Plugin: GDPR Cookie Consent 

Free Plugin: Cookie Notice

Free Website Trial: Cookie Bot 

Note: None of the free plugins we have tried meet every single requirement – if you know of one that does, let us know!


GDPR Compliant Cookie Policy

Your Cookie Policy should inform users what cookies you use and be accessible to them as soon as they land on your site so that they can make an informed decision on whether to accept cookies or not. The policy should also include what data you share with third-party services and how the data is processed.

A GDPR cookie policy must meet the following requirements:

  • Transparent: Give the user a clear and accurate picture of how cookies are used on the website, at any time, in clear and understandable language.
  • Overview and accountability for cookies on your website: You should provide an overview of the data processing that goes on in connection with your website.
  • Possibility to withdraw consent at any time: Your users must be able to withdraw their consent to the use of cookies at any time. Therefore you need to give them access to their current consent state at all times, so that they can change the settings or withdraw their consent entirely.
  • Renewal of consent: Every 12 months, consent should be renewed on the user’s first visit to the site.
  • Consents must be recorded as evidence: All consents must be securely stored so that they can be used as evidence in case of an inspection.
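The consent rules above (affirmative choice before anything non-essential runs, an easy withdrawal, renewal after 12 months and a stored record of what was agreed) can be sketched in a few dozen lines of browser JavaScript. The block below is an added example written for this post; it is not code from the original article or from any of the plugins mentioned here. The storage key, the category names and the timestamps are assumptions made for the illustration, and the in-memory storage stand-in exists only so the example runs outside a browser (in a real page you would pass window.localStorage).

```javascript
// Added example: a minimal consent gate for non-essential scripts.
// Not code from the original post or any plugin it mentions; the
// storage key and category names below are illustrative assumptions.

const CONSENT_KEY = "site_cookie_consent";            // assumed storage key
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // re-ask after 12 months

class ConsentManager {
  // `storage` must offer getItem/setItem/removeItem (window.localStorage
  // in a browser); `now` is injectable so expiry can be exercised offline.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }

  // Returns the stored consent record, or null if there is none or it is
  // older than 12 months (the renewal rule), so the banner is shown again.
  current() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    let record;
    try { record = JSON.parse(raw); } catch (e) { return null; }
    if (typeof record.grantedAt !== "number") return null;
    if (this.now() - record.grantedAt > CONSENT_MAX_AGE_MS) return null;
    return record;
  }

  // Records an affirmative choice. Each category is stored as an explicit
  // true/false together with a timestamp, so a later check can see exactly
  // what was accepted and when. Unticked boxes default to false.
  grant(accepted) {
    const record = {
      grantedAt: this.now(),
      categories: {
        analytics: accepted.analytics === true,
        marketing: accepted.marketing === true,
      },
    };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }

  // Withdrawal is as easy as granting: one call clears the record.
  withdraw() {
    this.storage.removeItem(CONSENT_KEY);
  }

  // Strictly necessary cookies need no consent; everything else requires
  // an explicit, current opt-in. No record at all means "not allowed".
  isAllowed(category) {
    if (category === "necessary") return true;
    const record = this.current();
    return record !== null && record.categories[category] === true;
  }

  // Runs `loader` (e.g. the function that injects the analytics tag) only
  // when the category is allowed; returns whether it ran.
  loadIfAllowed(category, loader) {
    if (!this.isAllowed(category)) return false;
    loader();
    return true;
  }
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Walks through the lifecycle: land on the site, grant, withdraw, expire.
function demo() {
  let clock = 1700000000000;                              // constructed timestamp
  const cm = new ConsentManager(memoryStorage(), () => clock);
  const steps = {};
  steps.beforeChoice = cm.loadIfAllowed("analytics", () => {}); // nothing runs yet
  cm.grant({ analytics: true });                           // user ticks analytics only
  steps.afterGrant = cm.isAllowed("analytics");
  steps.marketingStillOff = cm.isAllowed("marketing");
  cm.withdraw();
  steps.afterWithdraw = cm.isAllowed("analytics");
  cm.grant({ analytics: true, marketing: true });
  clock += CONSENT_MAX_AGE_MS + 1;                         // 12 months later
  steps.afterExpiry = cm.current();                        // null -> show banner again
  return steps;
}
```

The important design point is the default: with no record, or an expired one, `isAllowed` returns false, so an analytics or advertising tag is simply never injected until the visitor has actively ticked a box. A banner wired to `grant` and a settings link wired to `withdraw` cover the "affirmative action" and "withdrawable" requirements respectively.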

Tools

Most Cookie plugins will help with generating a cookie policy and if not, there are plenty of templates online.

Cookie Bot has tons of great info and will run a scan of your site letting you know exactly what cookies you’re using.

IT Governance also has lots of helpful info.

If you’ve seen the FTB Privacy Policy, you’ll have probably noticed that we have a table of all the cookies used on this site. This was generated on the Cookie Bot website like this:

  1. Create an account
  2. Save your domain and start a scan of the site (this takes 24 hours)
  3. Embed the code generated from the scan on your policy page

Anonymize Google Analytics

The GDPR encourages website and business owners to ensure that the cookies they use are necessary for the action the user takes. In addition to giving users the option to reject cookies, you can manage the way cookies are handled. For example, it is possible to anonymize Google Analytics, meaning that a user’s IP address won’t be saved. According to Google, this is what the process does:

“When a customer of Google Analytics requests IP address anonymization, Google Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network. The IP anonymization feature in Google Analytics sets the last octet of IPv4 visitor IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Google Analytics Collection Network. The full IP address is never written to disk in this case.”

Tools

Plugin: To do this using the most popular plugin Google Analytics Dashboard for WP (GADWP), you can find the ‘anonymize’ option in the advanced settings of the tracking code settings.

Code (and plugin): If you don’t use the plugin, you need to edit your header code to include the following code, with your own GA tracking ID (editing your header can be done from a plugin like this):

<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=GA_TRACKING_ID"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());

gtag('config', 'GA_TRACKING_ID', { 'anonymize_ip': true });
</script>

If you already have the GA tracking code set up, you just need to add , { 'anonymize_ip': true } as an extra argument to your existing gtag('config', 'GA_TRACKING_ID') call, so that the line ends with 'GA_TRACKING_ID', { 'anonymize_ip': true });
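To make concrete what Google’s description above means in practice (last octet of an IPv4 address zeroed, last 80 bits of an IPv6 address zeroed), here is a small added example that applies the same masking yourself, for instance to the client address in your own server logs before they are stored. This is illustrative code written for this post, not Google’s implementation; the log lines are constructed, and IPv4-mapped IPv6 forms are deliberately rejected rather than handled.

```javascript
// Added example: IP masking in the style Google describes for Analytics.
// Not Google's code; the access-log lines below are constructed samples.

// IPv4: keep the first three octets, zero the last one.
function anonymizeIpv4(ip) {
  const parts = ip.split(".");
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error("invalid IPv4 address: " + ip);
  parts[3] = "0";
  return parts.join(".");
}

// Expands an IPv6 address (with at most one "::") into eight 16-bit groups.
// IPv4-mapped forms such as ::ffff:1.2.3.4 are rejected by the group regex.
function expandIpv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("invalid IPv6 address: " + ip);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  const badLength = halves.length === 2 ? missing < 1 : missing !== 0;
  if (badLength) throw new Error("invalid IPv6 address: " + ip);
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  return groups.map((g) => parseInt(g, 16));
}

// IPv6: keep the first 48 bits (three groups), zero the remaining 80 bits.
// Because the tail is always zero, the result is written with a trailing "::".
function anonymizeIpv6(ip) {
  const groups = expandIpv6(ip);
  return groups.slice(0, 3).map((g) => g.toString(16)).join(":") + "::";
}

// Dispatches on the address family.
function anonymizeIp(ip) {
  return ip.includes(":") ? anonymizeIpv6(ip) : anonymizeIpv4(ip);
}

// Masks the leading client address of each access-log line; lines whose
// first token is not a valid address are left untouched rather than dropped.
function maskAccessLog(lines) {
  return lines.map((line) => {
    const [first, ...rest] = line.split(" ");
    try {
      return [anonymizeIp(first), ...rest].join(" ");
    } catch (e) {
      return line;
    }
  });
}

// Constructed sample log lines (documentation-range addresses, not real visitors).
const SAMPLE_LOG = [
  '203.0.113.77 - - [25/May/2018:09:14:02 +0000] "GET / HTTP/1.1" 200 5120',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:09:14:05 +0000] "GET /privacy HTTP/1.1" 200 2048',
  '- - - [25/May/2018:09:14:09 +0000] "GET /robots.txt HTTP/1.1" 404 0',
];
```

Usage: `maskAccessLog(SAMPLE_LOG)` returns the same lines with the first two addresses replaced by 203.0.113.0 and 2001:db8:85a3:: while the third line is unchanged. Masking at the point of collection, as here, is what makes the quoted "never written to disk" claim possible: the full address is not retained anywhere to be requested or leaked later.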

GDPR Compliant (clear, concise) email optin forms

Gone are the days of offering someone a freebie and then adding their email to your mailing list so you can contact them to announce your Grandmother’s impending nuptials, or in any other way you like. The GDPR enforces the rule that users should know exactly what their email address is going to be used for before they enter it into an optin. At first, this sounds confusing and has had many people worrying about how they will be able to capture emails and build that all-important mailing list. However, as long as the wording on your optin is GDPR compliant, you are good to go. Yes, that means your users don’t have to see all the GDPR options when they sign up, as long as you say exactly what their email will be used for (and have a double optin).

You can say something along the lines of “Enter your email here to receive my monthly newsletters, marketing materials, and promotional offers”

You cannot say “Enter your email here to get this wonderful freebie” and then send them an email promoting your new travel planning services.

Although not mandatory, it is a good idea to also have a checkbox indicating that users have read your Privacy Policy and therefore understand how their data will be used. However, there’s also controversy about the right use of checkboxes. This article talks about why they aren’t necessary if you word your optin blurb correctly. https://www.linkedin.com/pulse/why-gdpr-doesnt-require-checkboxes-peter-austin

Tools

It is likely you can use the same service provider you were using pre-GDPR to collect emails as long as you make the wording GDPR compliant.

Many signup forms don’t have the option to add a checkbox indicating that a user has read your Privacy Policy. However, if you are using MailChimp and are comfortable adding HTML to your form, you can add this code (replacing linktoprivacypolicy with the URL of your own policy):

<label>
   <input type="checkbox" name="mc4wp-subscribe" value="1" />
   Agree to our <a href="linktoprivacypolicy">Privacy Policy</a>.
</label>

GDPR compliant mailing lists

Having a double optin, which requires users to confirm their email address, is highly recommended. Double optins increase the subscriber’s data security because they ensure people aren’t using someone else’s email address to sign up for lists. This article gives great advice on things you should know about GDPR compliant email consent and how to set it up.

Tools

Again, most email list providers have rolled out GDPR functionality to enable their users to be GDPR compliant. FTB’s mailing list is held with MailChimp who have some great GDPR tools. They have added an option to make your lists GDPR compliant. This can be found under ‘List Name and Default’ option under ‘List Settings’. This is where you choose to have double optin activated too.

Ask people to optin again

If you do not already have GDPR compliant consent from your subscribers, you will need to send another email encouraging them to update their profile with their preferences. You could use this email as an opportunity to show off your new shiny Privacy Policy!

Tools

With MailChimp, it’s easy to start a new campaign asking people to optin again. After you have created groups for your old mailing list you can send out an email prompting subscribers to update their profile preferences using the handy link that you embed in the email. This allows you to separate the lists that people have signed up to through various optins, into groups of people who are now happy to receive your newsletter (you can sign up here to the FTB one if you missed the memo), or marketing / promotional emails. Of course, they could also choose to receive anything and everything you send out!

A system to enable users to request/withdraw their data

One of the key points of the GDPR is giving users the right to request access to the data you have stored about them, as well as the right to have all of that data deleted. Many large businesses are appointing Data Protection Officers to deal with this but, for the rest of us, it’s important to know you can do this if needed.

Tools

The newest version of WordPress has added this functionality, so that if a user contacts you asking for details of the data you hold about them, or for their data to be deleted, you can do this for them. These tools can be found under Tools from your main dashboard and this video gives great instructions on how to use them.

The WP GDPR Compliance plugin also does this for you. Its method is slightly different in that it creates a page that can be shared with users, for example by being linked to from your Privacy Policy, so that users can request their data or data deletion directly. This can be configured from the Settings panel of the plugin tab.


Checkboxes to capture people’s agreement to your Privacy Policy

There’s conflicting info out there about whether these are necessary or not. So, to be on the safe side, adding a few of these little boxes in key areas of your site is a good idea. Importantly, these checkboxes must be un-ticked by default in order to allow active consent. Unsurprisingly, given that active, informed consent is really the whole point of the GDPR! We talked about doing this with your email optin forms but another place where data is gathered is the comments section of your blog. Most CMS systems, WordPress included, ask for a user’s email address and name when they submit a comment. Hence it is important that, at this point, users are prompted to read and agree to your Privacy Policy.

Tools

There are rumors that the most recent WordPress update included this functionality; however, I haven’t yet heard anyone say it has worked for them.

However, the WP GDPR Compliance plugin steps in to offer the ability to add checkboxes to your blog posts encouraging people to accept the Privacy Policy when they leave their details to submit a comment. This can be configured from the Integration panel of the plugin tab.


Hopefully, this post will help you navigate through the murky waters of what’s needed to make your site GDPR compliant. We would love to hear how you’re getting on, let us know in the comments!


Lottie Reeves


Admin

Originally from the UK, Lottie has traveled extensively across 6 continents & lived in Australia, Canada & South Africa.

She ditched the bright lights of primary classrooms to embark on an adventure exploring South Africa in a caravan as a location independent freelancer. Her next adventure is taking her, temporarily, back to the UK where she will be living in a narrowboat and bobbing around on the waterways.

A self-proclaimed princess who loves all things pink and sparkly; connect with Lottie at her site Princess In A Caravan and follow her on Facebook and Instagram, here
