The European Union’s (EU) General Data Protection Regulation goes into full effect on May 25, 2018. The internet and blogdom are all abuzz about getting compliance in place by the deadline. This is just one of a plethora of articles you’ll find on the topic.
The GDPR in its simplest intent makes data processors responsible and accountable for the information people give them.
The concept behind the GDPR is a matter of common sense and respect for people’s personal information. They have a right to know what you intend to do with information they give you and to have information to decide if they want you to have it at all. It’s sort of the same idea as knowing where their money’s going. The GDPR in its simplest intent makes data processors responsible and accountable for the information people give them.
DISCLAIMER: This information is not intended as legal advice or opinion. I do not make any warranty about the completeness, reliability, or accuracy of this information. Any action you take based upon this information is strictly at your own risk. I am not liable for losses and damages in connection with the use of this information. You should seek legal and other professional advice.
Will the GDPR affect you?
So you may be thinking that the GDPR has nothing to do with you because you’re located in the USA, not in the UK or EU. Or that since you’re a sole-proprietor, individual, independent, creative business owner with no employees it won’t apply to you. Or that since you don’t sell anything on your site you don’t need to bother about it.
But here’s the thing: The EU is just a start. I predict that the GDPR is a first step in a coming global policy. Other nations will legislate similar policies, much in the way that copyright laws are pretty much the same world-wide. So for that reason, no matter where you’re located, you should get serious about GDPR compliance.
It’s not about where you’re located. It’s where your potential readers, list members, customers and clients are located.
It doesn’t matter how large or small your business is.
It doesn’t matter where your website is hosted. It matters who visits your site and from where.
No matter where you are located, how large or small your enterprise is, or whether you or not you sell merch on your site, the GDPR will apply to you if one or more of the following apply:
You allow commenting on your blog. Many commenting systems require people to submit their names and web addresses at minimum.
You sell products on your website and collect payment information.
You have a membership platform.
You have opt-in and contact forms on your website or blog. You’re collecting names and emailing newsletters or promotions to your mailing list.
Your website uses cookies. The information cookies track is considered personal information.
You use Google analytics. By default Google tracks IP addresses of visitors to your site. You can access that information on your Google Search Console.
You use Facebook pixel to track visitors to your site from your links on Facebook.
Your web server tracks and records visitors to your site.
You have visitors to your website who are located in the EU.
You are processing data (collecting a person’s information) via sign-up and contact forms, through sales of products and services.
You are using any ad retargeting in your marketing activities.
The foundational ideas of GDPR
You have to process peoples data (personal information) in a way that’s transparent, fair and lawful. For your processing (handling, managing, storing) to be legit (lawful), you have to have people’s specific consent, with a few exceptions. In other words, people have to give you permission to use their data. You have to use the data only for what you say you’re using it for.
Under GDPR you have to justify why you’re collecting a person’s information. You can’t collect it for one thing and use it for another. You can’t collect more information than you need. For example, you cannot add a person’s email address to a list they didn’t give you permission for, and you cannot collect credit card information if all you’re doing is emailing them. And if a person gives you their email so they can download a digital product, you cannot then add them to your mailing list without them agreeing to it.
You may use a person’s information only for what’s necessary and only for as long as necessary.
You have to correct any incorrect data immediately. So if someone requests that you change their information or that you remove them from your list, you need to do so immediately.
Email services such as Mailchimp and AWeber clean bounces and give people the ability to update their information. But if a subscriber asks you to remove them directly, you need to do so as quickly as possible.
You can hold onto a person’s information only for as long as necessary. Clean your lists regularly.
You need to provide people with a secure connection to offer their data and to protect it from unauthorized access. Obviously, you need to run a secure site under an SSL encryption and protect against breaches.
Think of it this way: if you are in any way able to identify an individual via their data, your activities can fall within the GDPR’s governance.

What the Heck is GDPR? (and How to Make Sure Your Blog Is Compliant) from SmartBlogger.com
Infographic courtesy of smartblogger.com
If you’re in the EU, the GDPR applies to you without question. If you’re outside the EU, it applies fully if you target a customer base located within the EU. If you’re not specifically targeting the EU but your content may be relevant to customers or readers located in the EU, it may apply to you.
A few exceptions to the requirements have to to with fraudulent activity, backing up your site in case of a breach or malfunction, and search analytics.
My best advice: get compliant even if you don’t think you need to. There will be significant monetary penalties for not complying if it’s found that the GDPR does apply to you. Whether or not you have paid products and services or not does not matter.
GDPR-Compliant steps to take right now
Some easy tweaks to your website you can make now include:
An SSL certificate — you should already have this in place on your site. If you don’t yet, get it done right away. Some webhosts include SSLs automatically in their hosting plans. How do you know if your site is secure? Your URL prefix is https.
Privacy policy that includes specific GDPR requirements about cookies, what data you collect, how you secure it and and how you process it. Also, people need to be able to read your privacy policy BEFORE you ask them to consent to join your list.
Notifications about how your site uses cookies
Security software that includes a firewall (Wordfence, Securi)
Opt-in forms that are GDPR-compliant, meaning that they are specific in what people are consenting to and provide for the ability to opt-out in the future.
If you have been offering a freebie in exchange for someone’s email address and want to include that practice, you’ll need to add specific consent information and checkboxes to your sign-up forms stating that they’re consenting to be added to your mailing list. You can make no assumptions here.
Using a double opt-in where people must confirm they’re giving consent, are also a good idea.
If you’re using WordPress, be sure to harden your site with basic security precautions such as long-string passwords, complex user names, eliminating any generic user accounts such as admin, and installing security scanning plugins.
In the Google Search Console, it might be a good idea to anonymize tracking for your sites.
Another thing to consider is who you link to. While you may be taking steps toward compliance, sites you’ve linked to may not. You should seriously consider whether to continue an affiliation with sites you have an alliance with but that are not compliant. To cover this, I’ve included a clause in my privacy policy stating that remote sites I’ve linked to may not be GDPR-compliant and that I have no jurisdiction over them.
Other things to consider are the security of your laptops and portable devices from where you may access your customer data, not using public wifi to access any data, and hosting your site on a secure web host. Your hosting service acts as a data processor on your behalf.
Remember that it’s good branding to take care with information provided to you. Being responsible is a sign of professionalism and part of having integrity. What you do about GDPR shows whether or not you care about your current and potential clients.
DISCLAIMER: This information is not intended as legal advice or opinion. I do not make any warranty about the completeness, reliability, or accuracy of this information. Any action you take based upon this information is strictly at your own risk. I am not liable for losses and damages in connection with the use of this information. You should seek legal and other professional advice.
ADDITIONAL READING:
7 Steps to GDPR for US Companies Informationweek
GDPR Compliance Tools in WordPress WordPress