Last updated 2 years ago by Emily Standley-Allard
I’m sure you’ve all heard of GDPR, but as a new online business owner or blogger how important is it for you really? It may sound pretty complex and scary, but it was basically designed to keep us all safer online. Let’s go over this important regulation to make sure your website and blog are compliant and following the rules.
This post contains affiliate links. If you make a purchase we will earn a small commission which helps keep our blog running at no additional cost to you and we thank you. For more information please read our disclosure.
What is GDPR?
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, was adopted by the European Parliament and the Council in April 2016. In short, if your website collects or stores data about people in the EU (residents, not just citizens), you must:
- Tell the user who you are, why you collect the data, who you share it with and how long you keep it.
- Have a lawful basis for collecting it. For a blog that is usually consent, which has to be clear, specific and freely given (no pre-ticked boxes) before the data is collected.
- Let users access, correct, export and delete their data.
- Report data breaches: to your supervisory authority within 72 hours of becoming aware of one, and to the affected users when the breach is likely to put them at high risk.
When does GDPR start?
GDPR went into effect across the European Union on 25 May 2018.
And yes, it still applies if you’re located in the US: the regulation covers anyone outside the EU who offers goods or services to people in the EU or monitors their behavior, and analytics and marketing cookies count as monitoring.
Why is GDPR important?
GDPR adds new requirements for how websites (and therefore blogs) must protect individuals’ data, and it raises the stakes with far larger fines. The maximum fine for non-compliance is 20 million Euro or 4% of total worldwide annual turnover for the previous financial year, whichever is higher.
Even though the likelihood of a blogger being fined is extremely low (in our opinion this was put into place for major players like Facebook and major eCommerce sites etc), the principles behind GDPR should be followed to make the internet better for everyone.
According to the European Commission, the consequences of non-compliance can be serious. Consumers reasonably expect businesses to take care of the personal information they collect and to process it only for the purposes it was collected for.
The law now reflects that expectation, and businesses risk severe penalties if they fail to comply.
For less egregious breaches, you can be fined up to the greater of:
- 10 million Euros; or
- 2% of the firm’s global turnover.
More serious offences can incur fines up to the greater of:
- 20 million Euros; or
- 4% of the firm’s global turnover.
The important thing to note here is that fines are not the only tool. Supervisory authorities also have softer corrective powers, including warnings, reprimands and orders to fix the problem, and for a blog that is not fully compliant, enforcement is far more likely to start there than with a fine.
What is the definition of “personal data”?
Under GDPR, personal data is any information relating to an identified or identifiable person. That covers obvious things like a name, ID number or location, but also online identifiers such as an IP address or a cookie ID. Some of it (ethnicity, political opinions, health, religion) is “special category” data with even stricter rules. Data doesn’t have to be confidential or sensitive to qualify as “personal”.
When looking at most normal blogs, personal data will be flowing through:
- Blog post comments (WordPress stores the commenter’s name, email, IP address and browser user agent)
- Traffic stats plugins/tools such as Google Analytics (IP addresses and cookie IDs)
- 3rd party hosted services such as Jetpack, Bloglovin’ and Disqus
- Email signup forms such as Convertkit or Constant Contact
- Contact forms (WordPress plugins or others), which usually email you the submission and often store a copy in your database too
- Your web host’s location: if your server or its backups are outside the EU, visitor data is being transferred out of the EU, which needs its own legal basis (your host’s terms should say what they rely on)
What should I do to make my blog GDPR compliant?
The good news here is that WordPress has built-in privacy tools (since version 4.9.6): a privacy policy page template under Settings, and “Export Personal Data” and “Erase Personal Data” requests under Tools. Google is also working on similar updates for Blogger/Blogspot. This goes a long way in making the core of your site compliant with GDPR, but it does not cover the plugins and third-party scripts you add on top.
With that in mind, the main features you should look at are:
- Create a Privacy Policy (consider using legal templates). Link the Privacy Policy in your main menu or footer menu. Do not copy and paste a Privacy Policy from another site: it will describe someone else’s data flows, not yours. Iubenda offers a free plan that tailors the policy to your particular usage.
- Check 3rd party services for information about their compliance (e.g. Disqus, Jetpack, and your affiliate programs). Each one that receives visitor data needs to be listed in your Privacy Policy, along with what it receives and why. We can confirm that this Genesis theme is fully GDPR compliant. Services offered by Amira’s Legal Templates make this very easy by automatically adding 3rd party services to your Privacy Policy.
- If you gather email addresses as part of a newsletter or subscription service, you must provide the ability for people to opt out or unsubscribe, and every email you send should carry that link. Your signup forms should tell people what data you gather and how it is stored and used, and the consent box must not be pre-ticked. If you’re using a third party email service such as Convertkit, these features are provided for you in the service’s settings. You can read more about Convertkit in this post.
- Ensure that your site is served over HTTPS rather than HTTP. The S stands for ‘secure’: it encrypts everything between the visitor’s browser and your server, which is the most basic of the “appropriate technical measures” GDPR asks for. Make sure plain HTTP requests redirect to HTTPS and that no images or scripts are still loaded over HTTP. Contact your host for help with this if you are unsure (SiteGround provides a free SSL certificate with any of their hosting plans).
- Ensure WordPress is updated to the latest version.
- Ensure that all themes and plugins are updated to the latest version. Enable automatic updates if possible (e.g. SiteGround provides automatic updates with all hosting plans).
- If you use Google Analytics, we recommend using this plugin. MonsterInsights is what I use to get detailed data directly from my WordPress dashboard. Whatever you use, turn on IP anonymization and make sure the tracking script only loads after a visitor has consented.
- Check if any plugins on your site are no longer maintained by the author, and remove or replace them. Plugins you no longer need should be deleted, not just deactivated.
- Share this post! The more bloggers that make their sites GDPR compliant, the safer our online community will become. If we all work together we can make the internet a safer place for everyone
This post will be updated with any new advice/information as GDPR evolves.
Frequently Asked Questions
I don’t care about the details, what’s the main thing I need to do?
If you only have time to do one thing to help with GDPR compliance, create a Privacy Policy, it takes 5 minutes and goes a long way in helping your readers see how data is controlled and handled on your site.
I’m not located within the EU, does GDPR still affect me?
Your site should be GDPR compliant if anyone inside the EU can use it, and since anyone in the world can reach a public blog, that means you. Strictly, the regulation applies to sites outside the EU that offer goods or services to people in the EU or monitor their behavior (analytics and advertising cookies do exactly that), so unless your site is completely blocked for everyone in the EU, GDPR will impact how data is managed on your site.
What about Brexit?
Despite Brexit, the UK kept the regulation in its own law as the “UK GDPR” (alongside the Data Protection Act 2018), so the same rules apply to UK visitors and UK-based bloggers.
Do I need to email my subscribers and ask them to re-subscribe?
No, not if they provided consent for you to email them when they initially subscribed. See this article from Convertkit for more information.
Do cookies count as personal data?
A cookie is a small piece of data that a website asks the browser to store on the visitor’s device and send back with every later request. Because a cookie ID can single out an individual via their device, it is considered personal data, and so is the IP address that arrives with each request. This means if you’re using Google Analytics or similar services, you need to comply with GDPR. Regarding Google Analytics, you can make a big step towards compliance by turning on IP anonymization and setting “Data Retention” to 14 months. See the “Set the options” section of this guide.
When you install a GDPR plugin you get a popup that asks every user to ‘accept cookies’ on your website. The banner alone is not the point, though: the analytics and advertising scripts must not load until the visitor has actually accepted, and ‘decline’ must be as easy to click as ‘accept’. Many banners load the tracking script regardless of the answer, which is no better than having no banner at all.
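Here is what “only after consent” looks like in code, covering both the Google Analytics item in the checklist above and the cookie question here. This is an added example for this post, not code from the original article, from MonsterInsights or from any consent plugin. The cookie name `ga_consent`, the measurement ID placeholder `G-XXXXXXXXXX` and the button ids `consent-accept` / `consent-decline` are assumptions you would replace with your own values.

```javascript
// Added example (not from the original post or any plugin): load Google Analytics
// only after a visitor opts in, and remember the choice in a first-party cookie.
// CONSENT_COOKIE, GA_MEASUREMENT_ID and the button ids below are placeholders.
const CONSENT_COOKIE = "ga_consent";          // assumed cookie name
const GA_MEASUREMENT_ID = "G-XXXXXXXXXX";     // placeholder property ID
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;   // 180 days, then the banner asks again

// Turn a document.cookie string ("a=1; b=2") into a name -> value Map.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;                     // bare attributes like "Secure" have no value
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      cookies.set(name, decodeURIComponent(part.slice(eq + 1).trim()));
    } catch (e) {
      // malformed percent-encoding: ignore that cookie rather than crash the page
    }
  }
  return cookies;
}

// "granted", "denied" or "unknown". Only an exact "granted" turns analytics on, so a
// missing, expired or tampered cookie fails closed (no tracking).
function consentState(cookieString) {
  const value = parseCookies(cookieString || "").get(CONSENT_COOKIE);
  return value === "granted" || value === "denied" ? value : "unknown";
}

// Build the cookie string for the visitor's choice. Secure keeps it off plain HTTP,
// SameSite=Lax keeps it out of cross-site POSTs, Path=/ makes it site-wide.
function consentCookieValue(choice, maxAge = CONSENT_MAX_AGE) {
  if (choice !== "granted" && choice !== "denied") {
    throw new Error("choice must be 'granted' or 'denied'");
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Inject the gtag loader and its config into <head>, but only when state === "granted".
// Returns true if scripts were added, false otherwise (no consent, or already added).
// `doc` is a parameter instead of the global `document` so it can be tested with a stub.
function loadAnalytics(doc, state) {
  if (state !== "granted") return false;
  if (doc.getElementById("ga-loader")) return false;   // idempotent across re-renders

  const loader = doc.createElement("script");
  loader.id = "ga-loader";
  loader.async = true;
  loader.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(GA_MEASUREMENT_ID);
  doc.head.appendChild(loader);

  // anonymize_ip truncates the visitor's IP before storage on Universal Analytics
  // properties; GA4 discards IPs itself and ignores the flag, so it is harmless there.
  const config = doc.createElement("script");
  config.id = "ga-config";
  config.textContent =
    "window.dataLayer = window.dataLayer || [];\n" +
    "function gtag(){dataLayer.push(arguments);}\n" +
    "gtag('js', new Date());\n" +
    `gtag('config', '${GA_MEASUREMENT_ID}', { 'anonymize_ip': true });`;
  doc.head.appendChild(config);
  return true;
}

// Banner button handler: record the choice, then start analytics only if it was "granted".
function recordConsent(doc, choice) {
  doc.cookie = consentCookieValue(choice);
  return loadAnalytics(doc, consentState(doc.cookie));
}

// On page load: honour an earlier choice; show the banner only when nothing is recorded.
function applyStoredConsent(doc) {
  const state = consentState(doc.cookie);
  return { state, loaded: loadAnalytics(doc, state), showBanner: state === "unknown" };
}

// In a browser, wire it up. Under Node there is no `document`, so nothing runs here.
if (typeof document !== "undefined") {
  const result = applyStoredConsent(document);
  if (result.showBanner) {
    document.getElementById("consent-accept")?.addEventListener("click", () => recordConsent(document, "granted"));
    document.getElementById("consent-decline")?.addEventListener("click", () => recordConsent(document, "denied"));
  }
}
```

Two design points worth noticing. Everything fails closed: an absent, expired or edited cookie is “unknown”, which shows the banner and loads nothing. And because the consent cookie is marked `Secure`, a browser will refuse to store it on a plain `http://` page, so analytics would never start there; that is one more practical reason the HTTPS step in the checklist comes first.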
What if I don’t actually store any data on my site?
Even though the data might be stored externally by a 3rd party (e.g. Convertkit), it is collected through your site’s widgets and forms, so you are still responsible for it under GDPR (you are the “controller” and the 3rd party is your “processor”). Even though you might not think your site stores the data, it probably handles it behind the scenes.
Can I share traffic stats with sponsors?
It is common practice for a company, agency or other business to request traffic stats for a sponsored blog post. GDPR does not impact this if no personal information is included (for example email addresses or IP addresses). If you are sharing aggregate traffic stats, e.g. total number of views for a post, then you do not need to worry.
Is my website theme GDPR compliant?
A theme by itself does not make a site compliant or non-compliant; what matters is what it does with visitor data. Most modern themes built after GDPR came into effect avoid the common pitfalls, so that’s one less thing to worry about, but do check two things.
First, whether the theme loads fonts, icons or embeds from a third party’s servers (e.g. Google Fonts fetched from Google rather than hosted on your own site sends every visitor’s IP address to Google), and second, whether any forms or widgets it bundles store visitor data. You can read more about the 11 most GDPR compliant sites here. If you are using a theme from another provider, you can always reach out to them to check.
Put a GDPR compliance check on your website checklist.
Conclusion
We hope you have found this GDPR guide useful. Please remember this guide is for informational purposes only. We are not legal experts nor do we claim to be. GDPR is a big issue for the internet as a whole, but if you’ve taken the steps above to make your blog more compliant, you are in a far better position than most and very unlikely to be the target of enforcement action.
If you only have time to do one thing to help with GDPR compliance, get the Legal Template Bundle, it takes only a few minutes to set up and gives you the peace of mind you need!
Finally, share this post! The more bloggers that make their sites GDPR compliant, the safer our online community will become. If we all work together we can make the internet a safer place for our data.
Be sure to sign up for more ways to drive traffic to your blog and start a successful online business!