5 Things You’ll Need To Be GDPR Compliant

If you haven’t heard yet, the GDPR went into effect on May 25th, 2018. If you’re wondering what on earth it is and what it means for your website, this post will help you get to GDPR compliance in no time!

No need to worry! We’ve been studying GDPR, talking to our lawyer, and becoming familiar with everything since we first learned about it. Below, we’ve curated a list of 5 things you’ll need to be GDPR compliant. We want to make this as easy as possible for users to do themselves, and we’ll post some awesome resources to get you there!

**We are not lawyers, and nothing in this article is legal advice.


What is the GDPR? (General Data Protection Regulation)

In short, the GDPR protects the personal data of people living in the E.U. that websites and businesses collect about them. It gives those people rights over that data: to know what is collected and why, to get a copy of it, and to have it corrected or removed.

If you live outside the E.U., this still affects you. If your business serves clients, advertises, sells to, or otherwise communicates with someone living in the E.U., then you’re liable under the GDPR.

For a business, failure to comply with these laws can result in heavy fines or being sued. As a visitor, you’ll also notice that some sites won’t let you use them unless you opt in to their policies.

YOUR GDPR CHECKLIST

  • Privacy Policy
  • Cookies Policy
  • Form consent
  • Right to be forgotten
  • Security

You can add some extra things to your privacy policy if you want to cover even more (we do.)

  • CalOPPA (California Online Privacy Protection Act) – a California state law, which the GDPR bundle covers in the privacy policy.
  • CCPA (California Consumer Privacy Act) Yes these are very similar but different enough to warrant covering both.
  • Terms of Agreement – This isn’t required by the GDPR, but it’s another method to cover yourself in any circumstance.

1. PRIVACY POLICY

As much as I thought the free resources online helped, nothing was as good as the training and information we received with The Contract Shop: Get Legal Fast Bundle. The most valuable resource was all the documents pre-made for you, but the course was worth every penny.

The course comes with everything you need to be compliant, including a privacy policy, terms of agreement, GDPR compliance checklist, bonus disclaimers, and other helpful contracts, all in one place. Great for starting a business from scratch!

The information and documentation were crucial to getting us compliant, especially since you can’t just copy someone else’s policy and paste it into your website (that would be copyright infringement, and a copied policy wouldn’t describe what your site actually does with data anyway).

Privacy Policy Checklist – A basic checklist of what should be included in a privacy policy.

  • Who you are.
  • What personal data do you collect, and why?
  • How do you share that data?
  • Who do you share that data with?
  • How long will you retain that data?
  • Comments & Media (WordPress specific.)
  • How do you store and use cookies?
  • What Analytics do you collect?
  • How do you use third-party processors (Paypal, Stripe, Dubsado, Honeybook, Acuity, etc.)?
  • Right-to-be-forgotten options.
  • How do you protect that data?
  • Contact information

In WordPress, there are some additions you need to make, since the plugins you use may collect data or set cookies. To see what those are, in your WordPress dashboard go to Settings > Privacy, where you can set your privacy page, then open the “Policy Guide” tab to view the suggested policy text WordPress generates for you.

There, you can see what WordPress recommends you add to your policy, followed by what your plugins tell you to add.

2. COOKIES POLICY

What is a cookie?

I’m sure you’ve been to some website and gotten that annoying popup or banner asking you to agree to cookies. This is the new normal on the internet. In January 2024 Google began disabling third-party cookies by default for a small percentage of Chrome users, the first step of its plan to phase out third-party cookies in Chrome (Firefox and Safari already block many third-party tracking cookies by default). See their first initiative here.

This doesn’t mean cookies are gone for good: the plan covers third-party cookies, not the first-party cookies your own site sets, and the first steps only start in 2024. Until then, to remain compliant with the GDPR, you’ll still need opt-in consent for cookies, and the banner has to actually hold back non-essential cookies until the visitor accepts, not just display a notice.

We recommend the CookieYES by WebToffee for a great customizable cookie notice popup. This premium plugin offers built-in location detection, a robust and easy-to-use customizer for cookie consent, and is a lightweight, reliable plugin.

3. FORM OPT-INS

You will need to have opt-ins for your website contact form (or any form) on your website. This is one of the “must haves” on the list. Most third-party apps and services, like HoneyBook and Dubsado, have built-in options to enable opt-in.

The GDPR requires that you have a privacy policy (and, if you use them, terms of agreement) that you can link to from your contact form or form page. The visitor then has to actively agree before anything is submitted: either through an explicit yes/no choice, such as an unchecked “I agree to the privacy policy” checkbox, or by choosing whether to submit the form at all.

Consent has to be an active choice under the law, so a consent option can never be pre-selected for the visitor. Some forms use an explicit yes/no option, but the more common approach is the one our form uses: it links to the policies, and you agree to them by submitting the form; opting out means simply not using the form. An unchecked checkbox has the advantage of leaving you a clear record that the visitor agreed, and whichever approach you choose, check the consent on the server as well, since a checkbox in the browser can be bypassed.

Forms Checklist

  • Any form on your website needs to link to both the terms and the privacy policy, with some way for the visitor to opt out.
  • Consent options must never be pre-checked or pre-selected.
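Here is what that looks like in code, as an added example (not from the original article): a plain PHP contact form whose consent box starts unchecked and links to the policies, with the same rule enforced again on the server, because the browser-side checkbox alone can be removed or bypassed. The field names, the policy version string and the storage path are assumptions for the illustration.

```php
<?php
// Added example (not from the original article): a contact form whose consent
// checkbox is never pre-checked, with the same rule enforced on the server.
// Field names, policy version and storage path are assumptions.

const PRIVACY_POLICY_VERSION = '2024-01'; // bump whenever the policy text changes

function render_contact_form(): string {
    // No `checked` attribute on the consent box: the visitor must tick it.
    return <<<HTML
<form method="post" action="">
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <label>
    <input type="checkbox" name="consent" value="yes" required>
    I agree to the <a href="/privacy-policy/">privacy policy</a> and
    <a href="/terms/">terms</a>.
  </label>
  <button type="submit">Send</button>
</form>
HTML;
}

/**
 * Validate a submission. Returns a consent record to store with the message,
 * or null if consent was not explicitly given. The `required` attribute is
 * not enough on its own: a POST can be crafted without the checkbox.
 */
function validate_submission(array $post): ?array {
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $message = trim((string) ($post['message'] ?? ''));
    $consent = ($post['consent'] ?? '') === 'yes';

    if ($email === false || $message === '' || !$consent) {
        return null;
    }

    // Record what the visitor agreed to and when, so a later access or
    // erasure request (or a dispute) can be answered from your own records.
    return [
        'email'          => $email,
        'message'        => $message,
        'consent_given'  => true,
        'policy_version' => PRIVACY_POLICY_VERSION,
        'consented_at'   => gmdate('c'),
    ];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $record = validate_submission($_POST);
    if ($record === null) {
        http_response_code(400);
        echo 'Please fill in all fields and tick the consent box.';
    } else {
        // Assumed storage: one JSON line per inquiry in a directory outside the
        // web root (assumed to exist). Swap in your CRM or database call here.
        $path = __DIR__ . '/../private/inquiries.jsonl';
        file_put_contents($path, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
        echo 'Thanks, we got your message.';
    }
} else {
    echo render_contact_form();
}
```

The point of the stored `policy_version` and `consented_at` fields is that consent is only useful if you can later show what the person agreed to; a form that merely displays the links leaves you nothing to point at.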

4. SECURITY

Lastly, the GDPR requires you to protect the personal data you collect with appropriate security measures. The baseline for any website is to serve it over HTTPS, which means installing an SSL/TLS certificate (usually still just called an “SSL certificate”) for your domain.

If your site isn’t already secure, get a certificate and install it for your domain. This takes your site from http: to https: in the browser and encrypts everything visitors send you, including form submissions, while it travels to your server. Most hosts offer several ways to set this up. Note that HTTPS protects data in transit only; what you keep on file is covered under “Reviewing Your Data” below.

Security Checklist

  • Install an SSL/TLS certificate for your domain (ask your host for their options).
  • Make sure your site loads as https: in the browser, not http:, so that forms submit over the encrypted connection.

5. RIGHT TO BE FORGOTTEN

Your website platform, plugin, or software will need to have the ability to delete or anonymize any data you collect. It’s called the “right to be forgotten”. It gives your users or clients the right to contact you and remove all of their data from your website or apps you use to store their data.

WordPress already has built-in tools for this: in your dashboard, go to Tools > Export Personal Data and Tools > Erase Personal Data. Both look up a person by email address and export or erase the data WordPress knows about them.

RTBF Checklist

  • Make sure the apps, website, or software you use for your business have features to export and either remove, delete, or anonymize a user’s data (WordPress now has this built in). Note that WordPress’ export and erase tools only cover the data WordPress itself stores; it is up to each plugin to hook its own data into those tools or to provide its own.

EXAMPLES FOR PHOTOGRAPHERS

In our line of work (photographers, designers, etc.), you’ll specifically need to think about the data you collect when you ask for details about weddings or shoots, what you do with it, and how you use it. You’ll also need to offer a way to anonymize or delete that data completely, within reason.

Below are a few examples I’ve given for a photographer or other creative artist.

Think about what software you use to collect and store your user data. We use Honeybook for our CRM and Mailchimp for newsletters. We also use Google Analytics and G Suite for mail, which we use to serve our clients, as well as Paypal and Stripe to take payments. You may use something else, like Acuity or WooCommerce, for booking clients. Those all have their own privacy policies and tools to delete customer data, but you have to document in your privacy policy that you use those services and that they hold your client data.

You still need to keep information like payment records to comply with tax laws, so which personal data you can delete will depend on the tools you use and what the user asks to have deleted.
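As an added example (not from the original article, and not WordPress’ own code) of the point above and of the plugin responsibility mentioned in the right-to-be-forgotten checklist: this is how a plugin hooks its own data into WordPress’ Tools > Export Personal Data and Tools > Erase Personal Data screens. It assumes a hypothetical inquiries table with the columns named in the comments; paid bookings are anonymized rather than deleted so the invoice records survive for tax purposes.

```php
<?php
/**
 * Added example (not from the original article or from WordPress itself).
 * Assumptions: the plugin keeps photo-shoot inquiries in a custom table
 * `{$wpdb->prefix}shoot_inquiries` with columns id, email, event_date, notes,
 * paid_amount and invoice_no. Rows with a payment are anonymised rather than
 * deleted, because invoices must be kept for tax purposes.
 */

// Register with the export tool (Tools > Export Personal Data).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['shoot-inquiries'] = array(
        'exporter_friendly_name' => 'Shoot inquiries',
        'callback'               => 'shoot_inquiries_exporter',
    );
    return $exporters;
} );

// Register with the erase tool (Tools > Erase Personal Data).
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['shoot-inquiries'] = array(
        'eraser_friendly_name' => 'Shoot inquiries',
        'callback'             => 'shoot_inquiries_eraser',
    );
    return $erasers;
} );

/** Return every inquiry tied to this email, in the shape the exporter expects. */
function shoot_inquiries_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'shoot_inquiries';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE email = %s", $email_address )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'shoot-inquiries',
            'group_label' => 'Shoot inquiries',
            'item_id'     => 'shoot-inquiry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',      'value' => $row->email ),
                array( 'name' => 'Event date', 'value' => $row->event_date ),
                array( 'name' => 'Notes',      'value' => $row->notes ),
                array( 'name' => 'Invoice',    'value' => $row->invoice_no ),
            ),
        );
    }

    // One pass is enough here; for large tables page through and set 'done' => false.
    return array( 'data' => $export_items, 'done' => true );
}

/** Delete unpaid inquiries outright; anonymise paid ones but keep the invoice record. */
function shoot_inquiries_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'shoot_inquiries';

    // Rows with no payment attached can simply go.
    $removed = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE email = %s AND paid_amount = 0", $email_address )
    );

    // Rows with a payment: strip the personal data, keep amount and invoice number.
    $retained = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET email = 'anonymised', notes = '' WHERE email = %s AND paid_amount > 0",
            $email_address
        )
    );

    $messages = array();
    if ( $retained > 0 ) {
        // WordPress shows these messages with the result, so say what was kept and why.
        $messages[] = sprintf(
            '%d paid booking(s) were anonymised instead of deleted; invoice records are retained for tax purposes.',
            $retained
        );
    }

    return array(
        'items_removed'  => $removed > 0,
        'items_retained' => $retained > 0,
        'messages'       => $messages,
        'done'           => true,
    );
}
```

Once a plugin registers callbacks like these, the built-in erase screen handles the request for its data too, and the `items_retained` flag plus message are how you document the tax-record exception rather than silently ignoring part of the request.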

If you have a contract, PDF, or form on your website where you collect user data or have someone sign away rights, you can’t bundle your privacy policy into that other contract. They have to be separate, and the user has to be able to say yes or no to the privacy policy before signing anything. In practice, this means your brides sign and date the privacy policy and the contract separately. If they opt out, you’re entitled to say, “We can’t do business with you until you agree to our policies.”

REVIEWING YOUR DATA

If you’re running a business, it’s always a good idea to make sure that the apps you’re using and the information you’re collecting are safe and secure. Take some time to review what data you’re collecting and if you’re not using it, it’s totally okay to delete your account or remove that data until you need it again.

If you store any old client data (emails, client records, etc.) somewhere it could be stolen and you’re not using it, remove it or secure it. Contracts are for your legal protection and should be kept in a safe, secure place.

If you’re using services like Mailchimp, ActiveCampaign, etc., they all now have built-in GDPR options. If you haven’t already, you’ll need to activate those features and send out a double opt-in notice asking subscribers for permission to keep emailing them. Most companies have probably been sending you these notices already.

BEING GDPR COMPLIANT

If your business has an EU address, or talks to, advertises to, does business with, or sells anything to people living in the EU, then you must abide by this law. The law travels with those people as well: if they take a trip to New York, come to your website and fill out a form or inquire about your services, and see that you’re not compliant, they can file a complaint and sue. You can be held liable under EU law because they reside in the EU.

You might say, “Well, that’ll NEVER happen to me.” I hope you’re as lucky as you believe you are! You may never be contacted by anyone about their privacy on your website, and nobody may ever complain or report you. But it only takes one complaint to bring a heavy fine, which could impact your business significantly. Being compliant isn’t only about doing what the law requires; it’s about doing right by your customers and showing them the respect and courtesy they deserve by giving them a safe and secure way to interact with you. Be transparent, protect your customers, and manage your business responsibly.

*This post includes links to websites that pay us as affiliates.
