If you haven’t heard yet, GDPR goes into effect on May 25th 2018. You’re probably asking, what the heck is this?!? We’ll help you get to gdpr compliance in no time!

No need to worry! We’ve been studying up on GDPR, talking to our lawyer and becoming sort of an expert on this thing since we first learned about it ourselves. Below, we’ve curated a list of 5 things you’ll need to be GDPR compliant. We really want to make this as easy as possible for users to do themselves, and we’ll post some really awesome resources to get you there.

**We are not lawyers and don’t solicit legal advise in this article.

Below, we’ll outline the most important things you’ll need to get started with being GDPR compliant.

What is the GDPR? (General Data Protection Regulation)

In short, the GDPR protects a person(s) living in the E.U privacy from websites that person submits their data to. The new law gives you rights on what you can do with the data a website collects about you. It also allows you to have options to remove that data.

If you live outside the E.U then this still affects you. If you serve clients, advertise, sell to or otherwise do any kind of communication to someone living in the E.U. for your business then you’re liable under GDPR law.

Failure to comply with these new laws can result in heavy fines, being sued, or losing your ability to visit or use certain sites if you choose to not opt-in to their policies.

GDPR CHECKLIST

1. Privacy Policy
2. Cookies Policy
3. Form consent
4. Right to be forgotten
5. Security

There are some extra things you can add to your privacy policy if you you want to cover even more (we do.)

• COPPA Policy (Children’s Online Protection Act) The GDPR bundle includes this for you in the privacy policy and is a state specific United States law. Likewise, E.U. has their own version of this.
• Terms of Agreement – This isn’t required by the GDPR but it’s another method to cover yourself in any circumstance.

 I. PRIVACY POLICY

We’re not lawyers, and we can’t give you legal advice, but we can sure guide you to a solution! As much as I thought the resources out there helped, nothing was as good as the training we received and the information that comes with the GDPR course we took.

While we already knew a great deal about GDPR before we took the course, we received a lot of information that we didn’t have by taking the class and using the documents provided to make our own.

The GDPR Ready Course comes complete with a privacy policy, cookies policy, and terms of agreement, which you can amend to your own needs. It has everything you need to be completely GDPR compliant for 2019 and beyond.

The information and documentation was crucial to getting us compliant, especially since you can’t just go anywhere and copy someone else’s policy to paste into your website (That would be illegal).

Privacy Policy Checklist – A basic checklist of what should be included in a privacy policy.

• Who you are
• What personal data you collect and why
• How you share that data
• Who you share that data with
• How long you retain that data
• Comments & Media (WordPress specific)
• How you store and use cookies
• Analytics
• How you use third party processors (Paypal, Dubsado, Honeybook, Acuity, etc)
• Right to be forgotten
• How you protect that data
• Contact information

In WordPress, there are some additions you need to make since certain plugins you may use collects data or uses cookies. To see what those are, in your WordPress dashboard, click settings > privacy, then click the “check out our guide” link at the top in the description.

There, you can see what WordPress recommends you add to your policy, followed by what your plugins tell you to add.

II. COOKIES POLICY

What is a cookie?

I’m sure you’ve been to some sort of website and gotten that annoying popup or banner that asks you to agree to cookies. This is going to be the new normal on the internet, and under GDPR and the EU Cookies Policy you’ll need one of these to be compliant.

If you’re just running a small business in the United States like a photography website, you don’t necessarily NEED a cookies policy popup (you’ll just need the policy). However, the United States and most other countries are currently drawing up similar laws as the EU for privacy. If you want to do everything now and not have to worry about it for the future, then the best option would be to just do it now. If you’re in the EU then you have to have a cookies opt-in upon viewing your website.

We recommend the GDPR Cookie Consent Plugin by Webtoffee. This premium plugin offers location detection built in, a robust and easy to use customizer for the cookie consent, and is a lightweight, reliable plugin. This plugin also let’s your users reject your cookies if you’d like. It’s one of the few we’ve seen where this has worked well.

Cookies Policy Checklist

• Explain what a cookie is
• How your site uses cookies
• How someone can manage cookies
• Cookies opt-in popup for your website

III. FORM OPT-INS

You will need to have opt ins for your website contact form (or any form) on your website. This is one of the “must haves”on this list.

Basically what the GDPR requires is that you have a privacy policy or terms of agreement available that can be linked on your contact form or form page, and the user has to be able to opt-in either plainly “yes or no” by agreeing to the privacy policy before submitting anything to your website.

The two options must not be automatically selected with a choice under the law. So when the form loads, the radio button or checkbox can’t already be set to “yes or no” by default. The user must select it themselves, or it’s considered not to be user consent since you would be making the choice for them.

If you use plugins like Contact Form 7, NinjaForms, MachForms, etc, those platforms may or may not already have the capability to add these things, and some are releasing specific features just for GDPR compliance. Any email service like Mailchimp, etc also have new built in opt-in controls for newsletters, those will be required to have after the 25th of May. You’ll need to activate and use those features if any of your readers are from the E.U.

Forms Checklist

• Any forms on your website need to have a opt-in option with a simple yes or no option to accept your linked privacy policy.
• The opt in options must not already be pre checked or chosen.

IV. SECURITY

Lastly, the GDPR requires that you do your absolute best to provide security and safety of your website and your users. You can do that by adding a SSL certificate to your domain/website.

If your site isn’t already, your site needs to be secure by getting an SSL certificate and installing it to your domain. This allows your domain to go from http: to https: in the browser window. Your host has several options for getting your site setup for SSL. Usually they have a free certificate you can get, but some hosts charge you for an SSL certification. It’s required that renew every year. Some hosts do it for you automatically or charge for yearly renewal.

With this step, the best thing you can do is get in touch with your host to see your SSL options. They usually do a pretty good job of getting this setup, but sometimes only install the certificate and don’t finish the WordPress end of setting up the certificate. We offer SSL setup for any website at a great rate if you get stuck or need help with this part. Check out our services!

Security Checklist

• SSL Certificate for your domain
• Delete any old plugins or themes you may not be using (see our article here on the ProPhoto website)
• Update your passwords to something more secure

V. RIGHT TO BE FORGOTTEN

Your website platform, plugin or software will need to have the ability to delete or anonymize any data your collect. It’s called the “right to be forgotten”. It gives your users or clients the right to contact you and have all of their data be completely removed from your website or apps that you use to store their data.

Each company is responsible for offering these services in their software to be compliant with GDPR. By now, most of your apps or services you use by third parties offer GDPR features or offer to delete data stored on their servers by request. In the latest WordPress update, you have tools to do that on your website, at least in regards to WordPress.

You can read all about the update right here. To see the new data tools in your dashboard click WordPress > Tools and see the new export options. If you’re using another platform like Squarespace, they should also have their own GDPR compliant features available. Some websites will have tools specifically and some won’t.

RTBF Checklist

• Make sure your apps/website or software you use for your business has features to either remove, delete or anonymize your user data (WordPress now has this built in) It will be up to the individual plugins responsibility to build in any data the plugin collects into WordPress’ exported data or provide their own tools.
• Other apps you use you’ll need to check to see if they have tools for this sort of data collection.

EXAMPLES FOR PHOTOGRAPHERS

In our line of work (Photographers, designers, etc). Specifically, you’ll need to think about data in the sense of what you collect when you ask for details regarding weddings or shoots, what you do with that data and how you use it. You’ll also need to provide an option for being able to anonymize that data or delete it completely, within reason.

Below are a few examples I’ve given in the case of a photographer or other creative artist.

Think about what software you use to collect and store your user data. We use Honeybook for our CRM, and Mailchimp for newsletters. We also use Google Analytics, and G Suite for mail which we use to serve our clients as well as Paypal and Stripe to take payments. You may use something else, like Acuity for booking clients, or WooCommerce. Those all have their own privacy policies and tools to delete customer data, but you have to document that you use those services and that they hold your client data in your privacy policy.

You still need information like payment records to be compliant with tax laws so deleting personalized data will depend upon the tools you use and what the user requests to be deleted.

If you have a contract, pdf or form on your website where you collect user data for the purpose of signing someone’s rights away, you can’t have your privacy policy grouped in with another form of contract. They have to now be separated. The user has to be able to say yes or no that they agree before signing anything. Which means your brides need to be signing and dating a privacy policy and a contract separately. If they opt-out, then you have the right to say, “we can’t do business with you until you say yes, because essentially they’re not agreeing to your policies.”

REVIEWING YOUR DATA

Now would be an excellent time to go through all the apps you use for your business, and review what information you’re collecting, if that data is secure, and if you can remove or delete that data. If you’re not using it, or don’t plan on using it in the near future it’s ok to delete your account or remove the data until you’re ready to use it.

If you store any old client data (emails, client records, etc) somewhere that can be stolen and you’re not using it, then remove it or secure it. In regards to contracts they are for your legal purposes and should probably always be kept in a safe secure place.

If you’re using services like Mailchimp, ActiveCampaign, etc those now all have their own built in GDPR options.  If you haven’t already, you’ll need to activate and use those new features and send out a double opt-in notice to get permission to continue emailing them. Most companies have probably already been sending you these and may have seen some already.

BEING GDPR COMPLIANT

While I said earlier I was an expert on the subject, I mean that by saying I know a lot about it, I’m not truly an expert! I don’t think anyone is when it comes to these crazy laws that only lawyers can read into.  The thing is, people like you and me. We’re not lawyers, and while I’ve read the gobblity goop that is made up of the new law, a lot of it can still be interpreted in different ways. Many people you talk to will have their own interpretation of how you should do things with the GDPR. Here’s the facts that I know that shouldn’t change no matter what you read about the GDPR.

If your business has an EU address, talks to, advertises, does business with, or sells anything to a person or persons living in the E.U then you have to abide by this new law.  The law travels WITH those people as well. So if they go on a trip to New York, come to your website and fill out a form or inquire about your services or you serve them in anyway, and see you’re not compliant. They can file a complaint, and then sue. You’re 100% liable for that under EU law because they reside in the EU.

You might say…well that’ll NEVER happen to me. Well, then I hope you’re as lucky as you want to believe you are! You may never ever get contacted by anyone regarding their privacy on your website, and someone might not ever complain or turn you in. It only takes just the one to get a heavy fine, which could impact your business significantly. Being compliant isn’t only about doing what’s right by law, it’s doing what’s right about your customers and having the respect and courtesy that they deserve by providing them with a safe and secure environment to interact with you. It’s your duty to be transparent, and protect your customers and manage your business in a responsible way.

*5.9.19 – Revised some links and added some updated information for 2019.

*This site includes articles with links back to websites that pay us as an affiliate.