Issue #130
Do’s and don’ts for GDPR compliance
This whole GDPR thing makes me go cross-eyed. 🙂 But, I'm wading through things to try to make it simple.
Today, let’s look at the big picture of getting into compliance. Let’s look at what bloggers need to be doing… and what bloggers need to NOT be doing.
What NOT to do:
#1: Do not have any auto opt-ins.
This is bad practice anyway, but if anything on your site automatically opts a user in to an email list, or to anything else beyond what they expressly signed up for, then you need to stop.
As an example, if you are running a plug-in which automatically opts blog commenters into your email list, get rid of it.
Simply put, the end user needs to be aware of everything they are opting in for, and you cannot opt them into anything else behind the scenes.
#2: Don’t abuse opt-ins for your lead magnets.
If you are building your email list and people are opting in for various freebies (and this is pretty standard practice for us), then you need to NOT use that email address for anything other than what they expressly came in for.
Now, this doesn’t mean you can’t market to them. Email marketing remains. 🙂 However, you cannot then utilize their email address for another purpose. For instance, I could see a potential issue with uploading email lists to Facebook custom audiences for retargeting. It isn’t that you can’t do that anymore, but you need to tell people you’re doing it.
Even opting people into your main newsletter if they came in for a free lead magnet could be an issue here. Just tell them what’s going to happen and what they’ll get and be up front about it.
#3: Don’t share data with any third-parties without express consent.
If a user's data is going to any third party, it must be expressly stated at the time they opt in. Again, this would apply to things like custom audiences on ad networks like Facebook.
There are some other practices that this would apply to. For instance, if you participated in a giveaway of some kind with the understanding that you’d get the email list of the entrants, this has to be expressly stated. This would also stop the rather annoying practice of automatically adding people to an email list if that email was gotten via another means.
For instance, how many times have you given an email address to a person in writing, or even verbally at a conference… only to then be added to an email list and essentially spammed? I know it's happened to me many times. People will get a business card and then add you to an email list. I've even exchanged an individual email with someone, then later found myself on their damn email list.
If you do that, stop being a chump (and an idiot).
#4: Stop collecting/storing data where it isn’t necessary.
Just don’t ask for unnecessary information. For instance, it seems to me that asking for one’s first name for a standard opt-in might be unnecessary, right?
But, where this will apply the most will be on contact forms, blog comments, etc.
For instance, if you're using a contact form plug-in that STORES the messages in your database, then you either need to tell the user that, or you need to stop storing the data. I use Gravity Forms and it does store the data. Ideally, just have your contact form send the data on to the email address and don't store it on your server.
If you use Gravity Forms as I do, then know that you cannot stop it from storing entries. The best you can do is create a little bit of custom code that automatically deletes the entry after it is submitted. Note, though, that it isn’t required that you do that as long as you just put the little notice on the contact form where they agree to the collection of this data. For more on Gravity Forms and GDPR, click here.
Another piece of unnecessary data is the user's IP address. When somebody submits a blog comment, for instance, WordPress automatically logs their IP address along with it. An IP address counts as personal data under the GDPR, and for most blogs there is no real need to keep it. The easiest solution, again, is simply to add a checkbox to your blog comments that gets consent. You could also take the extra step of making it so that WordPress doesn't log the IP address at all; if you do, check whether any anti-spam or rate-limiting plug-in you rely on needs it.
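Two ways to act on this, as an added example that is not from this post, from Gravity Forms, or from WordPress core: a Gravity Forms hook that deletes the stored entry once the notification email has gone out, and a WordPress filter that blanks the commenter's IP address before it is saved. The form ID, the file location and the `bma_` prefix are assumptions; the hooks and functions themselves (`gform_after_submission`, `GFAPI::delete_entry`, `pre_comment_user_ip`) are the real ones.

```php
<?php
/**
 * Data minimisation for a WordPress blog (added example, not the post's own code).
 * Assumed location: wp-content/mu-plugins/bma-data-minimisation.php, so it loads
 * without needing to be activated. The theme's functions.php works too.
 */

/**
 * 1. Gravity Forms: do not retain contact form entries.
 *
 * gform_after_submission fires after validation, entry creation AND the
 * notification emails, so the message has already been emailed to you
 * by the time this runs. GFAPI::delete_entry() is a hard delete, not a
 * move to trash: once it runs, the only copy is the email in your inbox,
 * so make sure your notifications are actually configured and arriving.
 */
add_action( 'gform_after_submission', 'bma_delete_contact_entry', 10, 2 );

function bma_delete_contact_entry( $entry, $form ) {
    // Assumption: only form ID 3 (the contact form) should forget its entries.
    // Order forms, signup forms etc. keep theirs, because you need those records.
    $forms_not_to_retain = array( 3 );

    if ( ! in_array( (int) $form['id'], $forms_not_to_retain, true ) ) {
        return;
    }

    $result = GFAPI::delete_entry( $entry['id'] );

    // Deleting silently and failing silently are two different things: if the
    // delete fails you are still storing the data and should know about it.
    if ( is_wp_error( $result ) ) {
        error_log( 'Gravity Forms entry ' . (int) $entry['id'] . ' was not deleted: ' . $result->get_error_message() );
    }
}

/**
 * 2. WordPress comments: never record the commenter's IP address.
 *
 * WordPress passes $_SERVER['REMOTE_ADDR'] through the pre_comment_user_ip
 * filter before writing it to the comment_author_IP column. Returning an
 * empty string means an empty string is what gets stored.
 */
add_filter( 'pre_comment_user_ip', '__return_empty_string' );
```

Both changes apply only to data collected from now on. Entries and comments that are already in the database keep their IP addresses and message bodies until you delete or anonymise them, so pair this with a one-off clean-up of what is already there.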
What To Do:
OK, now onto what you DO need to do…
#1: Include a privacy notice in every place where an end user would submit any data.
It doesn't have to be a long-winded deal. Something like "I consent to my submitted data being collected and stored." coupled with a checkbox would likely suffice. It would need to be a required field, the box must be unchecked by default (a pre-ticked box does not count as consent under the GDPR), and it would be best to link it to your actual privacy policy.
#2: Revisit your privacy policy.
I’m looking more into this and will let you know what I find. But, I think this would be time to re-visit your privacy policy with an eye toward expressly stating each way that your site collects data and what is being done with that data.
From what I have seen, I think you need to also state who is responsible for the data security. You also need to provide instructions on how to change their user data, how to request to download it, and how to request having it erased.
We’ll talk more about this later in more detail.
#3: Ensure you’re storing the actual approval event.
We know we need to get express permission from the end user to store/collect this data for specifically stated purposes. But, you need to be able to prove it.
So, it is important that your software is set up to show that consent was given, WHEN it was given, and exactly what they agreed to. Keep the wording of the notice (or a version tag for it) with the record, so you can still show what was agreed to after you change the notice.
Now for something simple like a contact form or a blog comment, the date is taken care of because you'd see it on the record right there. For more involved situations (like checkout forms, email subscriptions), you'd also have the date there. But you'll need to also ensure that the consent field itself is stored with the record, not just checked on the way in; a checkbox that is validated and then thrown away proves nothing later. In the event of third-party companies (like your email list provider), they will be making changes to ensure this is done (if they haven't already).
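Here is what the privacy notice in #1 and the stored approval event in #3 look like together on a WordPress comment form, as an added example that is not from this post or from WordPress core. It adds a required, unchecked-by-default consent box, rejects the comment on the server if the box was not ticked (the HTML `required` attribute only stops the browser, not someone posting the form directly), and saves what was agreed to and when as comment meta. The `bma_` prefix, the `gdpr_consent` key, the notice version and the `/privacy-policy/` path are assumptions; the WordPress hooks and functions are the real ones.

```php
<?php
/**
 * Comment consent: notice + stored approval event (added example, not the post's code).
 * Assumed location: wp-content/mu-plugins/bma-comment-consent.php or functions.php.
 */

// The wording the visitor agrees to, and a version tag for it. Assumed values:
// bump the version whenever the wording changes, so old records still show
// what the person actually saw.
const BMA_CONSENT_VERSION = '2018-05-v1';
const BMA_CONSENT_TEXT    = 'I consent to my submitted data being collected and stored.';

/**
 * 1. Show the checkbox. comment_form_fields is applied for logged-in and
 *    logged-out visitors alike (comment_form_default_fields is not).
 *    No "checked" attribute: a pre-ticked box is not valid consent.
 */
add_filter( 'comment_form_fields', 'bma_add_consent_field' );

function bma_add_consent_field( $fields ) {
    $fields['gdpr_consent'] = sprintf(
        '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="1" required /> '
        . '<label for="gdpr_consent">%s <a href="%s">%s</a></label></p>',
        esc_html( BMA_CONSENT_TEXT ),
        esc_url( home_url( '/privacy-policy/' ) ), // assumed privacy policy URL
        esc_html__( 'Privacy policy', 'bma' )
    );
    return $fields;
}

/**
 * 2. Enforce it server-side before the comment is inserted.
 *    preprocess_comment runs inside wp_new_comment(), so stopping here means
 *    nothing is written to the database for a submission without consent.
 */
add_filter( 'preprocess_comment', 'bma_require_consent' );

function bma_require_consent( $commentdata ) {
    if ( empty( $_POST['gdpr_consent'] ) ) {
        wp_die(
            esc_html__( 'You must consent to your data being stored in order to comment.', 'bma' ),
            esc_html__( 'Consent required', 'bma' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
}

/**
 * 3. Record the approval event alongside the comment: what was agreed to
 *    (text + version), when (UTC), and where. The comment row proves the
 *    submission date; this meta proves the consent. No IP address is kept,
 *    consistent with not logging it in the first place.
 */
add_action( 'comment_post', 'bma_store_consent_event', 10, 1 );

function bma_store_consent_event( $comment_id ) {
    if ( empty( $_POST['gdpr_consent'] ) ) {
        return; // pingbacks, trackbacks and programmatic comments carry no checkbox
    }
    add_comment_meta(
        $comment_id,
        'gdpr_consent',
        array(
            'version'   => BMA_CONSENT_VERSION,
            'text'      => BMA_CONSENT_TEXT,
            'agreed_at' => current_time( 'mysql', true ), // 'Y-m-d H:i:s' in UTC
            'source'    => 'comment_form',
        ),
        true // one consent record per comment
    );
}

/**
 * Read the record back, e.g. when someone asks what they agreed to.
 * Returns the array stored above, or '' if the comment has no record.
 */
function bma_get_consent_event( $comment_id ) {
    return get_comment_meta( $comment_id, 'gdpr_consent', true );
}
```

The consent record is itself personal data tied to the comment, which is the right place for it: `wp_delete_comment()` removes a comment's meta along with the comment, so an erasure request handled in the normal way takes the proof of consent with it, and an export can include it by reading it back with `bma_get_consent_event()`.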
#4: Have data security in place.
If you're going to store data in a database, you have to ensure that it is being stored in a secured manner. Don't be sloppy.
Use HTTPS (TLS, which most people still call SSL) to secure data to and from your site, on every page that has a form on it, not just the checkout. This is a good idea for SEO anyway and something that should be becoming standard practice. Keep in mind that it only protects data in transit; it does nothing for what is sitting in your database.
For any real sensitive data (like credit cards), I highly recommend you use a legitimate third-party service to handle that security for you and do NOT store that information locally. For instance, credit card payments on Blog Marketing Academy are handled by Stripe and I don’t store any of that stuff. I trust Stripe to handle that security more than my web host.
#5: Update plug-ins for GDPR and track updates for compliance.
We’ll get more into this a bit later, but in some cases, the developers of your various plug-ins will need to make changes to the code to ensure GDPR compliance.
For one thing, one of the GDPR requirements is that a user needs to be able to download their data and/or request erasure. In some cases, if you’re using a plug-in for some of this stuff, that plug-in will need to be updated so as to allow you to comply.
Short story… you need to take inventory of every plug-in you're using that collects user data, and look into what those developers are doing for GDPR compliance. And as updates are issued, install them.
OK, we’ll continue tomorrow. 🙂
– David