If you click on a link and make a purchase, I may receive cash compensation. I only recommend products or services I use personally and believe will be good for my readers.
15 Steps to a
GDPR Compliant Blog
The announcement of the GDPR in early 2018 was enough to make even the most experienced bloggers tremble in their boots. It sent a lot of bloggers into a whirlwind and very few people had a grasp of what it was- myself included.
What we did know was that it would mean more rules to follow and more work or face hefty fines. Ugh…
Good news is it’s been awhile since the announcement of the GDPR and the deadline to be compliant has come and gone. Tons of bloggers and companies have done a lot of research to make sure they are GDPR compliant.
Why is this good for you? You get to benefit from a simplified list of “Things To Do” in order to become GDPR compliant.
What is the GDPR?
Before we dive into compliance, let’s discover what the heck the GDPR is.
GDPR stands for General Data Protection Regulation and according to EWGDPR.org, the GDPR is meant to protect all EU (European Union) citizens from privacy and data breaches.
The biggest change of the GDPR is that it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. In translation, if there is a chance someone from the EU will visit your page you have to comply.
How to be GDPR Compliant
Before we get started I have to say this is in no way legal advice for the GDPR.
There are steps I have taken on my blog to ensure my policies are up to date and compliant with the GDPR. Every business is different, and this list is a guide to using the best free resources to help you become GDPR compliant.
1. If you have more than one blog, ensure they’re all connected with your main WordPress.com account
If you’re just starting to blog you won’t have to worry about this but if you choose to start another site (or several) make sure they’re all connected to one primary WordPress.com account.
This way when you upload a required plugin, it uploads “once” rather than uploading and activating for each site-huge time-saver!
2. Download the Following Plugins
Go to each of the pages below and download the plugins.
Cookie Notice – Displays a cookie notice when the page loads.
WP GDPR Compliance– This allows process data requests from WordPress that’s secure for the user. This means they can only process by clicking a link in their email, from the same device and IP. It also allows you to easily add a checkbox to forms on your website currently supporting Contact Form 7, Gravity Forms, WooCommerce, and WordPress Comments.
This fulfills the Data Request Requirement & the Extra Checkbox Recommended For Sensitive Forms.
Contact Form 7 – An easy to setup, free, and flexible WordPress Contact Form.
This makes it easy for readers to reach you if they have a Data Removal Request.
Flamingo – Stores all Contact Form 7 Entries in WordPress and serves as a backup in case email fails.
3. Upload plugins to WordPress.com for all sites or to the WordPress Dashboard for your blog
If you’re not using WordPress.com, go to your WordPress Dashboard of your blog and hover over ‘Plugins’.
Click ‘Add New’ and upload one plugin at a time then click activate to finish.
4. Integrate Google Recaptcha For Contact Form 7
Go to Google reCAPTCHA and select the gmail account you use for your website.
You will then see a page like the one shown below. You want to add your domain name and then you want to choose reCATCHA V2.
A box will pop up and you will have to enter your full domain address.
Once you select ‘Register’ you will get a Site Key and a Secret Key.
Return to WordPress Dashboard and hover over ‘Contact’ then select ‘Integration’ and you will be able to enter your Site Key and Secret Key here.
5. Create a Privacy Policy page (or update your current one)
The resource I used to create my Privacy Policy is SEQ Legal. Their Privacy Policy includes a lot of optional text plus parts you are REQUIRED to edit so go through the policy to ensure it meets your needs and to make sure your privacy policy set up the right way.
Fair warning, these policies were created in the EU so you may have to edit the text a bit but since they’re policy is currently the strictest I feel confident I am compliant with other laws as well. I encourage you to do your own research or talk to a lawyer if you have any questions.
To create your privacy page your WordPress has to be up-to-date because only versions 4.9.6 has a built in “Privacy” link located under ‘Settings’ on the WordPress Dashboard.
A new page will be created and you will be able to copy and paste your new privacy policy here.
6. Edit Your Privacy Policy Page With Links To 3rd Party Services You Use
Create a list of all the companies that handle data on behalf of your business. The list should include Google, Facebook, your hosting company, autoresponder, and tracking services.
Include this list in your privacy policy with a link to each services privacy policy.
7. Create a Form for the Specific Purpose of Users Contacting You About Their Data
Once you have your privacy policy created, GDPR also requires you to add the following:
- Data Rectification which allows users to adjust their information.
- Data Access which allows users to see what records you hold.
- The ‘Right To Be Forgotten’ which allows users to be removed from your records.
- A Data Breach Process which states what will happen in the case of a data breach or website hack.
In order to fulfill the requirements, take the following steps:
- Go to ‘Contact’ on the WordPress Dashboard and select ‘Contact Forms’ from the dropdown.
- When Contact Form 7 is uploaded, it automatically creates a standard form and shortcode. Copy the shortcode located in the box on the page.
- Create a new page titled ‘Data Access Request and include a short paragraph explaining users are allowed to access, modify, and request deletion of their data at any time.
- Create and link to a ‘Data Request Access’ Page allowing users to be automatically emailed their data or have their data removed (fulfilling requirement 2 and 3).
- Write a paragraph on what will happen if their data is breached such in the case of a website hacked or data stolen (fulfilling requirement 4). Example: If the event of any data breach from our servers or third party providers we will contact all concerned parties within 72 hours and follow up with any details if required.
8. Download Other Legal Files & Create Pages
Having the Privacy Policy page done is awesome and a step in the right direction but there are quite a few pages you need to be compliant with GDPR including:
If you’re anything like me I had most of these on my page before but they were all on one long page. Now GDPR requires they each have a separate page.
9. Edit Cookie Notice
Go to your WordPress Dashboard and hover over ‘Settings’ then select ‘Cookie Notice’.
Ensure “Enable Privacy Policy Link” is clicked and choose your Privacy Policy Page.
Click Synchronize with WordPress Privacy Policy page and click save.
10. Edit WP GDPR Compliance
Go to your WordPress Dashboard and hover over ‘Tools’ then select ‘WP GDPR Compliance’.
Under Integration checkbox and activate all the forms that you use on your site. On the next tab “Checklist” turn on everything that applies.
On the last tab “Settings” under Request User Data you’ll see Active Requests.
Checkbox “Active Page”, > click Save Changes. From here view and bookmark this page. Sometimes this page is set to private. Click Edit and change the Visibility to ‘Public’.
11. Create a New Email Address
Inside your cPanel (hosting account) create a new email. Use something like report/abuse/data requests@yourdomain.com.
If you need help with setting up a custom domain email, check out my article on Setting Up a Domain Email in Siteground.
12. Filter, Tag & Prioritize This Email
Once you set up your email, set it up to be forwarded to your primary gmail email so you never miss a message.
13. Add a footer to your blog
Go to your WordPress Dashboard and hover on ‘Appearance’ and then select ‘Menu’.
Click ‘Create a New Menu’.
Name the menu ‘footer’ and then select all of the disclaimers you previously made.
14. Update All Your Opt-In Headlines and Landing Pages
GDPR requires you to clearly describe what people will get after they sign up.
Here’s an example of a landing page headline which is NOT GDPR compliant.
FREE PLANNER: “Get Your FREE Planner!” Enter your name and email for instant access
To make it GPPR compliant you should write:
FREE PLANNER: “”Get Your FREE Planner and Subscribe to Our Weekly Newsletter”. This way you are clearly stating readers are subscribing to a newsletter.
15. Ensure your opt-in box has a clear link to the privacy policy
Add a clear privacy policy to all of your opt-ins and landing pages including popup boxes.
Before GDPR I used: ‘We value your privacy and never share your email address with anyone.’
Now I include a clear link to my Privacy Policy:
‘We value your privacy and never share your email address with anyone.’
GDPR Compliance
GDPR Compliance requires you to up your game when it comes to protecting your readers privacy. Admittedly, it requires more work but it’s ultimately a good thing to be able to provide our readers with the security that their information is safe.
Hopefully this list has made it a little clearer about what the GDPR is and easier for you to meet the requirements.
Want to keep this article for later? Click ‘Read Later’ below to have the post emailed to you below. Or sign up for access to my FREE Resource Library to download a Printable Checklist to help make your blog GDPR Compliant.
Leave a Reply