GDPR Compliance. Our Official Take.

Last Update: May 23, 2018

As many of you are aware, the EU (European Union) is instituting the GDPR on May 25th, 2018. From that date on, its new privacy and personal data regulations become enforceable under EU law.

Today I want to open a discussion on the entire GDPR, what it is, what it means to you and your business, and discuss some of the major benefits and flaws that I interpret from these new regulations. I also want to offer you some solutions that you can implement on your website.

What is GDPR?

First off, let’s discuss exactly what the GDPR changes mean to you or anyone who runs a website. The General Data Protection Regulation (GDPR) is a law created by the EU for people within the EU, to help them protect their data and privacy.

Here is a quote from Wikipedia, outlining the GDPR regulations.

"It addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU."

Then it goes on to state:

"Personal data may not be processed unless it is done under a lawful basis specified by the regulation, or the data controller or processor has received explicit, opt-in consent from the data's owner—which may be withdrawn at any time."

And then it is summed up:

"A processor of personal data must disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any other parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances."

So companies will now be obligated to provide you with a mechanism to delete personal data from within their platforms.

This is something that has conventionally been VERY difficult to do within larger social media platforms like Facebook, which to a certain degree has held us hostage with our personal data and has led to major issues like the Cambridge Analytica abuses.

You can learn more about the new regulations from the official GDPR website.

https://gdpr-info.eu/

It covers all the topics relevant to it, but there is a lot of remaining ambiguity and confusion, which has led to widespread discussion online among webmasters, people sharing their private information, large corporations, and legal entities across the world.

I want to cover a few of these. Again, though, I don't want to undermine the importance of any regulation or update. They are all very important for you to understand and, if required, implement within your website and operations.

How Does the GDPR Impact You?

This is not global legislation, but it impacts companies around the world. The US and other sovereign countries are starting to rely on the EU in many respects to lead Internet regulation that protects consumers as well as personal and private information.

Although you may be located somewhere else, there is the potential that someone visiting your website is doing so from the EU, so it automatically becomes relevant. So you could either block all EU users from your website, handle visitors from the EU differently, or adopt the new GDPR regulations.

I personally think that adopting these regulations for the entirety of your website is the most efficient and natural approach, and we fully support it. As a website owner it is important that you care about personal information and how it is managed, the same way you care about how other companies use your personal data.

That is the approach all major corporations and social media platforms are following.

The Key Issues With GDPR?

There are many positives that come with the GDPR, but I have outlined 5 core issues I can see resulting from the new regulations implemented by the EU.

  • Billions of resources spent. According to Wikipedia (and a few other sources online), it is estimated that the average company will end up spending $100,000 bringing its Privacy Policy and its operations in line with the GDPR. That is not to mention the person-hours, which are often not tallied; there have probably been millions of hours spent on conversations by WA members alone. Although privacy is very important and it is always good to move the conversation in the right direction, that is not time well invested in my opinion.

  • Smaller companies don't have the resources to properly implement it. Although it would be a nice idea for every company and independent blogger to have a legal team that can help bring their entire operations in line with GDPR, most people simply don't have access to the money or time required to implement such a stringent process. Because of this, there is going to be such a diverse set of GDPR approaches in the online world that I believe it will create real confusion for the EU authorities hoping to implement and enforce it.

  • Could Hurt Customers. Much of the personal data collected and used is used for good. Companies use this data to make your experience within their platforms better, more streamlined and more enjoyable. When "fear of use" comes into play, as it does with stark warnings on websites, people refrain from sharing information that is important to companies. As a result, user experience suffers.

  • An alternate country's regulation could create conflict. An example of this would be the FTC (United States Fair Trade Commission) creating conflicting regulation that could mitigate, override, or even challenge some EU laws. As a company owner, blogger or affiliate, whose regulations do you follow? New Zealand has a new privacy bill that is currently working its way through government, so it will be interesting to see what sort of impact this has.

  • Ambiguity. There isn't a concise response from the EU on many issues, some of them surrounding IP addresses and whether an IP address constitutes personal data, and under what circumstances. But with a bill this size, and companies operating across a breadth of different industries and using many layers of technology, data, and 3rd party application interfaces, the wording of the GDPR is getting conflated very quickly (and understandably).

With change comes frustration. This is certainly going to be the case with GDPR, and it will continue into the foreseeable future as companies try to figure out the specifics of the regulation and, in many cases, the specifics of the data within their companies, and how to explain internal processes that are sometimes complex in plain terms.

What About Google Analytics (and other plugins)?

There is much uncertainty about services such as Google Analytics, autoresponder companies, and any other company that ends up storing what could be deemed personal data. Let's look at a few and open up the question of WHO is actually collecting the personal data, and whether it is actually personal data.

Google Analytics. Are you storing data if you have Google Analytics in place tracking your traffic and activity? This is where it can get a bit confusing. Since you are in essence providing Google access to your customer information, you probably want to acknowledge that in your privacy policy, but is this really personal data?

An IP address surely is not a personal identifier. Nor is a referring source of traffic. An IP address identifies some information about you, but there is no way to determine personal data about someone without the data held by an Internet Service Provider (ISP). In other words, the ISP would need to have a data breach for someone to be able to cross-reference an IP address to a person, and that is not your responsibility.

However, it’s important to know that IP addresses are accessed by many people.

Consider a family of 4 all accessing the Internet while at home, or thousands of people accessing the Internet at Starbucks every day through one IP address. It’s next to impossible to identify who is behind a device in order to personally identify them. It’s still important to disclose that an IP address is collected, whether it’s personally identifying or not.

You may be logged into your own Google Account, and this information is then personal data that Google can connect to a particular user. They can match details from Google Analytics, to those of a Gmail account, or YouTube activity or absolutely any entity or search behaviors on Google's incredibly far-reaching network. This information could then be bundled for a much more granular and demographically targeted advertising experience.

But YOU, the website owner are not storing data, certainly not personal data. And this one example is why this GDPR roll out is presenting lots of confusion.

And this leads me to...

It Won't Hurt to Mention Stuff, But Could it to Exclude?

You have a few choices, and ultimately 99.9% of the blogger world is going to be safe from this. At the end of the day, you are ALLOWED to store personal data, the EU just wants you to disclose it. And what you do with that data is also important.

I want to emphasize that companies storing people's information online is not bad; it is normal, and it is required for the Internet to work and for any established company, blog or social network to operate and offer you a decent experience. It is nothing to be embarrassed about if you do store data, and it surely is better to lean towards the "disclose everything even close" approach.

If you are storing someone’s email or name on your website (and in your database), disclose that you are, and where this takes place, and what you are doing with that data.

If you are using a service like Aweber to collect and store emails, disclose that to your visitors as well within your Privacy Policy, even though it is not you storing this data. Either way, in this case you would be fine, but you are better off leaning towards the "mention it if you think it might be" approach.

You likely do not have legal counsel, and if you do, they are likely to be just as baffled by this as you are.

Where Your Site May Collect Data (or have it in proximity).

There are some common ways in which you may be collecting data or performing activities on your website that result in the collection of personal data. These can/should be considerations when you go to construct your privacy policy and disclosures on your website.

Some of the common locations where personal data may be collected are:

  • Lead/Squeeze Pages

  • Comments

  • Surveys

  • Widgets/Plugins

  • Analytical Tools

  • Local Marketing Campaigns

There are others of course. As you build out your website you should make an ongoing effort to keep your website privacy policies up to date with your activities. In many cases, this won't happen very often, if at all. For other more technical and complex websites where storing personal data is required and used, you may have more frequent changes.

Removal and Export of Personal Data from your Website

WordPress has new privacy settings which allow the website owner to erase (delete) personal data related to any user. If a visitor to your website who has left a comment, or created an account with your site, wants to have their information deleted, then you have a facility to do that. Likewise, under the GDPR website visitors can request to have their data exported and given to them, and there is also a facility to do that. We will be creating some training on this, but you can find these settings in the latest version of WordPress by clicking on:

Tools >> Erase Personal Data
Tools >> Export Personal Data

There is an email verification process that is required so that the user verifies they are in fact who they say they are. Once verified, there will be an option to EXPORT or DELETE the personal data. With the latest version of WordPress you have the data export and removal tools required to make sure you can remain GDPR compliant in a situation where a user who has provided you with personal data wants to retrieve and/or delete their data.
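The built-in export and erase tools only know about the data WordPress itself holds (comments, user accounts). If your site stores personal data elsewhere, say survey answers from one of the lead pages listed below, that data has to be registered with the same tools so an email-verified request covers it too. The following is an added example, not code from this post or from WordPress; it assumes a hypothetical custom table named `{$wpdb->prefix}survey_responses` with columns `id`, `email`, `answer` and `created`, while the two `wp_privacy_personal_data_*` filters and the callback return shapes are the real WordPress ones.

```php
<?php
// Added example (not from the post): hook site-specific data into the
// WordPress Tools >> Export / Erase Personal Data workflow. Assumes a
// hypothetical table {$wpdb->prefix}survey_responses(id, email, answer, created).

// Exporter callback: return the rows for the verified email in the format the tool expects.
function example_survey_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'survey_responses';
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, answer, created FROM {$table} WHERE email = %s", $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'survey-responses',
            'group_label' => __( 'Survey Responses' ),
            'item_id'     => 'survey-response-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Answer' ),    'value' => $row->answer ),
                array( 'name' => __( 'Submitted' ), 'value' => $row->created ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // all rows fit in one page
}

// Eraser callback: delete the rows and report the outcome to the tool.
function example_survey_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'survey_responses', array( 'email' => $email_address ), array( '%s' ) );
    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

// Register both so the email-verified request also covers this data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-survey'] = array(
        'exporter_friendly_name' => __( 'Survey Responses' ),
        'callback'               => 'example_survey_exporter',
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-survey'] = array(
        'eraser_friendly_name' => __( 'Survey Responses' ),
        'callback'             => 'example_survey_eraser',
    );
    return $erasers;
} );
```

Once this is active in a plugin or your theme's functions.php, the survey rows appear in the export archive and are removed by the erase request alongside the user's comments.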

Explicit Consent

A privacy policy is a great first step towards transparency for anyone visiting your site who is interested in how you handle data. However, those who are providing potentially identifiable data, in the form of entering an email address, name or comment etc., need to provide you with explicit consent.

What this means is that they need to check a box before leaving you a comment, for example. This box cannot be already checked by default; they have to perform an action to check a box which will explicitly opt them into accepting your privacy policy. If they do not wish to do this, then they do not need to participate in your site.

There are many plugins out there that will add these little check boxes to your comment areas and/or contact forms, but one we found quite functional is called “WP GDPR Compliance” and it can be installed from your WP Admin area by clicking on “Appearance >> Plugins >> Add Plugins”. Do a search for “WP GDPR Compliance”, install and activate it.

WP GDPR Compliance

There are a few simple settings in this plugin that you can tweak.

The settings are found under “Tools >> WP GDPR Compliance” from your main menu in the admin area of your site. You can change the wording of your message and update the page that it points to. Pretty simple stuff here to get your website requiring consent to your data storage and privacy policy before a user can provide you with any potentially identifying information or data.
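If you would rather not rely on a plugin, the consent checkbox described above is a small amount of code. The following is an added example, not the post's code and not the WP GDPR Compliance plugin's; the hook names (`comment_form_default_fields`, `preprocess_comment`, `comment_post`) and `get_privacy_policy_url()` are real WordPress APIs, while the field name `privacy_consent` and the meta key are this example's own choices. It renders the box unchecked, refuses the comment on the server if the box was not ticked (the browser-side `required` attribute alone can be bypassed), and records when consent was given.

```php
<?php
// Added example (not from the post or the WP GDPR Compliance plugin):
// an explicit-consent checkbox on the WordPress comment form, enforced
// server-side and recorded against the comment.

// 1. Render the checkbox, unchecked by default (a pre-ticked box is not consent).
//    comment_form() only prints these fields for visitors who are not logged in.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $policy_link = '<a href="' . esc_url( get_privacy_policy_url() ) . '">'
        . esc_html__( 'privacy policy' ) . '</a>';
    $fields['privacy_consent'] = '<p class="comment-form-consent"><label>'
        . '<input type="checkbox" name="privacy_consent" value="1" required> '
        . sprintf(
            esc_html__( 'I have read and accept the %s and agree to my name, email and comment being stored.' ),
            $policy_link
        )
        . '</label></p>';
    return $fields;
} );

// 2. Enforce it server-side: "required" in the HTML is only a courtesy to the browser.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    // Logged-in users consented when registering; only visitors are checked here.
    if ( ! is_user_logged_in() && empty( $_POST['privacy_consent'] ) ) {
        wp_die(
            esc_html__( 'Please accept the privacy policy to leave a comment.' ),
            esc_html__( 'Consent required' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Record when consent was given (UTC), so it shows up in an export or audit.
add_action( 'comment_post', function ( $comment_id ) {
    if ( ! empty( $_POST['privacy_consent'] ) ) {
        add_comment_meta( $comment_id, 'privacy_consent_at', current_time( 'mysql', true ), true );
    }
} );
```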

Now let's talk Privacy Policy.

Your Updated Privacy Policy

I have some good news for you. First, this GDPR stuff isn't bad. It may be a little confusing, but that is simply because like all bloated legislation like this there are many moving parts, and there is a lot of ambiguity in certain areas of it.

Second, I have created an updated Privacy Policy that you can use as a framework for your privacy policy on your website. We obviously cannot create a “catch all” privacy policy for millions of websites, but this is a good start. It is based on the criteria that the EU is after in terms of explaining how personal data is collected, how it is used on your website, and why it is used on your website.

Additionally, this is written in a way that a layperson can understand. The Privacy Policy is no longer supposed to be a technical document; it is a document written for the average person.

So please head over to the SiteContent => Templates section. You will see a template called Privacy Policy, which is the updated GDPR version.

Then you will want to modify this and make it your own, based on the personal data you are collecting (if any) and how you are using it, and publish it to your website to replace your existing privacy policy.

And as always, if you have any questions about the new GDPR updates, how it will impact you, opinions, suggestions, or insights, please leave them below.

Welcome to the new world of Internet Privacy.

suzieq Premium
This is awesome Kyle, thanks so much for making it easy to understand! This was all so confusing but I chose to wait to hear from you. Right now I am only using SEO techniques for organic traffic. Should I add the plug-in now or wait until I have an auto responder?
Cheers eh,
Suzanne
Reply
FDemont Premium
Great question Suzanne. I wonder the same and will wait with you for Kyle to respond. It is still a bit confusing, and Kyle did a great job here explaining.
Reply
Carson Premium
Hey Suzanne,

Adding the WP GDPR Compliance plugin is something that you should do regardless whether or not you have an autoresponder. If you accept comments on your website or have a contact form, you should have this installed :)

Carson
Reply
skmorrow Premium
I used the EU Cookie Law plugin that Loes demonstrated in her blog post here at WA. Do we need this WP GDPR Compliance plugin in addition?
Reply
Pernilla Premium
Great question, Steve!
I wonder about this too!
:-)
Reply
suzieq Premium
Thanks so much for responding Carson! I’ll get on that right away.
Cheers
Suzanne
Reply
gartnerf Premium
Thank you for providing some clarification around this GDPR compliance issue. The waters do get very muddy when trying to factor in the policies of the various affiliate program providers, subscription services and analytical tool providers and how they inter-relate to your website operations.

It will probably take a while before all this is sorted out and I believe if we are making a good faith effort to disclose what we know, what we store and who we are doing business with it will go a long way in protecting our business. Government and legal entities will be trying to figure this out for a while so with an updated privacy policy we should be good to go for now.

Appreciate your work and template on this legal action!
Reply
herinnelson Premium
Thanks, once again, Kyle, for coming to the rescue and clarifying all these stipulations, provisions and regulations in regard to Internet Privacy. There was a lot of speculation surrounding this issue and I'm relieved to have all the questions answered in your insightful post! Many thanks for always keeping us in tune with the times!

Erin :)!
Reply
Bryan8 Premium
Thanks Kyle, Carson, and team, but this looks like yet another example of a law that will be unenforceable for some time. Even if they COULD enforce it would it be worth going against an individual with minimum resources?

I suggest that they might make a few test cases against larger companies, but I don't believe that a small concern or an individual would be a target.

There will most likely be numerous court cases against this policy as well. Can you imagine if EVERY country or continent had their own policies? What a nightmare that would be. I think that in the long run some international organization will be formed to form a universal policy. The EU does not exist in a vacuum.
Reply
SowAndReap Premium
Thank you Kyle, I also agree about the IP address, it really doesn't have anyone's name on it. I personally love that the EU is making changes, it may be confusing, but we will get through it and I feel it is a step forward in the right direction. Thanks for the info, much appreciated.
Reply
Kyle Premium
It doesn't have any application, without other actual personal data. However, even an ISP could not look up who is operating on an IP, they could determine who is paying the bill, but that is about the extent of it.

So IP in my opinion could never be considered "personal data" by itself, it could be complementary data that could work alongside actual personal identifying data.
Reply