Before we dive into this post, we want to share a big disclaimer: we are NOT lawyers!
This is not legal advice, and we definitely recommend reading up on GDPR on your own, consulting an attorney, and making sure you know all of the ways that this law affects your business.
Also, we do use affiliate links. This means we may make a small commission if you purchase a product. We only recommend products we trust and love.
What is GDPR?
You may have seen a flood of emails coming in lately with everyone updating their Privacy Policy. We updated ours too, and you can read all the fun legalese here!
You may also have seen a looooot of small businesses and entrepreneurs freaking out online about making sure they are compliant by the deadline, March 25th.
So first things first, we want to say: take a deep breath.
This is a big deal, but odds are if you’re a creative entrepreneur there are some simple provisions you can put in place to make sure you’re abiding by the law and protecting your visitors/clients/yourself.
GDPR stands for General Data Protection Regulation, which is a law within the European Union that goes into effect today, March 25th. The overall purpose of this law is to provide better protection of personal information for EU citizens and give those citizens control over how their data is collected and what it is used for.
WP Beginner does a great job at explaining GDPR in non-legalese (aka plain English):
“To put it in plain English, GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent (good luck getting this consent). Businesses have to delete users’ accounts and unsubscribe them from email lists if the user asks you to do that. Businesses have to report data breaches and overall be better about data protection.”
There is way more involved if you want to read the full 99 articles here, but this is a very oversimplified explanation to help you get started. There’s also a really helpful breakdown in more “simple terms” on the European Commission’s website.
*Want to learn everything there is to know about GDPR/what it actually means in legal terms? The Contract Company has got you covered!*
Does GDPR Affect Your Business?
Most likely, yes.
This doesn’t just affect businesses within the EU. Even if you do not have customers in the EU, if you have any website traffic that comes from the EU, or if your website is available for someone to view within the EU, then this law applies to you.
If you haven’t already taken action, we definitely recommend taking the steps below, as well as speaking with an attorney if you have any questions on your compliance.
Not complying with GDPR could mean HUGE fines – up to €20 million or 4% of your company’s annual global revenue, whichever is greater.
Needless to say, it’s getting a LOT of attention – and rightly so.
The Importance of GDPR
Before we share the tips, we want to say this: GDPR is actually a good thing.
And it’s not going away.
Let’s address the second part first – this law is here to stay.
Most people believe that GDPR is setting a new global standard and expect other countries to soon follow suit. This means ignoring the EU law isn’t the best option for your business, especially as more and more countries start adopting similar policies.
Now onto the first point – GDPR is about providing better protection of personal data and information.
In a world with fraud scams and mishandling of private information, this is a good thing. GDPR is aiming to ensure that EU citizens have control over how their data is collected and also gives them the ability to change, opt out, delete, or request their data.
So all in all, this really is meant to help protect personal data – which as entrepreneurs and business owners, we should be all on board for, right?
Great! So let’s get you compliant.
5 Steps to Make Your Website GDPR Compliant
**Again: this is NOT legal advice. This doesn’t cover every aspect of every business. This is simply 5 ways you can get started making sure you’re GDPR compliant.**
1. Update or Add a Privacy Policy
This is probably pretty clear from all of the emails you’re getting right now – but if you don’t already have a privacy policy, you need one.
If you have one, take a look and make sure it is GDPR compliant.
Some things you should cover include:
- List of the data you collect, why you collect it, how you’ll use it, how long you keep it, and whether you require that it be provided
- How the visitor can request their data, review and request corrections to their data, or ask that you erase their data
- Your cookie policy and how you track data
- The effective date of the privacy policy
- Whom to contact with questions about the privacy policy
This is a super high-level overview, but there a lot of great templates out there if you want to make sure you’re all covered and GDPR compliant.
We recommend checking out the Contract Shop’s GDPR Privacy Policy and Terms and Conditions here!
This shop also has an entire bundle on GDPR compliance products!
Pro tip: Updating Your Privacy Policy in WordPress
In response to the GDPR regulations, WordPress has updated and added some new features to its platform.
If your website has a WordPress blog, you should have seen a notice like this:
If you go to your WordPress Settings, you’ll see a new Privacy menu. Click on the Privacy menu to add your new (or updated) Privacy Policy:
2. Add a Cookie Pop Up to Your Website
If you’re using cookies to track any data, you should disclose that to your visitors.
We installed the Cookie Consent plugin by Catapult Themes. There are a ton out there, so just search for an EU/GDPR-compliant cookie plugin on your WordPress site!
3. Get Your Email List GDPR Compliant
In addition to those privacy policy emails you’ve been getting, you may also have had bloggers and businesses asking you to essentially resubscribe to their list.
This is NOT a requirement – but the reason behind those emails is that 1) a lot of people don’t know it’s not necessary and 2) it double-confirms that people are giving their consent to be on your email list.
If you already asked for consent when the person first subscribed, you do not need to ask them to acknowledge their consent again to stay on your list.
This has already been best practice, even if you weren’t using double opt-in confirmation emails.
Although, spring cleaning is never a bad idea – so if you haven’t cleaned up your list in a while, now would be a good time to send a reengagement email to anyone who hasn’t opened your last few emails!
On another note, most email service providers (ESPs) have implemented changes to make your list GDPR compliant. We use Drip – and all we had to do was navigate to our settings to find an “EU Compliance” section:
This new feature allows you to add EU-compliant check boxes to any opt-ins, as well as double opt-in email confirmations for EU citizens.
Most ESPs have taken similar steps, so we recommend checking out the options within your own provider and checking off all of the necessary options!
4. Update Your Google Analytics
If you use Google Analytics (and you totally should!), you will want to log in to your account and review the new changes.
When you log in, you will see a notification that requires your attention:
You can also navigate to your Data Retention settings under Admin > Property > Tracking Info.
This is the information you’ll need to review and save.
5. Update Your Opt in Forms and Comments
If you collect any personal information from your visitors – whether that’s on an opt-in form, a contact form, or in your comment forms – you now need to ask for explicit consent.
In the simplest terms, this means asking your visitor to acknowledge their consent to you collecting their data and adding them to your list (if applicable). The easiest way to do this is to add a check box that is UNCHECKED to begin with.
Many WordPress form plugins, contact forms, and client management forms have made this change easy for you to implement. Check in on any opt-in forms you have and make sure you’re asking for specific consent (especially if you’ll be sending any marketing emails or adding them to your email list!).
What if You Miss the GDPR Deadline?
If you’re reading this after March 25th, you technically missed the deadline. Again, don’t freak out – let’s just get started.
It’s not expected that the Commission will be going after creative entrepreneurs and small business owners on day 1, but again – it’s important for you to be compliant. According to the European Commission’s website, the first offense won’t go right to a crazy high fine. It appears that a warning will come first:
So the likelihood that you’ll be fined right away is low, but again – we recommend that you get compliant as quickly as possible.
The EU Commission isn’t on a mission to hurt small businesses (or any businesses for that matter). Rather, it’s out to protect its citizens’ data and build trust online.
If you care about your visitors, customers, and their privacy, then it’s time to embrace the good that GDPR will do and start taking action in these small steps today.
We hope this article helped clear the fog of what GDPR is and how you may be affected. We aim to keep this information updated as new information and tools are released! Again, this is not legal advice, we’re just trying to help 🙂