How to Ensure Your Website is GDPR Compliant
The post was originally published on LinkedIn on May 23, 2018. I decided to publish it here too to ensure that when you decide to set up your website, you take this into consideration.
I am not a lawyer and I don’t work in any legal capacity. This post does not offer or represent legal advice. You should work with your own legal counsel for any GDPR related policies and actions you take.
If you are an online business that collects data of any sorts, this affects you and at this point, you have ONE day to ensure you’re GDPR compliant.
With that in mind, I thought it would be helpful to break down exactly what GDPR is, how it will impact you and the key steps you need to take in order to ensure you are compliant before it’s too late.
What is GDPR?
The General Data Protection Regulation is a privacy law from the European Union (EU) that applies to the processing of personal data.
Whom does GDPR affect?
The GDPR will apply to any relationship or transaction (including free) where one or more parties are in the European Union. This includes the United Kingdom who have agreed to maintain GDPR legislation beyond Brexit.
This means that if you are an online business collecting data, this will impact how your business currently operates. It affects everyone.
The degree to which GDPR impacts your business is dependent on where your business is located.
If you are based in the EU (and UK), you must comply with GDPR legislation across your entire business and databases. However, if you are based outwith the EU, you only need to comply with GDPR for the EU segments of your audience databases.
What does ‘the processing of personal data’ actually mean?
Let’s break it down. There are 3 parties involved in the collection and processing of personal data.
The Data Subject i.e. the person whose personal data is being collected.
The Controller i.e. the person collecting this information (you)
The Processor i.e. the tool you use to collect information
Personal data includes any information that can identify the person that data was sourced from. This could be their name, email address, phone number and even their IP addresses. Often, the tools we are using collect a lot more information automatically without us even realizing. We now have to be aware of this.
Processing includes “...any operation or set of operations which is performed on personal data or on sets of personal data… such as recording, organization, structuring, storage, adaption or alteration, retrieval...erasure or destruction.”
To put this in context for the typical online business, this would include all the information obtained in your email marketing platforms, CRM systems and through your website using certain plugins or analytics.
What does this mean for your business?
GDPR means that if you are collecting personal data of any sorts as a person in the EU and/or from persons in the EU, you must be compliant with the regulations stated in the new privacy law.
You can still collect and process data from persons in the EU, but to do so you must meet the criteria that set out the lawful bases for doing so. These include:
1. Consent
You must have explicit consent in order to collect data from an EU person for a clearly defined, specific purpose. It must be freely given, specific, informed and unambiguous. Permission also has to be provided by a person actively opting in and granting permission, not through opting out.
People can opt in to your email list to receive promotional emails because they are giving you consent to send promotional emails. However, you can no longer offer a lead magnet to gain someone’s email and then use that as consent to send promotional emails.
In this instance, they gave you consent to send them a lead magnet, not to receive promotional emails. In order to send them promotional emails, you would require additional consent to do so.
2. Contract Fulfilment
You must only collect the minimum amount of information to fulfil or prepare to fulfil a contract. A contract is an agreement where a person agrees to exchange the necessary data in order to receive something else.
You can request an EU person’s first name and email address in order to send them a lead magnet, a calendar booking, free course or a business catalog etc. This is because you require an email address in order to send it. However, you cannot also ask for their home address or their phone number because you don’t require that information to fulfil that contract - unless you are sending via snail mail or SMS.
3. Legitimate Interest
You must not continue to use an EU person’s data to send additional promotional material once the contract is fulfilled.
You cannot continue to send further promotions to an email subscriber long beyond the completion of a free course or after sending a lead magnet.
In order to send further promotions, you would require additional consent. Keep in mind, this has to be explicit consent through opting in rather than through opting out.
6 GDPR Principles
There are 6 key principles that you should follow to ensure you meet the GDPR compliance criteria.
Purpose Limitation. Ensure you are only collecting personal data for a specific, necessary purpose.
Data Minimisation. Ensure you only collect the minimum data required to fulfill a specific purpose.
Accuracy. Ensure all information is accurate and up to date.
Storage Limitations. Ensure you delete personal data when it’s no longer necessary. You are allowed to anonymise the data instead.
Integrity and Confidentiality. Ensure you have taken all reasonable steps to secure data.
Action Steps You Need To Take
01 | Clean Up
Ensure your email list is GDPR compliant by ensuring you get fresh consent from persons in the EU before May 25th. Without this consent, you should remove this portion of your audience as you no longer have permission to market to them - even if they opted in before May 25th.
02 | Update Essential Policies
Add an SSL certificate to your website for security.
You must explain the exact data you collect, who will gain access to this data, your legal base for collecting this data and how the data will be used. You are also required to add visitor rights as outlined under the new GDPR law.
Visitor Rights include:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
03 | Review and Renew Systems
Create a data map that outlines all the places you are automatically collecting data and how that data is being used. This includes your email marketing programs, CRM systems, Google Analytics and various WordPress plugins. Also look at the third-party sites involved where there is a transfer of personal data. Ensure that all of these are GDPR compliant.
Update your Google Analytics settings by reviewing your data retention period and ensuring that the data collected is GDPR compliant. If you haven’t already revised your user and event data retention period in Google Analytics, you will be prompted to do so when you log in. You can also do it by visiting your Data Retention settings under
Admin > Property > Tracking Info > Data Retention
With regard to personal data, standard Google Analytics collects IP addresses. You can use IP anonymization to stop full IP addresses being stored in Google Analytics to ensure you are compliant.
It is also recommended that you get your own GDPR representative to ensure your business is operating in compliance with this new EU legislation.
It's all good!
This is just a basic checklist that you can follow through on today. Not too painful, right? :)
It’s a big deal in the sense that you are legally responsible for implementing any necessary changes. It’s not a big deal in the sense that it's not some doomsday that will bring your whole marketing strategy to a halt - at least, it shouldn’t if you are operating ethically.
GDPR is a good thing. No one enjoys being spammed with promotional emails he or she didn’t consent to receive.
If you are doing your job right, people will want to sign up to your email list and will want to give consent. In reality, the quality of your audience and the connection you have with them is going to improve as a result.
...and ultimately, isn’t that the whole point of building your email list in the first place?
You might have some questions. I’ve tried to account for the main ones below. However, if there is a question you have still unanswered, include it in the comments below and I’ll do my very best to answer and update this post. If I can’t answer your question, I’ll do my best to direct you to someone who can.
How do I know who is EU based?
The biggest step that ALL online businesses collecting data must take is to segment their email lists. If you are EU based, this applies to your entire list, therefore, you require explicit consent from EVERYONE who is currently on your list and anyone who goes on to join it.
If you are outwith the EU, segment those who are in the EU and get fresh consent before May 25th. If you are unsure where a person is located, it is recommended you act with caution and assume they are based in the EU.
Many email marketing platforms are now introducing new tools to help you with ensuring GDPR compliance, such as GDPR-friendly forms. These are likely to be improved on in the near future. Check with your own email marketing provider. Here are a few resources from the big players.
How does this impact other platforms I use?
GDPR does not impact your use of other platforms or your ability to use their various features and advertising capabilities. This includes the Facebook Pixel. In these instances, the platform is the Data Controller, not you; therefore, they are responsible for GDPR compliance.
EXCEPTION: The only exception to this is when you are creating custom audiences to target through advertising. This is an audience you upload based on the data you collected, therefore, you are the controller of this data and you are responsible for ensuring it’s GDPR compliant.
How do I grow my email list now?
GDPR doesn’t prevent you from growing your email list. It also doesn’t prevent you from marketing or promoting to your email list. It simply requires you to get permission from subscribers in order to do so.
You have to be clear and set the expectation that someone is joining your list to receive a specific type of information. The contract has to be transparent.
People need to know exactly what they are signing up for. You can no longer assume because someone grants access to his or her email in order to receive a free pdf download that they are automatically giving you permission to send them emails every week - that’s not what they signed up for.
To grow your email list, you just have to look for and optimize all opportunities to gain permission. Here are a few suggestions on how you can do that.
Adding an additional checkbox that allows people to sign up to your main list. Just ensure the box is unchecked so that in order to grant permission, they have to actively check the box granting explicit consent.
Include opportunities for people to sign up to your main list when giving away a lead magnet. This could be on the thank you page, in the delivery email or on the lead magnet itself. Cross promote and make it easy for people to provide this additional consent.
Re-evaluate your current sales funnels. Instead of giving away lead magnets, consider simply promoting your email list sign-up and sharing some of the content you intend to share through email, such as promotions, discounts, exclusive content, pdf printables, free courses etc.
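To show how the separate, unchecked consent checkbox above translates into what the server actually stores, here is an added example (not code from the original post): the lead magnet delivery is recorded under the contract basis, promotional emails are recorded only when the box was affirmatively ticked, and the stored records are checked before any promotional email goes out. The field names `email` and `marketing_consent` and the purpose labels are assumptions for this demo.

```javascript
// Added example. Form field names and purpose labels are assumptions.
const PURPOSES = {
  LEAD_MAGNET: "lead_magnet_delivery",   // the contract the subscriber entered
  PROMOTIONS: "promotional_emails",      // needs its own explicit opt-in
};

// Handles one signup form submission (a plain object, as a body parser
// would produce it) and returns the consent records to persist.
function processSignup(form, now = new Date()) {
  const email = String(form.email || "").trim().toLowerCase();
  if (!email.includes("@")) throw new Error("email address required");
  const grantedAt = now.toISOString();

  // Contract fulfilment: only the data needed to deliver the lead magnet.
  const records = [
    { email, purpose: PURPOSES.LEAD_MAGNET, basis: "contract", grantedAt },
  ];

  // An unchecked checkbox is simply absent from the submitted form, so the
  // default is "no consent". Only an affirmative tick ("on" or true) counts.
  const ticked = form.marketing_consent === "on" || form.marketing_consent === true;
  if (ticked) {
    records.push({
      email,
      purpose: PURPOSES.PROMOTIONS,
      basis: "consent",
      grantedAt,
      evidence: "signup_form_marketing_checkbox_v1", // which wording they agreed to
    });
  }
  return records;
}

// Gate every send on a stored record for that exact purpose.
function mayEmail(records, email, purpose) {
  const key = String(email).trim().toLowerCase();
  return records.some((r) => r.email === key && r.purpose === purpose);
}

// The right to object / withdraw: drop the record for one purpose only,
// leaving other lawful bases (e.g. the lead magnet contract) untouched.
function withdrawConsent(records, email, purpose) {
  const key = String(email).trim().toLowerCase();
  return records.filter((r) => !(r.email === key && r.purpose === purpose));
}
```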
Can I still use affiliate links?
Yes, you can still use affiliate links. You are not the one collecting the data. In this instance, data is collected by the affiliate company with your code tagged/attached. As long as you tell people there are affiliate links in accordance with the rules outlined by the Federal Trade Commission, you’re okay to include them.
Do you need cookie consent to be GDPR compliant?
In the EU, the cookie directive requires consent from visitors to your site. It is my understanding that cookies are not subject to the GDPR unless they are extensive enough to identify a person. There may be some cases in which this is true, especially if third parties are involved, but for the most part, they are not subject to GDPR.
I hope this post has been valuable to you and clears up any confusion or worry you might have had in the lead up to this new legislation being enforced. Let me know.