If you are a blogger based in the EU you have probably heard about the General Data Protection Regulation (GDPR), which becomes effective in about one month, on 25 May 2018. It aims to better protect the data of website users in the EU and is therefore important for you as a blogger and website admin.
You may also have heard that the rules are strict and the fines and penalties are high – but the first and most important thing to remember is: Don’t panic! You have another month to read through it carefully, think about how your blog saves the data of your visitors, and make it GDPR compliant.
In this post I want to show you which actions we have taken, where the problems lie and what the GDPR means for bloggers on WordPress. The checklist below shows you everything we have done so far or plan to do and hopefully helps you to figure out GDPR for yourself.
Important notice: We are not lawyers or data protection specialists and therefore cannot be held liable for anything. This post is not legal advice.
The 3 steps to GDPR compliance
1. Check where and how your blog collects data from your visitors (e.g. through contact forms, member areas with login forms, newsletter subscriptions etc.).
2. Put all of that into a spreadsheet and check if it is really necessary to collect this data. If not, you can remove the things that you don’t need.
3. Otherwise go through the list and check how to make the remaining things compliant with the GDPR rules. Below you can find many examples of services that we use and how to handle them.
GDPR Checklist for WordPress Blogs
This is our current checklist for GDPR on our WordPress sites and blogs. We will be updating it regularly as some things are not set yet and need further information, e.g. from WordPress.
If there is a small green lock and an “https” in front of your blog’s URL in the browser, then you are already using an SSL encrypted connection to and from your blog. If this is not the case you should take action and add the encryption, e.g. with a free Let’s Encrypt certificate (you can do that in your hosting dashboard). The GDPR doesn’t actually require encryption, but if you send all the data in plain, unencrypted form the following points won’t make much sense.
DPA with your hosting provider
If you are hosting your WordPress site on shared or managed hosting, it’s likely that your hosting provider will log personal data of your users (mostly the IP address). Therefore you need to sign a data processing agreement (DPA) with them. If you are unsure where to find one, contact your provider directly and ask for their DPA.
Forms (Contact, Comments, Newsletter & Co.)
Whether you’ve embedded a contact form on your blog or a comment box (which you most likely have as a blogger), you always have to ask for the consent of your users or at least add a disclaimer before processing and saving the data they entered. Hopefully, WordPress will come up with a solution by May 25, but until then you can use the GDPR Framework plugin which will allow you to add checkboxes to your comment form and all contact forms.
If you send a newsletter with Mailchimp and collect email addresses and other data from your users, you not only have to put that into your privacy policy, but also state it with each newsletter subscription form. We have added this page where we tell our readers what they can expect from subscribing to our newsletter, how often it is sent and which data is collected from them.
In addition to that you will also need to sign a DPA with Mailchimp.
Google Analytics and user tracking in general is important for many bloggers to get information about their traffic and user behaviour. The good news: Google Analytics can be used in compliance with GDPR, there are just a few steps you will have to take.
Furthermore you have to anonymize the tracked IP addresses. If you use a plugin for embedding the GA code (e.g. Monster Insights), you can find that option in its settings. If you chose to manually add the code to your blog, Google shows you how to anonymize IPs.
Most modern websites and WordPress blogs don’t come without webfonts, and many not without Google fonts. The problem with them is that they have to be loaded from Google’s servers each time someone opens your blog – and the visitor’s IP address is sent over during this process.
The better solution is to host your fonts on your own webspace. You can use the plugin Use Any Font for doing this. If your theme implements Google fonts and there is no way to deactivate them, you should reach out to the theme support or try the plugin Remove Google Fonts References.
Gravatar & WP Emojis
The same goes for loading the small avatar images next to your readers’ comments and WP emojis. They have to be loaded from WordPress’ servers in the US each time, which sends your users’ IP addresses over. If you want to disable them, you can do that for Gravatars at Settings > Discussion > don’t tick ‘Show Avatars’, and for WP Emojis as shown here.
To protect your blog from spam comments you should use a special antispam plugin. The very popular Akismet, which comes with every WordPress installation, is not compliant with GDPR and shouldn’t be used. Thankfully there is another plugin called Antispam Bee, a very good alternative that we have been using for many years. It filters spam comments very efficiently and offers a lot of options.
Important: You have to make sure that “Use a public antispam database” and “Allow comments only in certain language” (in the plugin settings) are NOT ticked.
Your GDPR Action Plan:
- Check which data your blog collects and put them in a list
- Take care of SSL encryption for your blog
- Check your plugins (antispam, share etc.) and embeds (FB, Pinterest, Youtube etc.)
- Check if your theme uses Google Fonts or loads other external resources
- Make your newsletter subscription and contact forms GDPR compliant
- Take action for a compliant use of Google Analytics
- Stay up to date for changes in WordPress & Co.
- Keep calm and don’t panic!
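One way to run the plugin, embed and theme checks from the action plan against a saved copy of one of your own pages. This is an added example, not part of the original post: the `audit` function, the host list and the `blog.example` sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the services named in this checklist (assumed list; extend it for your embeds).
KNOWN = {"fonts.googleapis.com": "Google Fonts", "fonts.gstatic.com": "Google Fonts",
         "gravatar.com": "Gravatar", "s.w.org": "WP Emojis",
         "google-analytics.com": "Google Analytics", "googletagmanager.com": "Google Analytics"}
FETCHED_RELS = {"stylesheet", "preload", "preconnect", "icon"}  # <link> types that hit the network

class Collector(HTMLParser):
    """Collects URLs the browser requests on page load, plus inline script text."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self.in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_script = tag == "script" or self.in_script
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href") and FETCHED_RELS & set((a.get("rel") or "").split()):
            self.urls.append(a["href"])
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.inline.append(data)

def audit(html, own_host):
    """Return ({service: hosts contacted}, True if GA is present without IP anonymization)."""
    c = Collector()
    c.feed(html)
    found = {}
    for url in c.urls:
        host = (urlparse(url).hostname or "").lower()  # relative URLs have no host
        if not host or host == own_host or host.endswith("." + own_host):
            continue
        label = next((n for h, n in KNOWN.items() if host == h or host.endswith("." + h)), "other")
        found.setdefault(label, set()).add(host)
    js = "\n".join(c.inline)
    uses_ga = "Google Analytics" in found or "google-analytics.com" in js
    return found, uses_ga and not re.search(r"anonymizeIp|anonymize_ip", js)

# Constructed sample page for a hypothetical blog at blog.example.
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-XXXXX-Y"></script>
<script>gtag('config', 'UA-XXXXX-Y');</script>
<img src="https://secure.gravatar.com/avatar/0000?s=60">
<img src="//s.w.org/images/core/emoji/11/svg/1f642.svg">"""
print(audit(SAMPLE, "blog.example"))
```

The scan only sees what is in the static HTML, so resources injected later by JavaScript still need a look in the browser's network tab.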
WordPress Plugins for GDPR Compliance
There are already some plugins that will help you to make your WordPress blog compliant with GDPR. Some of them are already mentioned above, others may be an interesting addition to other actions that you have already taken.
Remove IP: WordPress saves the IP address of the commenter with each comment – that’s the reason why you practically can’t write anonymous comments. Whether you should remove these IPs is debatable (in terms of law enforcement). But if you want to do it, you can use this plugin to prevent WordPress from saving the IP addresses to your database.
Shariff Wrapper: This is a great alternative to normal text links as share buttons. The plugin offers a big selection of different services and the possibility to still show the number of shares in a GDPR compliant way.
The GDPR Framework: If you don’t want to wait for WordPress to come up with a GDPR solution, you can use this plugin to take first action steps towards compliance of your blog. It gives your users the opportunity to see and delete the data that is saved about them (the so-called “right to be forgotten”) and works with disclaimers for contact form plugins like Gravity Forms and Contact Form 7.
And what about WordPress themes?
We are currently working on making our own themes compliant with GDPR by 25 May, e.g. by removing Google Fonts and external scripts. If you have purchased one of our newer themes (Madrid, Paris) you will get an automatic update into your dashboard once it is available. For older themes (Front Row, Pink) please send us an email and we will send you the updated version of the theme which you can upload to WordPress.
If you use another theme, you should contact the developers and ask directly for GDPR compliance.