The 3 steps to GDPR compliance

1. Check where and how your blog collects data from your visitors (e.g. through contact forms, member areas with login forms, newsletter subscriptions etc.).
2. Put all of that into a spreadsheet and check whether it is really necessary to collect this data. If not, remove the things you don’t need.
3. Otherwise go through the list and check how to make the remaining things compliant with the GDPR rules.

Below you can find many examples of services that we use and how to handle them.
GDPR Checklist for WordPress Blogs

This is our current checklist for GDPR on our WordPress sites and blogs. We will be updating it regularly, as some things are not settled yet and need further information, e.g. from WordPress.
SSL Encryption

If there is a small green lock and “https” in front of your blog’s URL in the browser, then you are already using an SSL encrypted connection to and from your blog. If this is not the case you should take action and add the encryption, e.g. with a free Let’s Encrypt certificate. We have written a whole post about how to establish a secure SSL encryption for your WordPress website. The GDPR doesn’t actually force you to encrypt, but if you send all the data in plain, unencrypted form, the following points won’t make much sense.
DPA with your hosting provider

If you are hosting your WordPress site on shared or managed hosting, it’s likely that your hoster will log personal data of your users (mostly the IP address). Therefore you need to sign a data processing agreement (DPA) with them. If you are unsure where to find it, contact your provider directly and ask for their DPA.
Forms (Contact, Comments, Newsletter & Co.)

Whether you’ve embedded a contact form on your blog or a comment box (which you most likely have as a blogger), you always have to ask for the consent of your users, or at least add a disclaimer, before processing and saving the data they entered. Hopefully, WordPress will come up with a solution by May 25, but until then you can use the GDPR Framework plugin, which allows you to add checkboxes to your comment form and all contact forms.
Newsletter (Mailchimp)

If you send a newsletter with Mailchimp and collect email addresses and other data from your users, you not only have to put that into your privacy policy, but also next to each newsletter subscription form. We have added this page where we tell our readers what they can expect from subscribing to our newsletter, how often it is sent and which data is collected from them. In addition to that you will also need to sign a DPA with Mailchimp.
Google Fonts

Most modern websites and WordPress blogs don’t come without webfonts, and many not without Google Fonts. The problem with them is that they have to be loaded from Google’s servers each time someone opens your blog – and the visitor’s IP address is sent to Google during this process. The better solution is to host the fonts on your own webspace. You can use the plugin Use Any Font for doing this. If your theme implements Google Fonts and there is no way to deactivate them, you should reach out to the theme support or try the plugin Remove Google Fonts References.
Gravatar & WP Emojis

The same goes for the small avatar images next to your readers’ comments and the WP emojis. They are loaded from WordPress’ servers in the US each time, which sends your users’ IP addresses over. If you want to disable them, you can do that for Gravatars at Settings > Discussion > untick ‘Show Avatars’, and for WP Emojis as shown here.
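To find out which of these external loads your theme actually triggers, you can scan the HTML of one of your pages for the third-party hosts mentioned above (Google Fonts, Gravatar, the WordPress.org emoji CDN) and the embeds from the action plan. The following script is an added example, not part of this post; the host-to-service mapping and the sample HTML are assumptions constructed for the demonstration.

```python
import re

# Third-party hosts this post warns about (Google Fonts, Gravatar, the WP emoji
# CDN) plus the embeds from the action plan. The host list is an assumption
# made for this example, not something the original post provides.
THIRD_PARTY_HOSTS = {
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "gravatar.com": "Gravatar",
    "s.w.org": "WP Emojis (WordPress.org CDN)",
    "youtube.com": "YouTube embed",
    "facebook.com": "Facebook embed",
    "pinterest.com": "Pinterest embed",
}

# Matches the host of absolute (https://host) and scheme-relative (//host) URLs.
# Slashes may be backslash-escaped, as in the inline _wpemojiSettings JSON that
# WordPress prints into <head> ("https:\/\/s.w.org\/...").
HOST_RE = re.compile(r'(?:https?:)?(?:\\?/){2}([a-z0-9.-]+\.[a-z]{2,})', re.I)

def classify_host(host):
    """Map a host (or any of its subdomains, e.g. 0.gravatar.com) to a service."""
    host = host.lower()
    for known, service in THIRD_PARTY_HOSTS.items():
        if host == known or host.endswith("." + known):
            return service
    return None

def audit_html(html, own_host):
    """Return {service: sorted hosts} for third-party resources found in the page."""
    findings = {}
    for host in HOST_RE.findall(html):
        if host.lower() == own_host.lower():
            continue  # resources served from your own webspace are fine
        service = classify_host(host)
        if service:
            findings.setdefault(service, set()).add(host.lower())
    return {service: sorted(hosts) for service, hosts in findings.items()}

# Constructed sample of a WordPress page (not a real site): one local stylesheet,
# a Google Fonts stylesheet, the inline emoji settings and a Gravatar image.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://example.blog/wp-content/themes/t/style.css">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans">
<script>window._wpemojiSettings={"baseUrl":"https:\\/\\/s.w.org\\/images\\/core\\/emoji\\/"};</script>
<img src="https://secure.gravatar.com/avatar/abc?s=48" alt="">
<img src="/wp-content/uploads/photo.jpg" alt="">
"""

if __name__ == "__main__":
    for service, hosts in audit_html(SAMPLE_HTML, "example.blog").items():
        print(f"{service}: {', '.join(hosts)}")
```

Run it against the saved source of your own front page and comment pages; anything it lists is a request that leaves your visitor’s IP address with a third party.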
Antispam Plugin

To protect your blog from spam comments you should use a dedicated antispam plugin. The very popular Akismet, which comes with every WordPress installation, is not compliant with GDPR and shouldn’t be used. Thankfully there is another plugin called Antispam Bee, a very good alternative that we have been using for many years. It filters spam comments very efficiently and offers a lot of options. Important: you have to make sure that “Use a public antispam database” and “Allow comments only in certain language” (in the plugin settings) are NOT ticked.
Your GDPR Action Plan:
- Check which data your blog collects and put them in a list
- Take care of an SSL encryption for your blog
- Check your plugins (antispam, share etc.) and embeds (FB, Pinterest, Youtube etc.)
- Check if your theme uses Google Fonts or loads other external resources
- Make your newsletter subscription and contact forms GDPR compliant
- Take action for a compliant use of Google Analytics
- Stay up to date for changes in WordPress & Co.
- Keep calm and don’t panic!