GDPR in Simple Terms: What All Bloggers and Website Owners Need To Do

“GDPR? What the heck am I supposed to do!?”

So you’ve probably heard all about the GDPR (General Data Protection Regulation) that comes into effect on May 25th of this year. Like many, I was overwhelmed with all of the seemingly lengthy requirements and legal mumbo-jumbo I was faced with when trying to figure out what the heck I was supposed to do as a website owner. I’m not going to go over all of the terms and what they mean because there are plenty of Google-worthy blog posts on exactly that.

Instead, I wanted to make this post to outline a few important steps that we all need to take to help our sites become compliant with the regulations. It seems really scary, but once you break it down (as I have done for you, yay!) it’s really not that bad.

Please keep in mind that I am in no way a legal expert and am just as confused as you might be about some things. The following are basic requirements that I’ve been able to implement easily and that are a good place to start. If you require more information about the GDPR, please do your research!!

Does this apply to you?

Yes. If you own a website or blog that processes personal information (blog comments, form signups, analytics, logging tools/plugins), the GDPR applies to you, no matter where you live. So read on…


Email lists

Let’s start with mailing lists. If you are collecting emails and manage an email list, you’ll need to make sure you comply. Here’s how:

Make sure that your subscribers confirm that they want to be added to a list. For example, include a check box on your subscription form that lets them know that by checking the box they will be agreeing to receive your newsletter. Alternatively, use a double opt-in feature, which sends the user an email with a link to confirm that they want to be added to your list before sending them any newsletters. Your mailing list provider should have either of these options in your form settings!

Previously subscribed members that did not consent in these ways should be given the opportunity to re-confirm their subscription. Sending out a message to all of your email subscribers asking them to re-confirm their subscription would be a good idea in this case (clicking a link in the email to re-confirm their subscription could add the person to a new list of approved emails; check with your mailing list provider on how to set up a new list).

Don’t collect any information that is not relevant to the subscription. For example, name and email address should be enough, as most newsletters shouldn’t require a user’s full contact information, address, age, etc.

Obviously, subscribers should be given the opportunity to opt out of your mailing list at any time. Make sure your Unsubscribe link is visible and working.


Your website or blog

Now you might be wondering what to do with your website or blog to comply with the GDPR. I’ve tried to make this as simple as possible, so follow these steps to get on the right track:

If you haven’t already made the switch to a secure site (https://), you should do that now. If you have a Blogger blog, there is an option to use https:// in your settings. If your site is hosted through a direct hosting company, find out how to get set up with an SSL certificate to make your site secure. Contacting your host or viewing their product options on their website should help you get started. There might be a small fee for an SSL certificate depending on your host.

Not sure if your site is already secure? Type your site address/domain name into your browser with “https://” before the URL instead of the standard “http://”. If the page loads without a certificate warning, you’re good.

You also need to have a Privacy Policy in place. A privacy policy outlines exactly what you do with digital information you receive from visitors, and the policies for using your website. You can create one easily by Googling “Privacy Policy Template” or something along those lines. There are also Privacy Policy generators like iubenda.com that make it really easy to customize your own. Make sure your policy includes all of the third-party services you use as well. For example, if you use Google Analytics, there needs to be a section that explains this. If you use Facebook logins/widgets, that needs to be there as well. Review your website for all of your third-party add-ons and scripts and make sure to include them in your Privacy Policy.

Your Privacy Policy should clearly outline what you do with data you receive, why you need it, who controls it, the name of your organization, and that the user can withdraw at any time.

Create your Privacy Policy as a new “page” on your website or blog and place a link to it in your website’s footer. All websites should have a privacy policy.

Next, your site should display a cookie notice that lets users know that by using your website, they agree to the use of cookies. You’ve probably seen these header/footer bar notices on many other websites before (they automatically appear on all Europe-based Blogger blogs). There is one on this website that you have probably seen in the footer as well. A cookie notice is a simple statement that says something like “We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.” By clicking OK or AGREE, the user has given their consent to continue using your website with cookies enabled.

If you’re a WordPress user, download the plugin called “Cookie Notice” to set this up in seconds. You can also choose to include a link to your Privacy Policy within the notice bar.
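
To show what happens behind a notice bar like that, here is an added example in browser JavaScript; it is not code from this post or from the “Cookie Notice” plugin. It records the visitor’s choice in a consent cookie and only adds your third-party scripts (the analytics and social widgets your Privacy Policy lists) to the page after the visitor has clicked Agree, so nothing from those services is loaded before consent. The cookie name, the 180-day lifetime, the script URLs and the button id are assumptions made for the demo.

```javascript
// Added example (not from the original post or the "Cookie Notice" plugin):
// a consent cookie plus a small gate that loads third-party scripts only after
// the visitor has clicked Agree. Cookie name, script URLs, button id and the
// 180-day lifetime are assumptions for this demo.
const CONSENT_COOKIE = "cookie_consent"; // assumption
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // assumption: ask again after 180 days

// The third-party add-ons the site uses, named so that the Privacy Policy
// section and this loader refer to the same list. URLs are placeholders.
const THIRD_PARTY_SCRIPTS = {
  analytics: "https://example.invalid/analytics.js", // placeholder for e.g. Google Analytics
  social: "https://example.invalid/social-widgets.js", // placeholder for e.g. Facebook widgets
};

// Parse a document.cookie / Cookie header string into { name: value }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns the visitor's recorded choice per category, or null when no valid
// choice is stored (missing cookie, garbage value, unknown format version).
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw);
    if (parsed.v !== 1 || typeof parsed.choices !== "object") return null;
    const choices = {};
    for (const key of Object.keys(THIRD_PARTY_SCRIPTS)) {
      choices[key] = parsed.choices[key] === true; // anything but an explicit true is "no"
    }
    return choices;
  } catch (e) {
    return null; // malformed cookie: treat as no consent given
  }
}

// Builds the cookie string that records the choice. Secure + SameSite keep the
// consent record itself from leaking over plain HTTP or in cross-site requests.
function buildConsentCookie(choices) {
  const value = encodeURIComponent(JSON.stringify({ v: 1, choices }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Which script URLs may be loaded for the given choice. No choice -> nothing.
function scriptsToLoad(choices) {
  if (!choices) return [];
  return Object.keys(THIRD_PARTY_SCRIPTS)
    .filter((key) => choices[key] === true)
    .map((key) => THIRD_PARTY_SCRIPTS[key]);
}

// Inject the permitted scripts into the page; returns the choice that was applied.
function applyConsent(doc) {
  const choices = readConsent(doc.cookie);
  for (const url of scriptsToLoad(choices)) {
    const s = doc.createElement("script");
    s.src = url;
    s.async = true;
    doc.head.appendChild(s);
  }
  return choices;
}

// Wire-up for the notice bar; only runs in a browser. The Agree button is
// assumed to have id "cookie-agree".
if (typeof document !== "undefined") {
  applyConsent(document);
  const btn = document.getElementById("cookie-agree");
  if (btn) {
    btn.addEventListener("click", () => {
      document.cookie = buildConsentCookie({ analytics: true, social: true });
      applyConsent(document);
    });
  }
}
```

Anything that is not an explicit `true` in the cookie counts as “no”, so a missing, expired or mangled cookie simply means the notice is shown again and no third-party script runs; that is the safe default for a consent record.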


Registering with the ICO

There is a new requirement that website owners should register with the ICO if they fall into a certain category.

I’ve noticed many people saying that they are going to stop blogging because they only do it as a hobby and paying a fee every year to be registered with the ICO is not in their budget. The thing is, many bloggers will not have to register at all. The ICO site has a little quiz you can take that will tell you if you need to register or not. Most bloggers fall under the “not-for-profit exemption”.

The details and requirements of registering are still a bit fuzzy, so use your best judgement here and take the quiz to see if you qualify.


Consent, consent, consent!

If you haven’t noticed already, the GDPR is all about CONSENT!  Whenever you collect and store information on your website, you need to be sure that you have the consent from the individual to do so. That means:

  • No emailing your subscribers something they didn’t consent to receive (for example: they subscribed to your email list for one thing but you’re sending them something else as well)
  • No using other people’s email lists or contacts that didn’t agree to be contacted by you
  • No storing of information that the user did not consent to
  • No pre-ticked boxes for forms/signups
  • No hiding or disregarding opt-out options (you need to tell people about their right to opt-out or withdraw)

As long as you follow this main rule, everything else should come easily.


Removal of information

You need to be able to secure and remove all users’ information easily if necessary. Your site MUST be secure and you need to think about how you store your users’ information. What would happen to it if you were hacked? Always make sure that proper technical measures are used, or simply don’t store personal information on your server/site.

I hope this helped a little bit, and I will update this post should any new information come to light. If you have any tips, questions, or requirements I might have missed, leave a comment below to help the community here!

By Dana L.

Entrepreneur and founder of the Wonder Forest blog, products and bestselling author of the Watercolor With Me 3-part book series.

8 comments

  1. This seems like such a hassle and pain in the butt @_@ I’m no good with this stuff…
    But thank you for this useful blog post! I’ll have to keep referring back to it! 🙂

    1. If you use WordPress, the latest update has some type of auto-generated privacy policy that you can basically fill in the blanks. Made it pretty easy. I’m such a small-time blogger that I’m hoping what I have should suffice. Good luck!

      http://cityambition.com

  2. Really useful post, thanks! I think I’ve sorted it out; I don’t have a subscriber list and have a pop-up for cookies already installed. The only thing I am unsure about is the post comments part. Do I just add a section to my privacy policy saying that they voluntarily input information when posting a comment?

    1. I’ve been reading several other articles about compliance, and believe that should be added. Mine says something like “Please note that if you post comments on this site, any personally identifiable information you provide in those comments or articles may be read, viewed or used by anyone viewing them.”

  3. Should the Privacy Policy say anything about how comments are being kept? I am also using Disqus and I am not sure how to incorporate it into my policy?
