The General Data Protection Regulation is a challenge for many business owners. Of course, the requirements depend on whether you are the head of a large corporation or the owner of a sole proprietorship. For bloggers and online entrepreneurs in particular, it is difficult to select the essentials from the jungle of requirements. To make it simpler, let’s create a GDPR checklist for bloggers and online entrepreneurs.
First things first, I’m an external data protection officer for several mid-sized companies and I’ve been working hard on data protection for months. However, this article and checklist cannot replace individual legal advice.
Table of Contents
1. Website Checklist
Let’s go with some key points!
1.1 Data Hosting and Security
Does your website have an SSL certificate?
Have you taken steps to protect your blog or website from hackers or unauthorized third parties (secure file rights, strong passwords, regular installation of security updates, etc.)?
Have you signed a data processing contract with your hosting provider?
1.2 Analysis Tools
Do you use an analysis tool?
If so, which one? (e.g. Google Analytics, Piwik or WordPress.com-Stats)
Are IP addresses anonymized?
Is the data on your server or a third party?
If you are a third-party provider, is the data adequately protected? Have you signed a contract for the processing of order data (ADV contract) with the third-party provider?
Have you made sure that users can object to the collection with one click (the link should be in the privacy policy)?
1.3 Forms
Do you have forms integrated into your website that transfer personal data?
If so, did you indicate below, above, or next to the form (in shorthand) what happens to the data when it is submitted? And did you check your privacy policy, where it describes everything in detail?
Important: no forms without HTTPS!
1.4 Newsletters
Do you use a newsletter service or plugin?
Does the entry only take place after a double opt-in procedure (i.e. entry of the email address in the registration form and subsequent confirmation by address via the email link)?
On your registration form, do you indicate that they had the lead from you when they registered? Are you transparent and have you written openly when you send offers as well as information and articles?
Have you signed an ADV contract with your newsletter service provider?
Be careful with service providers outside the EU: in this case, a simple contract for the ADV is not enough. In the case of non-European providers, you must obtain evidence of additional information from the data importer regarding data protection (preferably by contract). For US service providers, such as Mailchimp, it is also necessary for the company to be certified under the EU-US Privacy Shield. (although it is still unclear whether this is actually enough.)
1.5 Online Store
Due to the complexity and individuality, I can only give you an overview here:
Do you use third-party service providers (such as PayPal) to process payments? If so, did you write it in detail in the data protection declaration and say what data is transferred and where it is stored?
Similar to shipping service provider: Are email addresses or mobile phone numbers collected for delivery notification purposes?
Can or must the buyer register to place the order? If so, have you marked it accordingly and offer an option to order without registration?
Do you value computer security in your online store? If not, you should! You have a large amount of personal data stored on your system that must be protected and, therefore, access to this data must be properly protected.
Start with the password: Have you made sure that users have to meet a certain password complexity and that trivial passwords like 1234 are not possible at all?
Another tip: Avoid storing data like credit card information with you. If possible, always use a third-party secure service to avoid storing this sensitive information. An external security scan performed by professionals at an online store would definitely be worth considering!
1.6 Plugins, Widgets, etc.
Do you use any plugins, widgets, iFrames, scripts or additional interfaces on your website?
Does this mean that personal data is stored on your website or with third-party providers? If so, for what purpose? And is only the necessary data flowing so that the service provider can do its job, or is too much transferred?
Personal data is collected from memberships, form plugins, social or newsletter plugins. The easiest way to find out if a plugin, widget, etc. can be used in accordance with GDPR is in the documentation or on the developer’s website.
Unfortunately, not all developers are so transparent (they don’t even know the GDPR requirements), so you often have to examine the service yourself.
If data is transferred, you need an ADV with the service provider. That should be easy when the partner is in the EU. However, if it is in a third country, which is more common in the case of supplements, it becomes more difficult. You need a contract and in any case the addition on how the data is protected during the transfer and at the service provider.
If you are not sure which plugins are sending data, you can use other tools such as:
• The builtwith.com website
• The Ghostery browser plugin
• Chrome Developer Tools (right-click, go to “Research” in context menu and select the “Sources” tab).
• And you can find a complete overview of WordPress plugins that collect personal data here on the blog: WordPress Plugins and GDPR: List of Problematic Plugins (+ Plugin Suggestions!)
Also Read: How to optimize your XML Sitemap to improve your SEO
1.7 Marketing and Promotion
Personally, I find this point the most difficult, as it is quite complex. Many of my clients don’t even know what marketing services are running on their website anymore. Therefore, tools like Ghostery and the builtwith.com service of course come in handy again.
Do you use services like Facebook Pixel, DoubleClick, Google AdSense or similar?
Then you have to write about it in detail in the privacy policy! The use of advertising trackers is not entirely indisputable. Therefore, be sure to offer users an opt-out option if you perform an “extended comparison of their data.” Especially with retargeting (also called remarketing) it would be even better if the user had to opt-in to consent to tracking.
1.8 Social networks
Do you use plugins or widgets from social networks such as Facebook, Twitter, Pinterest and Co.?
If so, be sure to ensure that no personal data is transferred before users can object. This applies e.g. B. for standard share buttons or Facebook page plugin.
Alternatively, you can check out your social platforms with simple links and use the Shariff plugin for sharing buttons (if you use WordPress).
Can social networks and their handling of personal data be found in their privacy policy? Also add in the data protection declaration whether and how you use Facebook data for your company!
Have you given an impression and privacy policy on your social media pages or linked from there to the corresponding pages on your website?
Do you mention in your privacy policy that it also applies to Facebook, Instagram and company?
1.9 Privacy Policy
Make sure there is a passage in the data protection declaration for all of the above-mentioned ways in which personal data is processed! There are good privacy policy generators, such as:
eRecht24 Data Protection Generator (some features are subject to charge) But make sure they are GDPR compliant, e.g. Ex.
Sometimes additional information is required that was not previously included in the data protection declaration.
Don’t accept everything you haven’t read and add or change content to fit your app!
2. Procedure directory
There are so many questions and uncertainties about the procedure directory that I have to say right away: DON’T PANIC! Try to keep it simple. Nobody asks for a doctoral thesis at this time. Write the procedures in general, not specific for each client. From experience, I would expect around 20 procedures for a purely online entrepreneur. If you’re a blogger, probably even less.
Also Read: What is the URL and how does it influence SEO?
3. Duty to provide information
The issue of the obligation to provide information is new with the GDPR and did not exist in this form before. Before starting processing, you must inform the data subject what you will do with their data, provided that you collect it directly from them. If you do not receive the data directly from the data subject as part of a process, you must inform the data subject within about four weeks.
As an online entrepreneur, you generally do this through your privacy policy. If you process data outside of your online presence, you must also report this. This information must also follow certain guidelines. I have described what these look like in more detail in my blog post about reporting obligations on my website.
It is therefore important in the data protection declaration that you, if you use generators, only use those that also reflect the full content of the information obligation (Articles 13 and 14 GDPR). Everything that is not already included in the privacy policy, you must write yourself. Here it is recommended that you have worked well with the procedure directory. Now you can use the information again and all you need to do is put it in the correct form.
4. Order data processing
It’s not a new term for you now, is it?
Do you have service providers on board or use an IT service from a provider that processes personal data for you? In this case, you need a contract for order data processing or order processing (actually, that is the current term). Make a list of all the service providers and make sure you have an ADV contract with all of them!
Many large companies have standard templates for this, which are usually offered for download. All you have to do is fill it out with your details and sign it. You can find out which providers already have an ADV contract.
What about processors that are based in a non-EU country, i.e. in a third country? In that case, the ADV contract is twice as long, because extensive information about the data importer and exporter must be provided.
By the way, there is a special regulation for platforms where providers and users must register, e.g. Ex. B. with an online learning platform. As a user, you confirm the terms and conditions during registration. I do the same, for example, when I offer training. Therefore, I do not need an ADV with the online platform. If in doubt, consult the platform provider.
Also Read: Complete list of Google Search Operators
5. More pending tasks
Of course, it doesn’t end there for larger companies. The law or laws are extensive. Perhaps one or the other reader is also affected because they have procedures that are subject to a data protection impact assessment?
Maybe you also need a data protection officer? What about the employees? And much more. Of course, this checklist does not cover these specific requirements. But it is a good start and a very good guide to prepare yourself.
