What needs to happen on your US website to comply with GDPR?
It looks like a lot of moving pieces, but if you take them one at a time it won’t be so overwhelming. Remember GDPR wants to see that you’re moving into compliance.
Also, I am not a lawyer, nor do I play one on TV. I’m not offering legal advice about GDPR.
Make a list
The very first thing to do is make a list of every way you collect personal data. Here’s the short list that almost every site uses. Your site may use some of these, and possibly more.
By IP address
- Email service providers like MailChimp
- Google Analytics
- Jetpack Stats
- Facebook Pixels
- Hosting provider
By email address
- Comment forms
- Gravatar – to add images to the comment area
- Email service provider like MailChimp
- Facebook Ads
- Webinar registrations – like Zoom and GoToWebinar
- Payment gateways – like Stripe and Paypal
- eCommerce stores – if you have WooCommerce
- Google Drive & Dropbox
- Your CRM – like Salesforce, Insightly, Capsule etc.
- Financial software – like Quickbooks, Freshbooks or your eCommerce store
- Your email software – this could be your hosting company or Gmail or Outlook
Once you have this list, look it over and make sure there is a reason to collect the data and that you use the data collected. If you’re not using it, don’t collect it.
Start making changes
Change Your Forms
Change your email subscription forms. Any subscription form that promotes a free opt-in offer must clearly state at the top of the form that the visitor is subscribing to your list and receiving the free opt-in offer in return.
Change your contact forms and add a checkbox to let people give consent to data being collected and stored. Make the checkbox required.
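The browser’s required attribute only stops honest visitors from skipping the box; anything can be POSTed directly to your form handler. Here is an added example (not code from the original post) of a server-side check in Node.js that rejects submissions without explicit consent and builds a record of what was agreed to and when. The field names, the checkbox value "yes" and the consent-text version string are assumptions.

```javascript
// Added example: server-side enforcement of the required consent checkbox.
// Assumes the contact form's checkbox is <input type="checkbox" name="consent" value="yes">.

// Hypothetical label for the consent wording shown on the form. Change it
// whenever the wording changes so each stored record says what was agreed to.
const CONSENT_TEXT_VERSION = "contact-form-consent-v1";

// Validate a submitted form body. Returns { ok: true, record } when consent
// was given, or { ok: false, error } otherwise. Nothing is stored on failure.
function handleContactSubmission(body, now = new Date()) {
  if (!body || typeof body !== "object") {
    return { ok: false, error: "malformed submission" };
  }
  // Accept only the exact value the form's checkbox emits. An unticked box is
  // normally absent from the POST body; any other value is not consent.
  if (body.consent !== "yes") {
    return { ok: false, error: "consent checkbox not ticked" };
  }
  const email = String(body.email || "").trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: "invalid email address" };
  }
  // The consent record: who agreed, to which wording, and when. This is the
  // evidence you would show if someone later asks how their data came to be held.
  const record = {
    email,
    message: String(body.message || "").trim(),
    consentTextVersion: CONSENT_TEXT_VERSION,
    consentedAt: now.toISOString(),
  };
  return { ok: true, record };
}

// Constructed sample submission, as a form handler would receive it.
const sample = { email: "visitor@example.com", consent: "yes", message: "Hello" };
console.log(JSON.stringify(handleContactSubmission(sample, new Date("2018-05-25T00:00:00Z"))));
```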
Add a Cookie Notice
List the analytics services you use, e.g. Google Analytics and WordPress (Jetpack).
In the “How we protect your data” section, describe how you protect data. If you’re one of our hosting clients you can add: Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology. We take appropriate and reasonable technical and organizational measures to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information.
Each website is unique. If you’re one of our hosting clients you can add to the “How long we retain your data” section: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
Here’s the default wording: If you have an account on this site or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
You’ll need to list your third-party providers here as well.
Visitor comments may be checked through an automated spam detection service. When you sign up to be on our email list, for marketing purposes, your data is stored in MailChimp. MailChimp does not use the data. When you schedule a meeting your contact data is stored in Book Like a Boss. Book Like a Boss does not store your financial data. When you purchase from us through Book Like a Boss your payment is processed by Stripe. No financial information is stored on this site.
Data breach procedures
What data breach procedures we have in place
This is the default … and I’m actively looking for stronger wording.
If there were a breach of data, we would correct the breach and personally email the affected recipients within 48 hours of identifying the breach.
Additional legal information