GDPR Checklist for US Small Businesses

Disclaimer: First of all, I’m not a lawyer and this post does not contain legal advice. Make sure to work with your legal counsel to determine what are the right actions to take for your business.

But…we are a small business that deals with these types of things and we’ve done a bunch of research on this. So this is a list of the things that we are doing.

There is also a bunch of other stuff regarding data processing audits, specifying a Data Protection Officer, etc. but we are just going to focus on the mechanical, technical items that are involved (specifically with a WordPress website and Infusionsoft though the same concepts apply to other platforms).

The Quick Tips – What Do You Actually Need to Do?

  1. Create a Privacy Policy if you don’t have one
    1. Template Options
    2. Updating Your Privacy Policy
  2. Link your Privacy Policy in your footer
  3. Create a Cookie Policy
  4. Utilize WordPress Tools
  5. Implement WordPress GDPR Plugins
  6. Renew Existing Lists Consent (too late)
  7. Handle Your Opt-In Forms
    1. Add a Checkbox?
    2. Reframe Your Offers?
    3. Add Your Privacy Policy
  8. Anonymize IP addresses in your Google Analytics
  9. Contact Form Where People Can Request Their Info
  10. Contact Form Where People Can Request Their Data Be Deleted
  11. GDPR Your Infusionsoft
    1. Install GDPR Helper Campaign
    2. Link Personal Info Request web form in Privacy Policy
    3. Add GDPR Tags
    4. Set up Purchase Action to Add Tag of Performance of a Contract on Successful Purchase Action
    5. Link Privacy Policy at All Data Entry Points
    6. Enable GDPR Privacy Controls (if desired)

A Bit of GDPR Context (ignore & just get to the goods)

What Is It?

First of all, GDPR stands for General Data Protection Regulation. It is the EU’s (European Union) new regulation protecting the privacy and personal data of individuals residing in the EU.

There are a zillion posts out there on this so if you want to learn a lot more about the regulation, it’ll be easy to find (Google).

I’m mainly interested in how this impacts small businesses in the USA and what we actually have to do. In this article, we’ll talk about what you actually need to do on your site and in your marketing.

One thing to realize is that as a small business, we are not the GDPR’s main “target”. GDPR is primarily about regulating businesses that do a lot of data processing and often make money from selling or using the data they collect about people.

The big targets are companies like Facebook and Google.

Most small businesses and website owners don’t really do much data harvesting or processing. So you don’t need to panic just because you have a couple of opt-in forms on your site.

Also, nobody is ready.

Platform vendors like WordPress, many marketing automation companies, plugin developers, etc. aren’t really ready. Many are shipping some minimal features to give some measure of compliance but most aren’t there yet.

From what I understand, regulators aren’t ready either and they’re not going to be enforcing things right away.

And also, there is a process. Violations won’t start with fines. There will be a process of request to the business, escalation to a complaint, notifications, cure period, etc. before fines kick in.

So if you’re a little late, don’t panic.

GDPR Philosophy

Another thing to think about is whether you do all the things they say you need to (all these policies, notifications, pop-up forms, etc.) or whether you can change your operations a bit.

Maybe you stop collecting the data that is in question, especially if you don’t need it.

Explicit consent is required for certain special categories of data (racial or ethnic origin, political, religious or philosophical views, biometric info, health info, sexual info), but if you don’t need that, don’t collect it!

And reframe your language around your offers & newsletters. Explicit consent doesn’t have to require a ton of checkboxes.

As an example, one of the vendors we like a lot, Thrive Themes, has changed many of their plugins so they don’t collect personal information so YOU don’t have to do crazy pop-ups and all that. They changed the way that they manage cookies – eliminating and encrypting all personally identifiable information (this includes Thrive Comments, Thrive Quiz Builder, Thrive Ultimatum, etc.). Thrive Quiz Builder also has an option for anonymized data now. More specifics on that down below.

Your GDPR Rights

While GDPR isn’t mainly about email marketing, there are some rights that apply.

At a high level, the main rights GDPR gives to EU citizens are:

  1. Tell them what’s going to happen – person has a right to be told what will happen with their personal data before they submit it and that data can only be used if explicit consent is given.
  2. Give them a recap of the data they’ve submitted – person has a right to know what data has been collected about them and how it’s being used.
  3. Let them change their data – person has a right to update or modify that data.
  4. Let them delete their data – person has a right to have their data completely removed.

When talking about email marketing, this translates as:

  1. Let them know what you’re going to do with their email before they submit it.
  2. Give them a view of their data when they request.
  3. Give them a way to modify their data (and unsubscribe).
  4. Delete all their data when they request it.

Depending on what systems you use, many are doing things to make this easy.

WordPress is building out the ability to export and erase personal data. Many plugin vendors will be hooking into this functionality.

WordPress is also building out functionality to help people implement privacy pages.

Checkbox Craziness Required?

So right now, many marketers are defaulting to checkboxes to gain explicit consent. And some of them, many checkboxes!

And pop-up forms!

From what I understand, explicit consent is required for special categories of data like racial or ethnic origin, political or religious affiliation, biometric info, and health or sexual related data.

So you may not even need anything specific here.

If you want to be safe though, one thing to do is to reframe your offer.

1. Create a Privacy Policy if You Don’t Have One

WordPress Core Template

WordPress can generate a template for you, although it is incomplete. It is the start of a template though and gives you some indication of what to fill out. If you are updated to at least version 4.9.6, you will see a pop-up pointing to the Settings > Privacy area. There you can create a new page with the template or set your existing Privacy Policy.

The GDPR Framework Template

The GDPR Framework by Codelight is also a nice plugin that can help you create a template. This template is more complete than the default WordPress one. It walks you through a number of steps and gives you some direction on GDPR requirements. WordPress Plugin URL

Purchasing a Template

The other way you can go is to purchase a template or a template service. This is what we did.

Suzanne Dibble

We purchased the GDPR Compliance Pack that Suzanne Dibble has put out. It’s £164.17 (about $220 USD). She is an acknowledged expert on GDPR. We also saw a ton of references to her from people that we respect (DigitalMarketer, Jason Swenk, OptimizePress, etc.)

That is where we got our Privacy Policy and Cookie Policy templates. Once you look at enough sites out there (especially of people in the marketing and info space), you’ll notice that this is pretty heavily used.

In addition to the templates, Suzanne gives you the reference materials through a membership site. It has a ton of stuff on there including videos around all of this material.

We are not affiliates or anything but here is some of what is included in her GDPR Pack:

  • Email for refreshing consent
  • GDPR compliant privacy policy
  • GDPR checklist inc processing checklist
  • Data processing inventory
  • Legitimate Interests Assessment form
  • Data transfer checklist
  • Marketing checklist
  • Records retention policy
  • DPO checklist
  • Employer checklist
  • Employee privacy statement
  • Employee subject access request form
  • Response to employee subject access request
  • Processor agreement
  • Subject access record
  • Data breach record
  • Data breach checklist
  • DPIA form

She also has a Facebook group:
https://www.facebook.com/groups/GDPRforonlineentrepreneurs/

Writers’ HQ

Another template that I actually really like is the Privacy Policy done by Writers’ HQ. It is very tongue in cheek and has gotten posted about a bit on social, but they actually have it set up so you can license it.

https://writershq.co.uk/privacy-policy/

You can basically just swipe it for £200 (around $267 USD) OR you can use it for free but you have to link back to their site at the top of your privacy policy with these specific words:

You can whack ’em on your site TOTALLY FREE OF CHARGE but you must include a link back to www.writershq.co.uk at the top of the privacy policy where people might actually see it, and use the following words: “With thanks to Writers’ HQ, our supreme writing commanders, glorious leaders and excellent but tiny overlords, who have verily granted us permission to use their splendid and sweary Privacy Policy.”

It’s funny but it’s actually pretty clear and well done.

Updating the Privacy Policy with Your Info

Once you have your template, create a WordPress page and paste it in (or do this after you’ve finalized it).

So now that you have the template, the real pain is updating it with your information.

You need to look at your company’s operations and see what you are collecting and where…

  • Where are you collecting data?
    • Web forms, landing pages, shopping carts, order forms, pop-up forms
  • How are you handling consent?
  • What cookies and web tracking are you using?
  • What third parties are involved with the data you collect?
    • CRM systems, email marketing platforms, membership sites, E-Commerce functionality, payment processors, etc.
  • And more…

And then when you get done with all of that, you need to go to your Privacy Policy template and update it with your information and delete some of the sections that don’t pertain to you.

2. Link your Privacy Policy in your footer

So this one should be pretty easy. You’ve got a WordPress page with your Privacy Policy on it. Link to that in one of your Footer widgets if you have one.

Or put it below the footer if your site supports that.

3. Create a Cookie Policy

For this one, you’re probably on your own if you went with the WordPress core template or one of the plugin based ones. I didn’t see many Cookie Policy templates. That said, they’re pretty simple & you might be able to get a good idea from other sites out there with Cookie Policies.

One came with the Suzanne Dibble GDPR Pack so we went with that.

4. Utilize WordPress Tools

As of version 4.9.6, WordPress has implemented some functionality in core to help with things like GDPR.

WordPress now has functionality to help you create and set a page for your Privacy Policy. You can find this under Settings > Privacy. It will even help you with a basic privacy policy template that you can put your own details into.

WordPress also now has some core functionality to give users back their information upon request and to anonymize it as well.

You will see those features under:

  • Tools > Export Personal Data
  • Tools > Erase Personal Data

Those let a WordPress administrator search by email address and trigger an email to that address with the associated user data for review. On an erase request, they also allow the redaction (anonymization) of the user data.

More detail here: https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/

With this functionality, we will also see plugins developed that will hook into it and further enhance these features.
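The hook-in the previous sentence refers to works like this. The block below is an added example, not code from the post, from WordPress core or from any plugin it names: it registers a personal-data exporter and eraser with the 4.9.6 privacy tools for a hypothetical newsletter plugin, assuming that plugin keeps sign-ups in a custom table named `{$wpdb->prefix}example_signups` with columns `id`, `email`, `ip` and `signed_up_at`.

```php
<?php
/**
 * Plugin Name: Example Newsletter Privacy Hooks
 *
 * Added example (not from the post): registers a personal-data exporter and
 * eraser so that Tools > Export Personal Data and Tools > Erase Personal Data
 * also cover a hypothetical plugin's own table. Assumed: the table
 * {$wpdb->prefix}example_signups exists with columns id, email, ip, signed_up_at.
 */

// Tell core about our exporter. Core calls it for the email address the admin enters.
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_signup_exporter' );
function example_register_signup_exporter( $exporters ) {
    $exporters['example-newsletter-signups'] = array(
        'exporter_friendly_name' => 'Example Newsletter Signups',
        'callback'               => 'example_export_signups',
    );
    return $exporters;
}

// Builds the rows that end up in the .zip the user receives.
function example_export_signups( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_signups';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email, ip, signed_up_at FROM {$table} WHERE email = %s", $email_address )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-newsletter-signups',
            'group_label' => 'Newsletter Signups',
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',      'value' => $row->email ),
                array( 'name' => 'IP address', 'value' => $row->ip ),
                array( 'name' => 'Signed up',  'value' => $row->signed_up_at ),
            ),
        );
    }

    // 'done' => true tells core there are no further pages for this exporter.
    return array( 'data' => $export_items, 'done' => true );
}

// Same pattern for erasure, which core runs only after the user confirms by email.
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_signup_eraser' );
function example_register_signup_eraser( $erasers ) {
    $erasers['example-newsletter-signups'] = array(
        'eraser_friendly_name' => 'Example Newsletter Signups',
        'callback'             => 'example_erase_signups',
    );
    return $erasers;
}

function example_erase_signups( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_signups';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => $deleted > 0,  // something was actually erased
        'items_retained' => false,         // nothing kept on legal grounds
        'messages'       => array(),       // would explain any retention to the admin
        'done'           => true,
    );
}
```

If a record must be kept (for example an invoice), set `items_retained` to true and add a message explaining why, and the admin sees that reason in the erase request screen.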

5. Implement WordPress GDPR Plugins

There are a bunch of WordPress GDPR plugins out there.

There are a couple of flavors too. There are GDPR specific plugins to help you with some of the requirements of the law. Things like Privacy Policy, addition of checkboxes to forms, retrieval and anonymization of data. Then there are cookie notice plugins too.

We like a few of the general GDPR plugins:

We ended up implementing WP GDPR Compliance. This allows for:

  • Easy addition of checkbox to Gravity Forms forms (integration)
  • Ability to set the Privacy Policy page
  • Ability to automate the requesting of user data
  • Checklist of GDPR suggestions

There are also some good cookie plugins. We did not choose to implement any of them at this time for ourselves. From what we have read and with our lack of presence in the EU, it didn’t appear to be warranted at this time.

Some of our customers have chosen to implement though.

As far as cookie plugins, some of the highly rated ones are:

6. Consider Renewing Existing Lists Consent (Too Late)

Too late!!!!

So this one is kind of tough. And to be honest, if you’re reading this, you probably already missed the 5/25/18 deadline.

It’s kind of a grey area anyway. While I’ve seen a ton of marketers sending this type of email, I’ve also seen a bunch who didn’t.

Since it’s too late, I wouldn’t worry too much about it.

But if you really are interested, here’s what I got from it.

You can decide to send emails based on “consent” or “legitimate interest”.

It can actually depend on the original consent you got when contacts joined your list. If they joined in a method that is compliant, you probably don’t need to get fresh consent but should send them your updated privacy policy and terms and remind them of their ability to unsubscribe at any time.

You can take a look at the ICO consent checklist to dig into this.

You can also make a case to use “legitimate interest” instead of consent. Legitimate interest is basically the idea that you have a reasonable reason to process the data which someone would reasonably expect, and that is ethical and legal.

More on this on the ICO website (including the three-part test to evaluate legitimate interest reasoning).

If you’re using legitimate interest, you may not need to obtain fresh (or any) consent from:

  • Limited companies or LLCs
  • Existing customers
  • Prospects with whom you have had negotiations about similar goods or services.

As a small US company who really doesn’t do anything overseas, we didn’t feel the need to go for fresh consent.

If businesses decide that they can send marketing emails on the grounds of legitimate interests, then they needed to send an email with their updated privacy policy informing the relevant email subscribers of their right to object to the processing (or unsubscribe).

That’s still a good idea and something you can do.

7. Handle Your Opt-In Forms

Add a Checkbox?

Ok, so there is a lot of debate on this one. Some people think you need a checkbox everywhere, but there is disagreement on how explicit the consent has to be or whether a checkbox is actually needed.

You definitely cannot pre-check checkboxes.

But are they absolutely needed?

The main place it comes into question is with lead magnets and automatically adding people to your newsletter.

Basically you’re not supposed to do that.

Don’t Sell the Lead Magnet…and add them to your list…

That’s not good practice anyway.

What most GDPR folks will say is that you have to give your lead magnet away for free and have an unchecked checkbox to allow people to opt-in to your newsletter.

I don’t agree with that either.

Reframe Your Offers?

I like the take that Thrive Themes has, where they suggest reframing your offer.

Change your form or pop-up offer text to focus on the newsletter. Tell them ahead of time what they are getting. If they opt-in, they know that and they’ve provided explicit consent.

Doing that, you avoid checkbox hell and minimize the hit to your conversion.

Basically go from…

“Free PDF: Get the Awesome Guide – Tell us where to send the PDF with our great tips.” (and then add them to your newsletter anyway)

to

“Subscribe to Get the Awesome Guide – Get our newsletter & get instant access to the free PDF”. (still being up front but they have a choice on whether to get the newsletter as it’s stated)

I actually would soften it a bit more & take out the quid pro quo.

“Subscribe to Get Our Newsletter and the free PDF”

(This is still in debate and I’ve seen lawyers back it and argue against it. There is some talk against bundling in GDPR but I think this will all come out in the wash. I think you can make an argument that it’s 1 offer. Not 2 separate things.)

Or something like…

“Sign up to receive weekly tips on how to XXX and we’ll also send you a cool cheatsheet with X things you can do right now to BENEFIT.”

More on this at the post: https://thrivethemes.com/gdpr-for-email-marketing/

Note: We are not going to go the checkbox way until it’s proven that it’s actually required. We will be following and suggesting this reframing method.

Add Your Privacy Policy

For GDPR compliance, it is pretty universal that your opt-in forms need to have the privacy policy linked in them now though.

That also applies to any order forms or shopping cart as well.

8. Anonymize IP addresses in your Google Analytics

So there are a variety of ways to do this. Some detail from Google here: https://developers.google.com/analytics/devguides/collection/gtagjs/ip-anonymization

We’ve embedded Google Analytics in a variety of ways in the past.

If you’re using Google Tag Manager, you can update the tracking code there.

If you are looking for a simple and easy way, plugins like MonsterInsights have a simple setting to anonymize IP addresses. If you go to the Tracking tab > Demographics, you’ll see a checkbox to Anonymize IP addresses. Select that and Save.

Absent Google Tag Manager, we prefer plugins to implement Google Analytics as we’ve seen too many site owners that lose their GA when switching themes.
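Since we prefer loading Google Analytics from a plugin rather than the theme, here is what that looks like with IP anonymization turned on. This is an added example written for this post, not code from Google, MonsterInsights or any plugin named above; the tracking ID `UA-XXXXXXXX-X` is a placeholder you replace with your own property ID, and the `example-` names are made up for the example.

```php
<?php
/**
 * Plugin Name: Example GA Anonymize IP
 *
 * Added example (not from the post): loads gtag.js from a small plugin, so the
 * tracking survives a theme switch, and sets Google's documented anonymize_ip
 * flag on the config call. Assumed: EXAMPLE_GA_ID is replaced with your own ID.
 */

define( 'EXAMPLE_GA_ID', 'UA-XXXXXXXX-X' ); // placeholder, not a real property

add_action( 'wp_enqueue_scripts', 'example_ga_enqueue' );
function example_ga_enqueue() {
    // Load the gtag.js library in <head>, as Google's own snippet does.
    wp_enqueue_script(
        'example-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( EXAMPLE_GA_ID ),
        array(),
        null,
        false
    );

    // Weak setting:     gtag('config', 'UA-…');  (full visitor IP sent to Google)
    // Corrected setting: the anonymize_ip flag below, which has Google drop the
    // last octet of IPv4 / last 80 bits of IPv6 addresses before storage.
    $config = sprintf(
        "window.dataLayer = window.dataLayer || [];\n"
        . "function gtag(){dataLayer.push(arguments);}\n"
        . "gtag('js', new Date());\n"
        . "gtag('config', %s, { 'anonymize_ip': true });",
        wp_json_encode( EXAMPLE_GA_ID )
    );
    // Printed right after the library tag; gtag() queues calls until it loads.
    wp_add_inline_script( 'example-gtag', $config );
}

// gtag.js is meant to be loaded async. WordPress 4.9.6 has no flag for that,
// so add the attribute to just our script tag.
add_filter( 'script_loader_tag', 'example_ga_async', 10, 2 );
function example_ga_async( $tag, $handle ) {
    if ( 'example-gtag' === $handle ) {
        $tag = str_replace( ' src=', ' async src=', $tag );
    }
    return $tag;
}
```

Drop the file into `wp-content/mu-plugins/` and it keeps loading regardless of which theme is active; confirm the flag in the browser by checking that the collect request carries `aip=1`.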

9. Contact Form Where People Can Request Their Info

WordPress

WordPress Core Feature

So with the update to WordPress 4.9.6, this functionality exists.

The simple, manual way to handle this is to implement a contact form on the website for users to request their info. That submission should go to a WordPress administrator.

Upon that request, the administrator can go to Tools > Export Personal Data, enter the email address or username and click Send Request.

This will send an email to the user verifying that they have made the request with a link to confirm the request. Upon confirmation, that notification will be sent to the administrator who can now send that user’s data with a click of a button.

The user will now get an email with a .zip file containing their data.

WordPress Plugins

Some WordPress plugins, like WP GDPR Compliance, implement functionality to make this much easier.

Instead of having to create a form for a user to submit, the plugin enables you to create a Data Access Request page quickly and easily. That allows the user to enter their email address and request their data.

That sends an email with a time limited (24 hour) link with their personal data. That allows the user to see their data and also request the anonymization of it right from there.

Infusionsoft

And then you need to do pretty much the same thing in Infusionsoft: let people request their data and send it back to them.

Infusionsoft has a campaign and some features that aid this. We will get into that right below!

10. Contact Form Where People Can Request Their Data Be Deleted

WordPress Core Feature

So with the update to WordPress 4.9.6, this functionality exists.

The simple, manual way to handle this is to implement a contact form on the website for users to delete their info. That submission should go to a WordPress administrator.

Upon that request, the administrator can go to Tools > Erase Personal Data, enter the email address or username and click Send Request.

This will send an email to the user verifying that they have made the request with a link to confirm the request. Upon confirmation, that notification will be sent to the administrator who can now anonymize that user’s data with a click of a button.

The user will now get an email confirming the anonymization of their data.

WordPress Plugins

As mentioned above, some WordPress plugins, like WP GDPR Compliance, implement functionality to make this much easier. And this functionality is rolled into the requesting of user data as mentioned.

Instead of having to create a form for a user to submit, the plugin enables you to create a Data Access Request page quickly and easily. That allows the user to enter their email address and request their data.

That sends an email with a time limited (24 hour) link with their personal data. That allows the user to see their data and also request the anonymization of it right from there.

11. GDPR Your Infusionsoft

Infusionsoft has some really good information on GDPR and is also working on implementing functionality to help users stay compliant.

Some really good Infusionsoft info here:
https://www.infusionsoft.com/legal/gdpr-readiness-guide

Install GDPR Helper Campaign

Infusionsoft has released a campaign to help people with GDPR compliance.

It has a few different features.

  1. It provided a mechanism to help refresh consent for people already on your list. As said, the deadline for this is past. Too late.
  2. It provides a mechanism for people to request their personal info, change their personal info or delete their personal info. This is a web form that can be linked to from the Privacy Policy or other locations.
  3. Upon the request, it will create the appropriate task for the appropriate Infusionsoft user to follow up on the specific request.

These will all still need to be manually fulfilled but the functionality is there.

You can find the campaign at:
https://marketplace.infusionsoft.com/listing/infusionsoft-prepare-for-gdpr-compliance

Link Personal Info Request Web Form in Privacy Policy, Contact Us, Etc.

One of the things created by the GDPR Helper Campaign is the Personal Information Request web form.

We think the easiest thing there is to use the hosted version of that form and link to its URL from your Privacy Policy.

It’s also a good idea to have it readily available in other places. We like having it on your Contact Us page.

Add GDPR Tags

When installed, the GDPR Helper Campaign also creates a number of tags.

It creates tags for the helper campaign itself under the tag category of GDPR Helper Tags:

  • Consent request for GDPR
  • Requested to View Personal Data
  • Requested to Change Personal Data
  • Requested to be Removed

It also creates one of the GDPR Lawful Basis tags:

  • Informed Consent

It is also recommended to manually create 2 additional GDPR Lawful Basis tags:

  • Performance of a Contract
  • Legitimate Interest

These tags can be set to be applied at the correct point and can also be manually applied.

Set up Purchase Action to Add Tag of Performance of a Contract on Successful Purchase Action

As a purchase indicates a contract for the purposes of GDPR, go to E-Commerce Setup > Actions > Purchase Actions.

Click the Actions button next to Successful Purchase Action.

Choose Add/Remove Tag and add the tag GDPR Lawful Basis > Performance of a Contract.

Link Privacy Policy at All Data Entry Points

Add a link to your privacy policy on all web forms, landing pages, order forms and shopping cart (i.e. wherever you collect personal data).

This can easily be done on the web form builder, the landing page builder, order form themes, shopping cart theme and order forms themselves.

Enable GDPR Privacy Controls (if desired)

While the above Infusionsoft functionality can all be leveraged, there are some additional GDPR features that can be enabled.

To enable GDPR Privacy Controls, go to Admin > Settings > Privacy & Compliance.

If you enable the GDPR feature, you will have to specify a Data Protection Officer (DPO), your Representative in the EU and accept the Infusionsoft Data Processing Addendum.

When you do that, your unsubscribe link will have an additional option: “Revoke permission to use any of my personal data. All personal data not legally necessary will be erased.”

That will send a confirmation email to their email address. Once they click the link in it, all Infusionsoft administrators will get an email notification of the request.

The enabling of this feature also gives users a Redact button on the contact records. This is what the administrator will use when they get the email notification.

More Info

There is a TON of info out there on GDPR.

Really good references:

Some of the Services/Platforms We Use and Info on Them:
