GDPR checklist for bloggers and online entrepreneurs
For bloggers and online entrepreneurs, it is challenging to select the essentials from the jungle of requirements.
1. Website checklist
- Is your website served over HTTPS with a valid TLS certificate (usually still called an “SSL certificate”)?
- Have you taken measures to protect your blog or website against hackers and other unauthorized third parties (restrictive file permissions, strong passwords, prompt installation of security updates, etc.)?
- Have you signed a data processing contract with your hosting provider?
1.2 Analysis tools
- Do you use an analysis tool?
- If so, which one (e.g., Google Analytics, Piwik, or WordPress.com-Stats)?
- Are visitor IP addresses anonymized, i.e., truncated before they are stored?
- Is the data on your server or with a third party?
- If it is with a third-party provider, is the data adequately protected? Have you signed a contract for order data processing (ADV contract) with that provider?
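Anonymizing IP addresses means truncating them before they are written to the analytics database, so the stored value no longer identifies a single connection. The following Python is an added example, not code from the original article or from any analytics product: it zeroes the host part of IPv4 and IPv6 addresses (keeping /24 and /48 by default, the same truncation Google Analytics applies when IP anonymization is enabled) and runs it over a constructed web-server log excerpt.

```python
import ipaddress
from typing import List

# Defaults: keep the first 24 bits of IPv4 and the first 48 bits of IPv6, the
# truncation Google Analytics applies with IP anonymization enabled. Smaller
# prefixes (e.g., /16 and /32) anonymize more strongly at the cost of coarser
# geolocation.
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48


def anonymize_ip(addr: str, v4_keep_bits: int = V4_KEEP_BITS,
                 v6_keep_bits: int = V6_KEEP_BITS) -> str:
    """Zero the host part of an IP address and return the truncated address."""
    ip = ipaddress.ip_address(addr.strip())
    # (address, prefixlen) with strict=False masks off the host bits for us.
    if ip.version == 4:
        network = ipaddress.IPv4Network((int(ip), v4_keep_bits), strict=False)
    else:
        network = ipaddress.IPv6Network((int(ip), v6_keep_bits), strict=False)
    return str(network.network_address)


def anonymize_log(log_text: str) -> List[str]:
    """Rewrite the leading client-IP field of each access-log line.

    Do this before the line is stored: anonymization only helps if the full
    address never reaches disk or the analytics backend.
    """
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, rest = line.split(" ", 1)
        out.append(f"{anonymize_ip(client_ip)} {rest}")
    return out


# Constructed sample log lines (documentation address ranges, not real visitors).
SAMPLE_LOG = (
    '203.0.113.57 - - [10/May/2018:12:00:01 +0200] "GET /blog/ HTTP/1.1" 200 5123\n'
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/May/2018:12:00:02 +0200] '
    '"POST /contact HTTP/1.1" 302 0\n'
)

if __name__ == "__main__":
    for anonymized in anonymize_log(SAMPLE_LOG):
        print(anonymized)
```

The same truncation has to happen wherever the address is handled (web-server log, analytics tool, error reporting), otherwise the full address survives in one of them.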
1.3 Forms
- Have you integrated forms on your website that transfer personal data?
- Important: no form without HTTPS!
1.4 Newsletter
- Do you use a newsletter service or plug-in?
- Is a subscription only activated after a double opt-in procedure (i.e., the email address is entered in the registration form and the subscription is then confirmed by the address owner via a link sent to that address)?
- Does your registration form state what subscribers will receive from you? Are you transparent, i.e., do you say openly that you also send offers in addition to information and articles?
- Have you signed an ADV contract with your newsletter service provider?
- Be careful with service providers outside the EU: in that case, a simple ADV contract is not sufficient. With non-European providers you have to obtain additional, ideally contractual, assurances from the data importer about how the data is protected. For US service providers such as Mailchimp, certification under the EU-US Privacy Shield was additionally required when this was written, although it was already unclear whether that was sufficient; the Privacy Shield has since been declared invalid by the Court of Justice of the EU (Schrems II, July 2020), so check which transfer mechanism, such as standard contractual clauses, currently applies before relying on a US provider.
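Technically, double opt-in means that the form submission only creates a pending entry, and the address is activated solely through a confirmation link that the address owner receives by email. The sketch below is an added Python example, not code from the original article or from any newsletter service: the confirmation link carries an HMAC-signed, time-limited token, so it cannot be forged or reused after expiry, and the confirmation records when and from where it came, which is the evidence of consent you must be able to show. The secret key, the 48-hour validity period and the in-memory store are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Assumption for the example: in production, load the key from configuration
# and rotate it; never hard-code it in the plugin source.
SECRET_KEY = b"example-only-replace-with-32-random-bytes"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed policy: links expire after two days


def _sign(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, issued_at: int) -> str:
    """Build 'base64url(payload).hex(hmac)' for the confirmation link."""
    payload = json.dumps({"email": email.lower(), "iat": issued_at},
                         separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(body)}"


def verify_confirmation_token(token: str, now: int) -> Optional[str]:
    """Return the confirmed email address, or None if invalid or expired."""
    body, sep, signature = token.partition(".")
    if not sep or not hmac.compare_digest(_sign(body), signature):
        return None  # malformed or tampered
    padded = body + "=" * (-len(body) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    if now - data["iat"] > TOKEN_TTL_SECONDS:
        return None  # expired
    return data["email"]


class NewsletterList:
    """Minimal in-memory model of a double opt-in list (assumed storage)."""

    def __init__(self) -> None:
        self.pending: Dict[str, int] = {}     # email -> request time
        self.confirmed: Dict[str, dict] = {}  # email -> proof of consent

    def request_subscription(self, email: str, now: int) -> str:
        """Step 1: the form was submitted. Store only a pending entry and return
        the token for the confirmation mail; nothing else is sent to the address."""
        email = email.lower()
        self.pending[email] = now
        return make_confirmation_token(email, now)

    def confirm(self, token: str, now: int, source_ip: str) -> bool:
        """Step 2: the link was clicked. Activate the address only if the token
        is genuine, unexpired and still pending, and record the proof of consent."""
        email = verify_confirmation_token(token, now)
        if email is None or email not in self.pending:
            return False
        self.confirmed[email] = {"requested_at": self.pending.pop(email),
                                 "confirmed_at": now, "source_ip": source_ip}
        return True

    @staticmethod
    def confirmation_link(base_url: str, token: str) -> str:
        return f"{base_url}?token={token}"
```

Because the token is signed, the server does not have to store it; it only has to know the key and check that the address is still pending, which also prevents the same link from confirming twice.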
1.5 Online shop
Your shop is the heart of your website and has to stand up to the GDPR, so consider the following points:
- Do you use external service providers (such as PayPal) to process payments? If so, have you described this in detail in your data protection declaration, stating which data is transferred and where it is stored?
- The same applies to your shipping provider: are email addresses or mobile phone numbers passed on for delivery notifications?
- Can or must the buyer register in order to place an order? If so, have you marked this clearly and offered an option to order without registration?
- Do you take IT security seriously in your online shop? If not, you should! Your system stores a lot of personal data that needs to be protected, so access to it must be secured appropriately.
- It starts with the password: have you ensured that passwords must meet a minimum length and that trivial passwords like 1234 or password are rejected outright? A check against a list of commonly used passwords catches far more weak choices than complexity rules alone.
- Another tip: avoid storing data such as credit card details yourself. Where possible, let the payment provider hold this sensitive data so that it never lands in your system.
- An external security scan by professionals would be worth considering in an online shop!
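A registration or password-change check that rejects trivial passwords works best when it tests length and a list of known weak passwords rather than only character classes. The following is an added Python example written for this page, not code from the article or from any shop system; the short blocklist is a constructed excerpt (a real deployment would load a large list of leaked passwords) and the 12-character minimum is an assumed policy.

```python
from typing import List

MIN_LENGTH = 12    # assumed policy: favour length over forced character classes
MAX_LENGTH = 128   # allow long passphrases, but bound the input

# Constructed excerpt for the example; in production load a large list of
# commonly used / leaked passwords instead.
COMMON_PASSWORDS = {
    "1234", "12345", "123456", "12345678", "123456789", "password", "passwort",
    "qwerty", "qwertz", "111111", "iloveyou", "admin", "letmein", "welcome",
}


def _is_keyboard_sequence(s: str) -> bool:
    """True for strings like 'abcdefghijkl' or 'zyxwvutsrqpo' (every step +1 or -1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def password_problems(password: str, username: str = "", email: str = "") -> List[str]:
    """Return human-readable reasons the password is unacceptable (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"is shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"is longer than {MAX_LENGTH} characters")

    lowered = password.lower()
    # Strip the usual 'password123!' decorations before consulting the blocklist.
    core = lowered.rstrip("0123456789!?.")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("is a commonly used password")

    if password.isdigit():
        problems.append("consists only of digits")
    if len(set(lowered)) <= 2:
        problems.append("uses too few distinct characters")
    if _is_keyboard_sequence(lowered):
        problems.append("is a simple character sequence")

    # Never accept the account's own identifiers as (part of) the password.
    local_part = email.split("@", 1)[0] if email else ""
    for ident in (username, local_part):
        if len(ident) >= 3 and ident.lower() in lowered:
            problems.append("contains your username or email address")
            break
    return problems


def is_acceptable_password(password: str, username: str = "", email: str = "") -> bool:
    """Convenience wrapper for the registration handler: True if no problems were found."""
    return not password_problems(password, username, email)


if __name__ == "__main__":
    for candidate in ("1234", "Password123!", "correct horse battery staple"):
        print(f"{candidate!r}: {password_problems(candidate) or 'OK'}")
```

Run the check server-side before the password is hashed and stored; client-side checks are only a convenience and can be bypassed.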
1.6 Plugins, Widgets, etc.
- Do you use plugins, widgets, iFrames, additional scripts, or interfaces on your website?
- Do they store personal data on your website or with third-party providers? If so, for what purpose? Does only the data flow that the service provider needs to do its job, or is too much transferred?
- Personal data is typically collected by membership, form, social media, and newsletter plugins.
- The easiest way to find out whether a plugin, widget, etc. is GDPR-compliant is to read its documentation or the developer’s website. Unfortunately, not every developer is that transparent (or even aware of the GDPR’s requirements), so you often have to examine the service yourself.
- If data is transferred, you need an ADV contract with the service provider. That should be easy when the partner is in the EU. If it is in a third country, which is often the case with plugins, it becomes more difficult: you need a contract and, in any case, an addition describing how the data is protected in transit to and at the service provider.
Helpful tools for finding out which third-party services your site actually loads:
- the website builtwith.com
- the browser plugin Ghostery
- the Chrome Developer Tools (right-click the page, choose “Inspect” from the context menu and open the “Sources” tab, which lists every domain scripts were loaded from; the “Network” tab shows the individual requests)
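The two checks from 1.3 (no form without HTTPS) and the tool list above can be scripted against a saved copy of your page. The following Python is an added example, not from the original article or from any of the tools named: it parses the HTML, lists every external host that scripts, iframes, images and stylesheets are loaded from (each a potential data transfer that needs an ADV contract), and flags forms that post over plain HTTP or to another host. The page URL and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urljoin, urlparse


class ThirdPartyAuditor(HTMLParser):
    """Collect every external host a page loads resources from and check where
    its forms post to; an offline equivalent of reading the Sources tab."""

    # Tag -> attribute that carries the URL we care about.
    URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.own_host = urlparse(page_url).hostname
        self.third_party: Dict[str, Set[str]] = {}  # host -> tags loading from it
        self.insecure_forms: List[str] = []         # form targets not using HTTPS
        self.external_forms: List[str] = []         # form targets on another host

    def handle_starttag(self, tag, attrs) -> None:
        attrs = dict(attrs)
        if tag == "form":
            # A missing action posts back to the page itself, so resolve against it.
            self._check_form(attrs.get("action") or "")
            return
        attr = self.URL_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        # urljoin resolves relative and protocol-relative URLs against the page.
        host = urlparse(urljoin(self.page_url, value)).hostname
        if host and host != self.own_host:
            self.third_party.setdefault(host, set()).add(tag)

    def _check_form(self, action: str) -> None:
        target = urlparse(urljoin(self.page_url, action))
        if target.scheme != "https":
            self.insecure_forms.append(target.geturl())
        if target.hostname != self.own_host:
            self.external_forms.append(target.geturl())


def audit_html(page_url: str, html: str) -> ThirdPartyAuditor:
    auditor = ThirdPartyAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor


# Constructed page for the example; the hosts are placeholders, not a real site.
SAMPLE_PAGE_URL = "https://example.com/blog/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-cdn.net/css?family=Roboto">
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<iframe src="https://widget.socialnetwork.example/page-plugin?id=42"></iframe>
<form action="http://example.com/contact" method="post"></form>
<form action="https://newsletter-provider.example/subscribe" method="post"></form>
<form method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for host, tags in sorted(report.third_party.items()):
        print(f"third party: {host:40} via {', '.join(sorted(tags))}")
    for url in report.insecure_forms:
        print(f"form without HTTPS: {url}")
    for url in report.external_forms:
        print(f"form posting to a third party: {url}")
```

The static HTML only shows the first hop: a script loaded from one host may itself load further trackers, which is why the browser's Network tab or Ghostery should be used to confirm the list on the live page.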
1.7 Marketing & Promotion
I find this point the most difficult because it is quite complicated.
Many of my customers no longer even know which marketing services are running on their website. Therefore, tools like Ghostery and the builtwith.com service are, of course, helpful again.
- The use of advertising trackers is not undisputed. So make sure you give users an opt-out option if you perform an “extended matching” of their data.
- Especially with retargeting (also called remarketing), it is even better to require the user’s opt-in before the tracking starts.
1.8 Social Media
- Do you use plugins or widgets from social networks such as Facebook, Twitter, Pinterest, and Co.?
- If so, make sure they do not transfer any personal data before the user has had the chance to consent or object! This applies, e.g., to the standard share buttons or the Facebook page plugin, which contact the network as soon as the page loads.
- Alternatively, refer to your social profiles with plain links and use the Shariff plugin for the share buttons (if you use WordPress); Shariff only contacts the social network when the user actually clicks.
For the data protection declaration itself, generators can help you get started, e.g.:
- Data protection generator from eRecht24 (some functions subject to a charge)
Don’t just accept everything unread and add or change the content so that it fits your application!
2. Directory of procedures
Write the procedures in general terms, not specific to each client. From experience, I would expect around 20 procedures for a pure online entrepreneur; if you are a blogger, probably even fewer.
You can find more about the detailed structure and content of a procedure directory in my article with a procedure directory template.
3. Duty to provide information
This information must also follow certain guidelines. I have described what these look like in more detail in my blog post on the information obligation for websites. When drafting the data protection declaration, it is therefore important to use only generators that reflect the complete content of the information obligation.
Everything the generator does not cover you have to write yourself. This is where a well-maintained directory of procedures pays off: you can reuse its information and only need to put it into the right form.
4. Order data processing
Many large companies have standard templates for this, which they usually offer you for download. All you have to do is fill it in with your details and sign it. You can find out which providers already have an ADV contract and which you have to be patient with here:
AV contracts for bloggers & online entrepreneurs: List of hosters, newsletter tools, etc.
What about processors who are based in non-EU countries, i.e., in a third country? In that case, the ADV contract is twice as long because extensive information about the data importer and exporter must be provided.
By the way, there is a special rule for platforms where both providers and users have to register, e.g., an online learning platform. As a user, you accept the terms and conditions during registration. I do the same, for example, when I offer training there, so I do not need an ADV contract with the online platform. If in doubt, ask the platform provider.