GDPR checklist for bloggers and online entrepreneurs

The EU General Data Protection Regulation is a challenge for many entrepreneurs in all industries. What is to be done? What to think about? The requirements depend on whether you are the head of a large corporation or a sole proprietorship owner.

For bloggers and online entrepreneurs, it is challenging to select the essentials from the jungle of requirements.

1. Website checklist

Your website is, of course, your heart that has to withstand the GDPR. You should therefore consider the following points:

1. Website checklist

Does your website have an SSL certificate?
Have you taken measures to protect your blog or website against hackers or unauthorized third parties (secure file rights, secure passwords, regular installation of security updates, etc.)?
Have you signed a data processing contract with your hosting provider?

1.2 Analysis tools

Do you use an analysis tool?
If so, which one (e.g., Google Analytics, Piwik, or WordPress.com-Stats)?
Are the IP addresses anonymized?
Is the data on your server or with a third party?
If a third party provider, is the data adequately protected? Have you signed a contract for order data processing (ADV contract) with the third party provider?
Have you ensured that users can object to the collection with one click (the link to this should be in the privacy policy)?

1.3 Forms

Have you integrated forms on your website that transfer personal data?
If so, did you indicate below, above, or next to the form (in short form) what happens to the data when sent? Did you refer to your privacy policy, in which you describe the whole thing in detail?
Important: no form without HTTPS!

1.4 Newsletter

Do you use a newsletter service or plug-in?
Does the entry only occur after a double opt-in procedure (i.e., entry of the email address in the registration form and subsequent confirmation by address via email link)?
Did you indicate on your registration form what the prospect will receive from you when they register? Are you transparent and have written openly when you send offers in addition to information and articles?
Have you signed an ADV contract with your newsletter service provider?
Be careful with service providers outside the EU: In this case, a simple ADV contract is not sufficient. In the case of non-European providers, you have to obtain evidence of additional information from the data importer regarding data protection (ideally by contract). For US service providers such as Mailchimp, it is also necessary that the company is certified according to the EU-US Privacy Shield (although it is still not clear whether this is sufficient).

1.5 Online shop

Your website is, of course, your heart that has to withstand the GDPR. You should therefore consider the following points:

Do you use external service providers (such as PayPal) to process payments? If so, did you write about it in detail in the data protection declaration and pointed out which data is transferred and where it is stored?
Like the shipping service provider: Are email addresses or mobile phone numbers collected to notify the delivery?
Can or must the buyer register to be able to place the order? If so, have you marked it accordingly and offered an option to order without registration?
Do you value IT security in your online shop? If not, then you should! You have stored a lot of personal data in your system that needs to be protected, and access to this data must therefore be appropriately secured.
It starts with the password: Have you ensured that users must adhere to a certain password complexity and that trivial passwords like 1234 are not possible at all?
Another tip: Avoid storing data such as credit card information with you. If possible, I would always use an external security service to bypass this sensitive information’s storage.
An external security scan by professionals would be worth considering in an online shop!

1.6 Plugins, Widgets, etc.

Do you use plugins, widgets, iFrames, additional scripts, or interfaces on your website?
Will this personal store data on your website or with third-party providers? If so, for what purpose? The required data flow so that the service provider can do his job or is too much transferred?
Personal data are collected from membership, form plugins, social, or newsletter plugins.
The easiest way to determine whether a plugin, widget, etc. is GDPR-compliant is to read in the documentation or on the developer’s website. Unfortunately, not every developer is that transparent (or even aware of the requirements of the GDPR), so you often have to examine the service yourself.
If data is transferred, you need an ADV with the service provider. That should be easy when the partner is in the EU. However, if it is in a third country, which is often the case with plugins, it becomes more difficult. You need a contract and, in any case, the addition of how the data is protected during transmission service provider.

If you are not sure which plugins are sending data, you can use other tools. I use:

the website builtwith.com
and the browser plugin Ghostery
the Chrome Developer Tools (click the right mouse button, go to “Investigate” in the context menu and select the “Sources” tab).

You can find a comprehensive overview of WordPress plugins that collect personal data here on the blog: WordPress plugins & GDPR: List of problematic plugins (+ plugin tips!)

1.7 Marketing & Promotion

I find this point the most difficult because it is quite complicated.

Many of my customers no longer even know what marketing services are running on your website. Therefore, tools like Ghostery and the builtwith.com service are, of course, helpful again.

Do you use services like Facebook Pixel, DoubleClick, Google AdSense, or the like? Then you have to write about it in detail in the privacy policy!
The use of advertising trackers is not entirely undisputed. Therefore, make sure that you give users an opt-out option if you make an “extended comparison of their data”.
Especially with retargeting (also called remarketing), it would be even better if the user had to opt-in to consent to the tracking.

1.8 Social Media

Do you use plugins or widgets from social networks such as Facebook, Twitter, Pinterest, and Co.?
If so, make sure you’ve made sure that they don’t transfer personal data before users can object! This applies, e.g., to the standard sharing buttons or the Facebook page plugin.
Alternatively, you can refer to your social platforms with simple links and use the Shariff plugin for the sharing buttons (if you use WordPress).
Can the social networks and their handling of personal data be found in your privacy policy? Also, add in the privacy policy whether and how you use data from Facebook for your company!
Have you given an imprint and privacy policy on your social media pages, or have you linked from there to the corresponding pages on your website?
Did you mention in your privacy policy that it also applies to Facebook, Instagram, and Co.?

1.9 Privacy Policy

Ensure that there is a passage in the data protection declaration for all of the above-mentioned ways in which the personal data is processed!

There are good privacy policy generators out there, such as:

Data protection generator from eRecht24 (some functions subject to a charge)

But make sure that they are GDPR-compliant, e.g., Sometimes additional information is required that was not previously included in the data protection declaration.

Don’t just accept everything unread and add or change the content so that it fits your application!

2. Directory of procedures

There are so many questions and uncertainties about the directory of procedures that I have to say right away: DON’T PANIC! Try to keep it simple. Nobody asks for a doctoral thesis at this point.

Write the procedures in general, not specific to each client. From experience, I would expect around 20 procedures for a pure online entrepreneur if you’re a blogger, probably even less.

You can find more about the detailed structure and content of a procedure directory in my article with a procedure directory template.

3. Duty to provide information

The subject of information obligations is new with the GDPR and did not exist in this form before. Before starting processing, you must inform the data subject what you will do with their data, provided that you collect the data directly from them. If you do not receive the data directly from the person concerned as part of a process, you must inform the person concerned about four weeks.

As an online entrepreneur, you usually do this through your privacy policy. If you still process data outside of your online presence, you must also inform about this.

This information must also follow certain guidelines. I have described what these look like in more detail in my blog post on my website’s information obligation.Therefore, it is important in the data protection declaration that you use generators only to use those that also reflect the complete content of the information obligation.

Everything that is not yet included in the data protection declaration, you have to write together yourself. Here it is recommended that you have worked well with the directory of procedures. You can now use the information again and all you need to do is get it into the right form.

4. Order data processing

It’s not a new term for you now, is it? Do you have service providers on board, or do you use an IT service from a provider that processes personal data for you? In this case, you need a contract for order data processing or order processing (that’s the current term). Make a list of all service providers and make sure that you have an ADV contract with all of them!

Many large companies have standard templates for this, which they usually offer you for download. All you have to do is fill it in with your details and sign it. You can find out which providers already have an ADV contract and which you have to be patient with here:

AV contracts for bloggers & online entrepreneurs: List of hosters, newsletter tools, etc.

What about processors who are based in non-EU countries, i.e., in a third country? In that case, the ADV contract is twice as long because extensive information about the data importer and exporter must be provided.

By the way, there is a special regulation for platforms where providers and users have to register, e.g., with an online learning platform. As a user, you confirm the terms and conditions during registration. I do the same thing, for example, when I offer training. Therefore I do not need an ADV with the online platform. If in doubt, ask the platform provider.

Keep Learning

Save this Post for Later

Received your newslatter to stay on top of the latest blog