GDPR: How to make your art website compliant

Disclaimer: This is just what I have discovered as I've dived into research on how to make this website GDPR compliant. I am not a lawyer, and this info is intended for general information purposes only.

There has been a lot of talk lately about GDPR and what bloggers and artists with websites need to do to make sure they are compliant. In fact, I've spent a lot of time over the last couple of weeks trying to figure out what the law means and how I need to update my website.

I imagine a lot of you are in the same boat, so I thought I'd share some of the info I've gathered. I hope this is helpful, and can act as a starting point for you to jump into the wonderful world of GDPR (note: dripping sarcasm). There is no certainty since GDPR was just passed, so for the most part we are all just doing our best to interpret this law. Time will tell how courts handle it.

General Notes

However, based on my research, here are some of my big takeaways:

  • Even if you are located outside of the EU, this law applies to you if you have users or subscribers from the EU.

  • Users must have complete control over the data you collect. This means they have to be able to download it, delete it, etc.

  • Users have to be able to withdraw consent for you to have their personal data at any time, and they have to be asked for consent every time they enter their personal information on your site.

  • You have to have a good reason for collecting any user data at all. Do you need folks to enter their contact info to comment? Do you need just their first name, or any name at all for your newsletter?

  • You have to be really thoughtful about any plugins or special features you use on your site and need to evaluate how they collect your user data or track user activities.

  • The law is retroactive so it applies to all customer data, no matter when it was collected.

 

Making Updates

So, after learning all of this and reading a lot of articles, the general recommendation seems to be:

  • If your site has a lot of customization you may need to hire a developer to help you, and if you are running an e-commerce site or a membership type of website, you may need to talk to a lawyer.

  • If your site is pretty basic without a lot of customization you can probably make it GDPR compliant on your own with the help of widgets and articles that outline the steps to take.

 

Steps

If you are just starting to look into GDPR compliance I would suggest taking these steps:

  • First see what your website platform has to say about it. I use Wordpress, so I've read a lot about how they are handling GDPR;

  • Find out if there are any GDPR plugins that work with your platform and read up on the best ones. (I recommend a few for Wordpress below);

  • Start looking at the data you collect on your site and which plugins you use to collect that data;

  • Work on updating (or creating) a privacy policy;

  • Make sure that users are asked for consent before entering personal information anywhere on your site. (A GDPR plugin can help with this).

 

Wordpress Plugins:

GDPR - This seems to be the one most often recommended. It's a good resource for folks who are pretty tech savvy and have a lot of features on their site.

GDPR Framework - This is the one I'm using with my Wordpress site. So far I've been pretty happy with it.

Pros:

  • It has a very simple installer wizard which shows you where you need to make edits to your site, and when possible will make them for you.

  • It is compatible with a lot of the Wordpress plugins I use (for commenting, and email subscription, etc). Because of this all I had to do was click a check-box and the plugin made those features compliant for me.

  • The guide that comes along with the plugin offers a lot of really good information on the law. After reading it I felt like I had a much better grasp on what compliance means.

Cons:

  • It doesn't have a feature to add a cookie banner to your site (which is something a lot of folks might need), but if you use Jetpack you can easily add one of their widgets to your site.

  • You will still need to go in and edit a lot of the privacy policy documentation it generates for you, but hey - you're much further along than you were when you started.

 

Links:

Wordpress Site users guide to GDPR

Jetpack: EU Cookie Law Widget 

Is your website GDPR compliant? How to get ready for the General Data Protection Regulations

A simple guide to GDPR by Tots101