Changes due to GDPR on Barbaralicious
By now, almost everyone has heard of it: The General Data Protection Regulation (GDPR) came into force on the 25th of May 2018 and has not only caused a lot of confusion but, above all, has sent companies and website owners scrambling to implement the corresponding changes.
It’s been on my mind for more than two months. I collected information from many pages and mainly followed the steps of a blogger friend of mine from Reisen Fotografie Blog.
A completely new development: it has even led to me becoming certified as a Data Protection Officer.
But now, let me show you what I changed on Barbaralicious to comply with GDPR.
Comments
On Barbaralicious you can leave comments under blog posts. Since May 25th, this requires an additional checkbox that must be ticked. With this checkbox, you confirm that you agree that I will save your data (name, email address and – if you enter it – your website) after submitting the comment.
For the implementation, I first used the plugin WP GDPR Compliance. After a few weeks though, I inserted it via a code snippet to get rid of the plugin.
Until now, the IP address was also saved whenever a comment was submitted. This is no longer allowed. Therefore, two changes were necessary:
- It is now necessary to prevent IP addresses from being stored
- All previously stored IP addresses must be deleted
I made these changes in the theme files via FTP and directly in the database via MySQL.
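As an added example (not the blog's own snippet, and not what the WP GDPR Compliance plugin does), here is a plugin-free version of the two comment changes described above, written for the active theme's functions.php. The field name gdpr_consent, the text domain and the wording are assumptions.

```php
/**
 * Added example, not the blog's own code: a consent checkbox on the comment
 * form, server-side enforcement of it, and no more IP storage.
 * Goes into the active theme's functions.php (or a small mu-plugin).
 */

// 1) Add a consent checkbox to the comment form. 'comment_form_fields' is
//    applied to the whole field list, so the box also shows for logged-in users.
add_filter( 'comment_form_fields', function ( array $fields ) {
    $fields['gdpr_consent'] = sprintf(
        '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="1" required> '
        . '<label for="gdpr_consent">%s</label></p>',
        esc_html__( 'I agree that my name, email address and website (if given) are stored with this comment.', 'example' )
    );
    return $fields;
} );

// 2) Enforce it server-side: the HTML "required" attribute alone is trivially
//    bypassed. 'preprocess_comment' runs before the comment is written.
add_filter( 'preprocess_comment', function ( array $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( $type !== '' && $type !== 'comment' ) {
        return $commentdata; // pingbacks/trackbacks carry no form; leave them alone
    }
    if ( empty( $_POST['gdpr_consent'] ) ) {
        wp_die(
            esc_html__( 'Please confirm that your data may be stored with your comment.', 'example' ),
            esc_html__( 'Comment rejected', 'example' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3) Stop storing the commenter's IP address. WordPress passes the address
//    through 'pre_comment_user_ip' right before saving; returning an empty
//    string leaves comment_author_IP blank in the wp_comments table.
add_filter( 'pre_comment_user_ip', '__return_empty_string' );
```

The filter only affects new comments. Addresses already stored have to be cleared once in the database, for example with `UPDATE wp_comments SET comment_author_IP = '' WHERE comment_author_IP <> '';` (adjust the table prefix if yours is not `wp_`), and the same goes for any database backups that still contain the old rows.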
Newsletter
I’ve been wondering for a long time whether I’d like to keep the newsletter or not. The effort of changing every single post (I had manually inserted a signup form under each blog post) and the fact that I would have to ask my subscribers for a new opt-in spoke in favor of deactivation. In the end, however, the latter turned out to be wrong. After I received emails from lawyers who said that a new opt-in was not necessary if the email addresses had been collected with a double opt-in, my decision was made: The newsletter remains.
I made the following changes:
- Adaptation of the signup text – now I point out tracking, storage and everything else that is interesting BELOW the signup form
- I changed the whole signup process – everything now runs on one (!) signup page. I’ll probably have fewer registrations, but I’m legally on the safe side
- I signed a Data Processing Agreement with my service provider Mailchimp
The Hoster
My hoster is from Germany and is called All-Inkl. They offer a Data Processing Agreement in their backend, which I simply had to accept – with one click. I am also Manager of Marketing & Sales at 2AIM GmbH. Unfortunately, the hoster of the GmbH is not All-Inkl, but HostEurope. It wasn’t that easy there, because you had to fill out the contract and indicate exactly what data was processed on the website. This contract had to be sent back to HostEurope by snail mail or e-mail.
Privacy Policy
The Privacy Policy has to be adapted. I used the generator of the German Society for Data Protection. However, I went through the Privacy Policy afterward and adapted it, so the version you see now is not exactly what the generator produced.
Social Media Sharing
In fact, I haven’t had any social sharing buttons so far, after reading a few years ago that most plugins have privacy issues. However, I now know that there is one plugin that has been compliant all the time and continues to be so even after GDPR came into force: The plugin is called Shariff. I installed and activated it on my blog. So from now on, you will find buttons under my blog posts with which you can share my posts in social media.
Contact form
I said goodbye to all my contact forms. Yeah, it’s been used every now and then. But I wanted to be on the safe side, so I completely redesigned the contact page and removed the contact form.
If you want to keep yours, you have to consider two points:
- You MUST run your site via https
- This point is somewhat controversial, but: you actually need a checkbox that says that you are saving the data. Well, some say you need it, others say it’s bullshit. If you decide to go for the checkbox, the plugin that also adds the checkbox to the comment fields should do the trick. But since that didn’t work out for me, the decision to remove the contact form was very easy for me in the end.
Gravatar
Gravatar is the service that stores your pictures, which are then displayed next to your name when you comment. You’ve probably seen it many times on blogs. This service is activated by default in WordPress. But you can turn it off with one click. Just go to Settings -> Discussion -> Avatars. As long as the „Show Avatars“ checkbox there is ticked, avatar images are loaded from Gravatar; untick it and Gravatar is off.
You cannot delete your account at Gravatar. I wrote them but, unfortunately, the only thing we can do at the moment is deactivate it on our blogs.
Emojis
It was just as easy with the Emojis. Just go to Settings -> Writing and uncheck the option „Convert emoticons like :-) and :-P to graphics on display“.
And if you are wondering what’s so bad about emoticons: When they are displayed as graphics, the images have to come from somewhere. They are NOT stored on your server but are loaded from an external server (WordPress uses s.w.org for this), so every visitor’s browser connects to a third party. Since data is transferred when loading something from another server, this is no longer permitted.
Fortunately, this change is quickly done.
Google products
Google is an American provider and therefore fundamentally difficult to reconcile with the new data protection laws.
Fonts
Fonts are often not stored in WordPress and served from your own server, but loaded from Google by default. I wonder, to be honest, who came up with this glorious idea. Moreover, I cannot imagine that WordPress will not provide its own solution for this in the long term. At the beginning, I had solved this via the plugin Divi DSGVO (DSGVO is the German abbreviation for GDPR), which prevents loading the fonts from Google and lets you choose the fonts you want to store on your server. Theoretically, this should also improve loading time. Since that improvement didn’t materialize and the plugin didn’t do anything else, I uninstalled it and applied a plugin-free solution.
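As an added example (not the blog's own plugin-free solution and not the Divi DSGVO plugin's code), this functions.php snippet removes the two external loads discussed in the Emojis and Fonts sections: the emoji images from s.w.org and any stylesheet the theme pulls from fonts.googleapis.com. The local file path /fonts/fonts.css and the handle local-fonts are assumptions.

```php
/**
 * Added example, not the blog's own code: drop the emoji image loader and
 * replace Google Fonts with a self-hosted stylesheet. Goes into functions.php.
 */

// Emojis: WordPress injects a detection script and fetches emoji images from
// s.w.org. Removing the hooks keeps the characters but drops the remote images.
add_action( 'init', function () {
    remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
    remove_action( 'wp_print_styles', 'print_emoji_styles' );
    remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
    remove_action( 'admin_print_styles', 'print_emoji_styles' );
    add_filter( 'emoji_svg_url', '__return_false' ); // also removes the dns-prefetch hint
} );

// Fonts: dequeue every stylesheet registered from fonts.googleapis.com,
// whatever handle the theme gave it, then load a self-hosted stylesheet.
// The file /fonts/fonts.css is an assumed path; it must contain @font-face
// rules that point at font files you copied onto your own server.
add_action( 'wp_enqueue_scripts', function () {
    $styles = wp_styles();
    foreach ( $styles->registered as $handle => $style ) {
        if ( is_string( $style->src ) && false !== strpos( $style->src, 'fonts.googleapis.com' ) ) {
            wp_dequeue_style( $handle );
            wp_deregister_style( $handle );
        }
    }
    wp_enqueue_style(
        'local-fonts',
        get_stylesheet_directory_uri() . '/fonts/fonts.css',
        array(),
        null
    );
}, 100 ); // late priority so it runs after the theme enqueued its fonts
```

Check the result in the browser's network tab after a hard reload: no request to fonts.googleapis.com, fonts.gstatic.com or s.w.org should remain. A theme that prints its Google Fonts `<link>` tag directly in the header instead of enqueueing it will not be caught by the dequeue loop and has to be patched in the theme itself.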
YouTube videos
I’ve been dealing with YouTube videos for two weeks. The problem is that by embedding videos via YouTube, data is transferred between YouTube and the blog without the reader knowing about it. My first approach was to replace all videos with text links. That was a real challenge with over 200 videos on my blog. After three days I read that you can switch the embed link to the „nocookie“ domain (youtube-nocookie.com). The best way to do this is to go back to the sharing option in YouTube itself and tick the box „Enable privacy-enhanced mode“. The nocookie domain is then used in the embed link automatically. I thought I’d be on the safe side if I just replaced the links. Wrong!
Shortly afterward I read in a forum on Facebook that a friend of mine, a lawyer specializing in online law, advised using an additional opt-in. That’s a box that appears, which readers need to check to see the video, so they know that a connection to YouTube is being established. I started using the plugin Borlabs for that.
However, this plugin also bothered me, so in the end, I decided to take down all videos and replace them with simple text links. No videos, no problems…
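For anyone who keeps their videos, here is an added example (not the blog's own code and not what Borlabs does) of the combination described above, in functions.php: every YouTube embed is rewritten to the youtube-nocookie.com domain and replaced by a placeholder that only creates the iframe after the reader clicks. The class name yt-optin, the button text and the function name are assumptions.

```php
/**
 * Added example, not the blog's own code: privacy-enhanced YouTube embeds
 * behind a click-to-load opt-in. Goes into functions.php.
 */

// Turn one YouTube iframe into a placeholder whose data-src uses the
// youtube-nocookie.com domain. Anything that is not a YouTube embed passes through.
function example_gate_youtube_embed( $html ) {
    if ( ! preg_match( '#<iframe[^>]+src="(https?://www\.youtube(?:-nocookie)?\.com/embed/[^"]+)"#i', $html, $m ) ) {
        return $html;
    }
    $src = str_replace( 'www.youtube.com/', 'www.youtube-nocookie.com/', $m[1] );

    return sprintf(
        '<div class="yt-optin" data-src="%1$s"><p>%2$s</p><button type="button">%3$s</button></div>',
        esc_url( $src ),
        esc_html__( 'This video is hosted on YouTube. Loading it sends your IP address to Google.', 'example' ),
        esc_html__( 'Load video', 'example' )
    );
}

// A pasted YouTube URL is rendered through oEmbed and passes 'embed_oembed_html';
// an iframe pasted directly into a post only passes 'the_content'.
add_filter( 'embed_oembed_html', function ( $html, $url, $attr, $post_id ) {
    return is_string( $html ) ? example_gate_youtube_embed( $html ) : $html;
}, 10, 4 );

add_filter( 'the_content', function ( $content ) {
    return preg_replace_callback(
        '#<iframe[^>]+src="https?://www\.youtube(?:-nocookie)?\.com/embed/[^>]*></iframe>#i',
        function ( $m ) { return example_gate_youtube_embed( $m[0] ); },
        $content
    );
}, 20 );

// The click handler: the iframe, and with it the connection to Google,
// exists only after the reader pressed the button.
add_action( 'wp_footer', function () { ?>
    <script>
    document.addEventListener('click', function (e) {
        var btn = e.target.closest('.yt-optin button');
        if (!btn) return;
        var box = btn.parentNode;
        var iframe = document.createElement('iframe');
        iframe.src = box.getAttribute('data-src');
        iframe.width = 560;
        iframe.height = 315;
        iframe.setAttribute('allowfullscreen', '');
        box.replaceWith(iframe);
    });
    </script>
<?php } );
```

Verify it the same way as the fonts: with the page freshly loaded and the button not yet pressed, the network tab must show no request to youtube.com, youtube-nocookie.com or googlevideo.com. Note that the nocookie domain only reduces what YouTube sets in the browser; the reader's IP address still reaches Google the moment the iframe is created, which is why the opt-in step is there.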
Maps
It’s the same with maps as with the YouTube videos: each map establishes a connection to an external server, since the map data is never stored on the blog owner’s server. I checked my own plugin and found a Google Maps API. Annoying! I used Borlabs for this too, because I wanted to keep the map on my homepage. I deleted all the others though.
But after I deleted the YouTube videos, I also decided on taking down that last map. Too bad, but better safe than sorry. And I also experienced slower page speed due to Borlabs.
Analytics
Analytics was also a never-ending story. That’s why I’ve been saving it for last.
First, I decided to use Borlabs with the opt-in function. But after I had almost no possibility to track my visitor numbers and the box on my blog simply annoyed me (and my readers), I decided that it was time for something new: Matomo (formerly Piwik) is the solution you can install on your own server, so no data is forwarded to third parties. I am currently very satisfied with this and hope that it will remain so.
Emails
A year and a half ago, I made a big mistake. I followed some bad advice and started sending my emails via Gmail, although they actually come from my hoster All-Inkl. It was easier to manage than Outlook, which I had used until then, said a friend. Well, actually, GDPR existed already. But nobody cared back then. Otherwise, I would never have solved it this way. Because Gmail is NOT GDPR compliant! Google’s alternative is G Suite. This business account costs 8 Euro per month and is ok from a data protection point of view. At least if you disregard the fact that Google is an American company and that it is not really perfect.
So I moved to G Suite with all my email addresses. However, I couldn’t import all addresses, so I didn’t have old emails of my main address in my mailbox. I couldn’t search for them or automatically write emails to contacts before importing. The important thing for me was that I can write and receive emails on all my addresses from G Suite.
I had to find another solution. In the end, I rolled back everything that had been done in the past one and a half years and now receive all my mailboxes via Apple’s mail client and no longer use a third-party provider.
Cloud storage
The same applies to cloud storage. I use Google Drive, and until now I simply had an account with 1 GB of additional storage. This simple account is also not GDPR compliant. Therefore, I now use my G Suite account for backups in the cloud and for exchanging data with clients. That sounds like little effort at first, but unfortunately, there were problems here too. It took me about a working day to solve them, and I finally connected all my websites to the new Drive account.
By the way: If you use third-party providers like WeTransfer to send large amounts of data, you theoretically need a Data Processing Agreement. To be honest, I have hardly ever used WeTransfer. I usually do this by uploading photos, videos or documents in my Google Drive Cloud and then sharing the folders. Then you don’t need an additional agreement!
Records of processing activities
I also left the record of processing activities until last. In this list, you have to mention all activities in which you store data. These include, for example, comments on the blog, emails or the newsletter. The processing list must be presented on request.
Privacy policy (and legal notice) on the login page
Now it is also mandatory to have a privacy policy on the admin login page. Since the last WordPress update, you can easily set this in your backend and it will be displayed automatically. However, for us Germans, the legal notice has to be added, too. Unfortunately, you still have to change this in the code.
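The privacy policy link on the login page comes with WordPress itself (the page chosen under Settings -> Privacy is linked in the footer of wp-login.php). The legal notice is the part that still needs code; as an added example (not the blog's own snippet), this functions.php hook adds a link to it next to the built-in privacy link. The page slug impressum is an assumption.

```php
/**
 * Added example, not the blog's own code: a legal notice (Impressum) link in
 * the footer of the WordPress login page. Goes into functions.php.
 */
add_action( 'login_footer', function () {
    // Assumed slug of the legal-notice page; adjust to your own page.
    $impressum = get_page_by_path( 'impressum' );
    if ( ! ( $impressum instanceof WP_Post ) || 'publish' !== $impressum->post_status ) {
        return; // no such page yet: print nothing rather than a dead link
    }
    printf(
        '<p id="login-legal-notice" style="text-align:center"><a href="%s">%s</a></p>',
        esc_url( get_permalink( $impressum ) ),
        esc_html__( 'Legal Notice', 'example' )
    );
} );
```

Open /wp-login.php in a private browser window afterwards: both links, the built-in privacy policy link and the legal notice, should be visible below the form before logging in.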
HTTPS via All-Inkl
If you have a TLS certificate via your own hoster, you don’t have to do anything. However, I had it through CloudFlare, an American provider. This offers even more advantages than just the certificate, but I wanted to get rid of as many third-party providers as possible and didn’t want to sign too many Data Processing Agreements. Especially when the service providers are based in the USA, which is the case for CloudFlare. I had to reset all nameservers at All-Inkl (just send an email – the support team will take care of it) and could then activate a free certificate from Let’s Encrypt. The only disadvantage: From now on my page will only be loaded from Germany. From German servers. From a data protection point of view, this is awesome. However, for my loading time it is a disaster, because CloudFlare has servers all over the world and makes sure the closest one is used. So if you access Barbaralicious from Australia, the blog was previously loaded from Australian servers, while now everything comes directly from Germany.
Photos
Another insanity, in my eyes, is that photos are no longer allowed to show people UNLESS the people shown have signed a GDPR-compliant model release. However, GDPR also says that this consent can be withdrawn at any time. A model release does not necessarily mean that you can use the photo forever. The reason for the regulation is that from now on you can generally withdraw your consent to the processing of your data at any time. And that includes photos.
I’m very happy now that I often waited a long time to take pictures without people. Even in busy squares in Berlin, for example, you can find the place deserted at sunrise. Many bloggers laughed at me or said that this does not reflect the true mood in the place. I’m glad I didn’t care.
A few more comments:
Photos taken before May 25, 2018 do NOT need to be removed from your blog or social media channels. At least, that’s not what it looks like right now.
If you’re happy now that you’re good at using Photoshop, I have to disappoint you. In theory, it is no longer even allowed to take photos with people in them. So it’s not just about publishing the material. The only alternative would be analog photos that do not store any data (e.g. geotags).
Final Thoughts
I’ve been complaining a lot since I started making changes for GDPR. Not only because something new came out almost every day and changes made previously were invalid again. Or because everyone says something different and you often don’t know what is right and what is wrong. I complained a lot because I really wanted to understand the technical background. That meant that I was stuck on little details for days. And that was at the expense of my „productivity“. No blog post, no new e-book has come out in the last few weeks. Hopefully, this will now change and return to normal.
But a positive side effect is that I know my blog better than ever before. I still have a lot to learn, but it’s a process and I’m still in it.