How To Make Your WordPress Website GDPR Compliant

So you’ve heard about the GDPR (or General Data Protection Regulation), right? The GDPR is a set of new laws intended to strengthen and unify data protection for all individuals within the European Union (EU). It’s new legislation relating to personal data and how it’s stored.

Yes – it is European legislation, but – it will affect website owners outside of Europe. If your website is visited by people in Europe (or your code is used by websites that do), the GDPR covers you. If a user from somewhere in the EU accesses your website from their home turf, you are required by law to comply with the GDPR. If your website visitor leaves the EU, flies to the Cayman Islands and they visit your site, the EU has no authority. It’s all down to where they access your site from.

The GDPR came into effect on May 25th 2018. If you’re not in compliance with the regulations, there are harsh penalties – up to 4% of global annual turnover or €20 Million (whichever is greater). If you run a small business that collects data for sales and/or a mailing list, that’s a LOT of dolla!

But don’t panic!!

Very few websites are actually compliant:

“It’s clear that the majority of organizations are not currently prepared to meet GDPR requirements,” said John Ottman, Executive Chairman of Solix Technologies” – quote from ZDNet article on GDPR compliance as of Feb 2018

How the GDPR Affects Website Owners

There are six main ways in which this will affect you as a website owner:

1. How you collect data via forms (contact forms, newsletter signups etc.)
2. How you collect analytics data
3. What you do with that data
4. Where the data is stored
5. How you communicate with your customers and contacts
6. The code you use – plugins and themes.

The key here is transparency, so when collecting data via any form on your site, you must also provide details of how you will use the data. This means a pop-up, redirection to another page on your site, or an email with the information.

How Does WordPress Collect User Data?

So you’re running a WordPress site, how are you collecting user data? Ultimately each site is different so you’ll need to review what plugins and forms your website is using. As a site owner, it is still your responsibility to make sure that every plugin can export, provide and erase user data that it collects.

Some ways in which WordPress can collect user data;

• Contact Forms
• Google Analytics
• User Registrations
• Comments
• Plugins

If your contact form entries are stored in your WordPress database then simply adding a consent checkbox with validation and with a clear explanation should be good enough for you to make your WordPress forms GDPR compliant.

What’s The Minimum For GDPR Compliance?

Sounds like a lot to do, right? It can be and it differs from business to business. At a bare minimum, make sure that you:

• Have an updated Privacy Policy in place that covers your plugins and the way your website collects user data.
• Notify visitors immediately that tracking cookies are in place on your website.
• Postpone turning cookie tracking on until your visitors provide, you guessed it, consent!
• If they rejected cookies, keep all tracking off for the entire time they are visiting your site and be able to record that they either accepted or rejected consent.

Your overall GDPR Compliance strategy should include the following;

1. Document all the ways you collect personal data on your site and any 3rd party vendors you share it with.
2. Determine your legal basis for the right to process that personal data with regard to the Lawful Grounds rules section of the GDPR.
3. Create policy documents based on the data collection and processing rights determined in the previous step. These could include your Privacy Policy, Terms of Service, and more. They will vary by site.
4. Determine the best places to post your new policies on your site.
5. Determine the best ways to gather consent from visitors and supply requested info on how you track them, as well as a way to anonymize that data on request. This will likely involve plugins.
6. Develop a system to safeguard all data you collect.

What Should I Focus On First?

1. Start with your Privacy Policy

I wish I could say it’s going to be simple. It isn’t. But for now you need to get something up there. Don’t be a perfectionist about it. Make it a working document. Remember, there’s a large percentage of website owners out there right now who haven’t even started working through their compliance checklists. You can still get ahead of the game.

Start by listing all of the ways you track user data on your website. You can literally write this down or create a Google Doc. Explain what you do with all of the user data information you’re tracking. For example;

• If you are using Google Analytics then you are using those collected IP addresses to determine metrics on your site.
• If you have a newsletter optin then you are using that to collect personal information such as names and emails in order to send them updates about your business or direct them to sections on your website.

Get the idea? Keep in mind it’s about how and why you collect user data for commercial purposes.

WordPress 4.9.6 came out recently and it has some great new features to help you get GDPR compliant. If you’re using an awesome WordPress hosting provider such as CODE Websites then your site will already be up to date! If not – get updated and make sure you keep your site up to date.

The new WordPress release has a way to detect the ways you are tracking visitors based on your theme and plugins. It will also create a rough draft of a Privacy Policy page for you, with that info in it.

Check out this link for an example how to to create a best practice privacy policy in relation to the GDPR.

2. Cookies

If you use the internet you’ve seen those pop-ups and banners that ask you to accept cookies on a website. Well, it’s time you joined the cookie club! Your website uses cookies to track user data. Now more than ever it’s essential to obtain consent. Not only do you need consent, but you need to prevent cookie tracking until you gain consent and if your users reject your request to track their data with cookies, you must not track their data during their visit. You’ll also need to be able to record whether they accepted or rejected your request.

Long sigh!! Again, don’t panic. There are plugins that help you out here. Here’s a shortlist of some popular ones;

• EU Cookie Law
• Cookie Notice by dFactory
• Cookie Control V8
• Cookie Consent
• Cookie Law Info
• GDPR Cookie Compliance

Having a privacy policy in place and covering your bases in terms of cookies is the bare minimum in terms of GDPR compliance. If you’re a large organisation, you may need to consider additional systems and possibly even designate an inhouse Compliance Officer.

If You Are A WooCommerce Shop Owner…

If you’re running your own online store, you’re definitely collecting user data. If your store has an international reach, then there’s no doubt you will be attracting EU based shoppers.

Each WooCommerce site uses a different set of plugins, has a different workflow for shipping, etc., so there isn’t a one-size-fits-all approach. Follow the above steps to determine how you collect user data and how you use it.

What’s next?

This all might sound a bit overwhelming! If you need help, contact us. We can get you set up for the basic levels of compliance. We will perform a site audit for you, advise on the content for your Privacy Policy and install and configure Cookie acceptance banner.

Still looking for more help? Check our these resources:

• EUGDPR .org
• GDPR for American Organizations
• Forbes: Yes, The GDPR Will Affect Your U.S.-Based Business
• WordPress.org: GDPR
• IT Governance: When Do You Need To Seek Consent?
• Lexology: Lawful grounds for processing data

Disclaimer: I’m not a lawyer and CODE Websites is not a law firm. This post does not constitute legal advice and does not replace any advice you obtain from a lawyer or other legal expert. If you’re not sure, check with an expert on data law.