This may be true, but if you market on Facebook or Instagram, run a business that is viewed all over the world (and is not location specific), or collect data from people in the EU (or in countries such as the UK, Norway and Switzerland, which apply GDPR or something very similar), then you will want to GDPR-proof your website. Note that what matters is where your visitors are, not where your server is: a site hosted in Australia that takes sign-ups from people in the EU is still covered.
So what I’ve done for you is create an easy to follow guide so you can choose to get your website GDPR compliant in some very easy steps.
Disclaimer: I am not a lawyer and if you have a large business collecting a lot of data, you might want to visit a lawyer to get everything “GDPR proofed”. But for the small business who has an online store, collects emails or has plugins on their WordPress website there are some simple steps to comply with GDPR.
My aim is to make it easier for you to do these steps yourself, but if you are still confused contact me here and I can do this on your WordPress site for you or guide you through it.
I have outlined below, in drop down sections, what you need to know and how to implement it (so you are not overwhelmed with a wall of words to look at).
What is GDPR and what happens if I don’t comply?
The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. The goal of GDPR is to give people in the EU (not just EU citizens: anyone physically in the EU is covered) control over their personal data, and to change the data privacy approach of organisations across the world that handle that data.
The EU has put in some huge penalties for those who are not in compliance, so this is why you will have seen updated Privacy Policies, opt-ins that have clear wording and drop downs asking for your permission on a lot of sites lately.
Since May 25th, 2018, businesses that are not in compliance with GDPR's requirements can face fines of up to 4% of the company's annual global revenue OR €20 million (whichever is greater).
What is required under GDPR?
GDPR covers personal data, which means any information that relates to an identified or identifiable person. That includes the obvious things (name, email, physical address) and the less obvious ones (IP address, health information, income, cookie IDs that can single a visitor out, etc.).
So how does that affect you? If you have an Opt-in, Ecommerce plugin or any plugin that collects any of the above information, then this applies.
Put in plain English:
- The end user needs to give real consent to how their data is used and stored: freely given, specific to each purpose, informed, and by a clear action (no pre-ticked boxes, no silence counted as a yes).
- The user also has the right to access and download their personal data, and the right to be forgotten, which means they can ask you to erase their personal data and you must do so unless you have a legal reason to keep it.
- Some organisations must appoint a Data Protection Officer: public authorities, and businesses whose core activity is large-scale monitoring of people or large-scale processing of sensitive data (health, religion, etc.). A typical small business does not need a formal DPO, but you are still the data controller, which means the responsibility for the data your site collects sits with you.
The GDPR is actually a good thing.
You know how you have most probably signed up for a free e-book and then been spammed every single day with emails selling you stuff? How annoying is that! This regulation is designed to stop that kind of thing: your email was given for the e-book, not for a daily sales pitch. Businesses also can't sell people's data without their explicit consent, and have to be able to hand over and/or delete the end user's personal data when requested.
Is WordPress GDPR compliant?
WordPress 4.9.6 (released May 2018) added several privacy features to core. These are:
Comment Consent Checkbox
Due to GDPR's consent requirements, WordPress now shows a checkbox under the comment form asking whether the commenter's name, email and website may be saved in a cookie for next time. The user can leave a comment without ticking this box; all it will mean is that they have to manually enter their details every time they comment, because nothing is stored in a cookie.
Data Export and Erase Feature
WordPress gives site owners a way to honour a user's request to export their personal data or to remove it. You enter the requester's email, WordPress sends them a confirmation link, and once they confirm you can generate the export file or run the erasure. These tools are found under Tools > Export Personal Data and Tools > Erase Personal Data inside WordPress admin.
Privacy Policy Page
Under Settings > Privacy you can choose or create your privacy policy page. WordPress supplies a starter template with suggested text, and plugins that support the feature add their own suggested paragraphs describing what they collect.
These three things cover the core of a default WordPress blog.
However it is very likely that your website has additional features and plugins that collect data too, and those also need to be in compliance. Doing the above three does not make you 100% compliant: core only knows about the data it stores itself (user accounts and comments), not what your plugins collect.
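The Tools > Export Personal Data and Erase Personal Data screens only see what WordPress core stores. A plugin (or a developer working on your site) has to register its own data with those tools, otherwise an export or erasure request silently skips it. Here is what that looks like in code, as an added example that is not part of the original article or of any named plugin. It assumes a hypothetical opt-in plugin that stores each sign-up as a `newsletter_signup` post with the email in `_signup_email` meta and the consent wording in `_consent_text` meta; the `myplugin_` names are made up for illustration.

```php
<?php
/**
 * Added example: hook a plugin's own stored data into the WordPress
 * Tools > Export Personal Data / Erase Personal Data requests.
 *
 * Assumption (hypothetical plugin): each sign-up is a 'newsletter_signup'
 * post, with the e-mail in '_signup_email' and the consent wording the
 * person saw in '_consent_text'.
 */

// Find every sign-up record belonging to the verified e-mail address.
function myplugin_find_signups( $email_address ) {
    return get_posts( array(
        'post_type'      => 'newsletter_signup',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'meta_key'       => '_signup_email',
        'meta_value'     => $email_address,
    ) );
}

// Exporter: WordPress calls this with the e-mail from the confirmed request.
function myplugin_export_signups( $email_address, $page = 1 ) {
    $export_items = array();
    foreach ( myplugin_find_signups( $email_address ) as $post_id ) {
        $export_items[] = array(
            'group_id'    => 'newsletter_signups',
            'group_label' => __( 'Newsletter sign-ups', 'myplugin' ),
            'item_id'     => 'signup-' . $post_id,
            'data'        => array(
                array( 'name' => __( 'E-mail', 'myplugin' ),
                       'value' => get_post_meta( $post_id, '_signup_email', true ) ),
                array( 'name' => __( 'Consent given at (UTC)', 'myplugin' ),
                       'value' => get_post_field( 'post_date_gmt', $post_id ) ),
                array( 'name' => __( 'Consent text shown', 'myplugin' ),
                       'value' => get_post_meta( $post_id, '_consent_text', true ) ),
            ),
        );
    }
    // 'done' => true tells WordPress there are no further pages to fetch.
    return array( 'data' => $export_items, 'done' => true );
}

// Eraser: delete the records outright (true = skip the trash).
function myplugin_erase_signups( $email_address, $page = 1 ) {
    $ids = myplugin_find_signups( $email_address );
    foreach ( $ids as $post_id ) {
        wp_delete_post( $post_id, true );
    }
    return array(
        'items_removed'  => count( $ids ) > 0,
        'items_retained' => false,   // set true (with a message) if law forces you to keep something
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['myplugin-signups'] = array(
        'exporter_friendly_name' => __( 'Newsletter sign-ups', 'myplugin' ),
        'callback'               => 'myplugin_export_signups',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['myplugin-signups'] = array(
        'eraser_friendly_name' => __( 'Newsletter sign-ups', 'myplugin' ),
        'callback'             => 'myplugin_erase_signups',
    );
    return $erasers;
} );
```

Once this is active, a confirmed request under Tools > Export Personal Data includes a "Newsletter sign-ups" group in the download, and Erase Personal Data removes those records along with the core user and comment data. If a plugin you rely on does not register anything here, its data has to be exported or deleted by hand when a request arrives.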
Areas on Your Website that are Impacted by GDPR
Depending on which WordPress plugins you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.
A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features. Here’s some of the common areas that you would need to address.
- Google Analytics or Jetpack
- WooCommerce / Ecommerce
- Retargeting Ads
- Contact Forms
- Opt-In Forms (most of my clients use Gravity, Bloom or the Divi opt-in)
Here's an example: you have an online business, and maybe you use WooCommerce. When users get to your checkout page, there is a checkbox that is already ticked for them and reads "[x] Yes, I want to sign up for your amazing email list!" This is not allowed. A pre-ticked box is not consent under GDPR; the user has to actively opt in, not hunt for the box to opt out. The box must start empty, and buying from you must not depend on ticking it.
WooCommerce has added the following to help store owners comply:
- Better formatting for inline descriptions, should you wish to include "just in time" privacy text next to checkout fields, and simple tools to toggle non-critical fields off so you don't collect data you don't need.
- Custom terms and conditions text, and control over the checkbox and its label.
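If your theme or a small custom plugin adds the checkout opt-in box itself, this is what a compliant version looks like in code: un-ticked by default, not required to complete the purchase, and recording on the order exactly what the customer agreed to and when, so you can prove consent later. This is an added example, not code from WooCommerce or from the original article; the `myshop_` field name, meta keys and consent wording are made up for illustration, and it would go in your theme's functions.php or a small site plugin.

```php
<?php
/**
 * Added example: an un-ticked marketing opt-in on the WooCommerce checkout
 * that stores evidence of consent on the order.
 *
 * Assumptions (hypothetical): the field name 'myshop_marketing_consent',
 * the two '_myshop_*' order meta keys and the consent text are made up.
 */

define( 'MYSHOP_CONSENT_TEXT',
    'Yes, e-mail me occasional news and offers. You can unsubscribe at any time.' );

// Render the box just above the Place Order button. No 'default' is set and
// the value is whatever the customer actually posted, so the box starts empty.
add_action( 'woocommerce_review_order_before_submit', function () {
    woocommerce_form_field( 'myshop_marketing_consent', array(
        'type'     => 'checkbox',
        'class'    => array( 'form-row' ),
        'label'    => MYSHOP_CONSENT_TEXT,
        'required' => false, // the purchase must never depend on marketing consent
    ), WC()->checkout->get_value( 'myshop_marketing_consent' ) );
} );

// Record consent on the order being created. Only a ticked box produces a
// record; an un-ticked box stores nothing, so nobody is opted in by silence.
// WooCommerce saves the order itself after this hook runs.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    if ( empty( $_POST['myshop_marketing_consent'] ) ) {
        return;
    }
    $order->update_meta_data( '_myshop_marketing_consent_at', current_time( 'mysql', true ) ); // UTC timestamp
    $order->update_meta_data( '_myshop_marketing_consent_text', MYSHOP_CONSENT_TEXT );    // the exact wording shown
}, 10, 2 );

// When deciding who goes on the mailing list, add only customers whose
// order carries the consent record. Everyone else stays off the list.
function myshop_customer_opted_in( WC_Order $order ) {
    return '' !== $order->get_meta( '_myshop_marketing_consent_at' );
}
```

Storing the wording alongside the timestamp matters: if you later change the text of the box, you can still show what each customer actually agreed to. Keeping the box separate from the terms and conditions checkbox also matters, because bundling "I accept the terms" with "send me marketing" is not specific consent.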
As always, it is up to you to make sure you are complying. If you are confused it is always good to get a lawyer involved.
Opt-ins and Email Marketing
Your Opt-in should tell the user EXACTLY what they are giving their email to you for. For example on my website, my opt-in is my free e-book – Getting Online with Authenticity (and no overwhelm). That’s as far as I should be using their data – for that free e-book and no other reason. So on the opt-in, I added checkboxes asking the user to opt-in to receiving further emails from me for different reasons. I gave the user the right to choose.
Also, use double opt-in (a confirmation email the subscriber must click) wherever you can. GDPR does not strictly require it, but it proves the address belongs to the person who signed up and gives you a dated record of consent. This can be switched on in most email marketing plugins and services.
The goal is to ask for explicit consent, take NOTHING by default, collect only the minimum information needed for your intended purpose, and make that purpose crystal clear to the individual.
If you are using a contact form in WordPress, then you may have to add extra transparency measures especially if you’re storing the form entries or using the data for marketing purposes.
Below are the things you might want to consider for making your WordPress forms GDPR compliant:
- Get explicit consent from users to store their information.
- Get explicit consent from users if you are planning to use their data for marketing purposes (i.e adding them to your email list).
- Disable cookies, user-agent, and IP tracking for forms.
- Comply with data-deletion requests.
- Disable storing form entries altogether (a bit extreme and not required by GDPR). You probably shouldn't do this unless you know exactly what you're doing, because the entries are often your only record of what a person asked for.
The good part is that if you're using popular WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc., the plugin vendor does not store your form entries on their servers. Your entries stay in your own WordPress database (Contact Form 7 by default only emails them to you), so you don't need a Data Processing Agreement with the plugin author. You DO need one with any third-party service the form sends data to, such as an email marketing provider, a CRM, or a spam-protection service that receives the visitor's details.
Adding a required consent checkbox (un-ticked by default) with a clear, plain-English explanation of what you will do with the data, and a link to your privacy policy, should be good enough to make your WordPress forms GDPR compliant.
Terms and Conditions
Quoted from TermsFeed:
“Because a Terms and Conditions agreement is the agreement where you inform the users of your website about the rules, terms and guidelines that they need to follow in order to use and access your website, a Terms and Conditions agreement has become extremely important.
While it’s not required by any laws currently (but third-parties such as Facebook may require it), through a Terms and Conditions you can maintain your rights to exclude certain users that may abuse your website or do not follow the rules you set.
For an ecommerce store, a Terms and Conditions could legally protect it. It is in this type of legal agreement where you set the rules that your customers would follow during a purchase and limit your liability in the event that your products fail.”
Some WordPress Plugins & Resources to help with GDPR Compliance
There are several WordPress plugins that can help automate some aspects of GDPR compliance for you. However, no plugin can offer 100% compliance due to the dynamic nature of websites and the different plugins that you may be using.
Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they’re talking about, and it’s best for you to avoid them completely.
Delete Me – a free plugin that lets users delete their own profile on your site (available from the WordPress.org plugin directory).
Cookiebot – a cookie consent plugin that scans your site for cookies and blocks non-essential ones until the visitor agrees (free for sites under 100 pages).
GDPR Cookie Consent – a free and pro customisable cookie consent plugin (available from the WordPress.org plugin directory).
Website Terms & Conditions Template – a free template that you can use for your website, from SEQ Legal or TermsFeed (you may need to pay a small fee for extra clauses).
Onsite Law – For larger businesses I would advise getting legal advice. Look no further than Aaron Griffiths from OnSite Law. To contact him, email Aaron@onsitelaw.com.au or visit www.onsitelaw.com.au.
Depending on what plugins you are using, you might need to look further into how each of these plugins collect data and make necessary changes where needed.
Basically to become GDPR compliant you must:
- Tell the user who you are, why you collect the data, for how long, and who receives it.
- Get a clear consent [when required] before collecting any data.
- Let users access their data, and take it with them.
- Let users delete their data.
- Report data breaches: tell your supervisory authority within 72 hours of becoming aware of a breach, and tell the affected users too when the breach puts them at high risk.
So you will need to:
- Look at how you collect your emails for opt-ins and marketing to comply to GDPR guidelines.
- Look at your contact forms (or any forms for that matter) to comply to GDPR guidelines.
- Make sure your WordPress site is updated to the current version (at least 4.9.6) so you have the built-in export and erase tools ready for when a user asks for their data or the right to be forgotten.
- Install a cookie consent plugin that asks the user before setting non-essential cookies (analytics, retargeting pixels). A banner that merely announces cookies while the tracking scripts load anyway does not count; the scripts have to wait for the yes.
- Install the Delete Me plugin so users can control their own data.
Each of these points is subject to many exceptions, and degrees of how much you need to do, but they serve as a good starting point. Again, if you are a bigger business it will always be better for a lawyer to look over your website and how you collect information; if you are a small blog, store or business owner, following these points puts you in good shape.
From a design & branding perspective, you can have some real fun with this. Make your opt-ins conversational. Create a website, sales page or thank you page that is so irresistibly you that your user will of course want to stay in contact with you. Inform and invite them in your authentic voice with great design & layout. What we are really wanting to do is create a relationship with our end user, and being open and honest about what you intend to do and how you store their info is the first step to trust.
I hope this has explained it better and now you know what you need to do to be GDPR compliant.
As always – I’m here to help you in any way possible. Contact me if you need anything or comment below.