So you’ve heard about the GDPR (or General Data Protection Regulation), right? The GDPR is a set of new laws intended to strengthen and unify data protection for all individuals within the European Union (EU). It’s new legislation relating to personal data and how it’s stored.
Yes, it is European legislation, but it will affect website owners outside of Europe. If your website is visited by people in Europe (or your code is used by websites that are), the GDPR covers you. If a user from somewhere in the EU accesses your website from their home turf, you are required by law to comply with the GDPR. If your website visitor leaves the EU, flies to the Cayman Islands and visits your site from there, the EU has no authority. It’s all down to where they access your site from.
The GDPR came into effect on May 25th 2018. If you’re not in compliance with the regulations, there are harsh penalties – up to 4% of global annual turnover or €20 Million (whichever is greater). If you run a small business that collects data for sales and/or a mailing list, that’s a LOT of dolla!
But don’t panic!!
Very few websites are actually compliant:
“It’s clear that the majority of organizations are not currently prepared to meet GDPR requirements,” said John Ottman, Executive Chairman of Solix Technologies - quote from a ZDNet article on GDPR compliance as of Feb 2018
How the GDPR Affects Website Owners
There are six main ways in which this will affect you as a website owner:
- How you collect data via forms (contact forms, newsletter signups etc.)
- How you collect analytics data
- What you do with that data
- Where the data is stored
- How you communicate with your customers and contacts
- The code you use – plugins and themes.
The key here is transparency, so when collecting data via any form on your site, you must also provide details of how you will use the data. This means a pop-up, redirection to another page on your site, or an email with the information.
How Does WordPress Collect User Data?
So you’re running a WordPress site, how are you collecting user data? Ultimately each site is different so you’ll need to review what plugins and forms your website is using. As a site owner, it is still your responsibility to make sure that every plugin can export, provide and erase user data that it collects.
Some ways in which WordPress can collect user data:
- Contact Forms
- Google Analytics
- User Registrations
If your contact form entries are stored in your WordPress database then simply adding a consent checkbox with validation and with a clear explanation should be good enough for you to make your WordPress forms GDPR compliant.
What’s The Minimum For GDPR Compliance?
Sounds like a lot to do, right? It can be and it differs from business to business. At a bare minimum, make sure that you:
- Notify visitors immediately that tracking cookies are in place on your website.
- Postpone turning cookie tracking on until your visitors provide, you guessed it, consent!
- If they rejected cookies, keep all tracking off for the entire time they are visiting your site and be able to record that they either accepted or rejected consent.
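The three minimum points above describe one small piece of client-side logic: show a notice when no decision has been recorded, keep tracking off until the visitor accepts, keep it off for the whole visit if they reject, and keep a record of which choice they made. The following is an added example, not code from the original post or from any of the plugins named later. It assumes a storage object with `getItem`/`setItem` (in a browser that would be `localStorage`; a small in-memory stand-in is included so it also runs under Node), a hypothetical `loadAnalytics()` callback that injects the tracking script, a hypothetical `showBanner()` callback that displays the notice, and an assumed storage key and policy version string.

```javascript
// Added example: consent-gated tracking for a cookie notice.
// Assumed storage key and policy version (not from the original post).
const CONSENT_KEY = 'cookie_consent';
const POLICY_VERSION = '2018-05'; // bump this when the cookie policy changes, so visitors are asked again

// Read the stored decision. Anything missing, corrupt or unrecognised counts
// as "no decision yet", which means tracking stays off.
function readConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec && (rec.status === 'accepted' || rec.status === 'rejected')) return rec;
  } catch (e) {
    // corrupt record: treat as no decision rather than as consent
  }
  return null;
}

// Record the visitor's choice together with when it was made and which
// policy version they saw. Both accept and reject are recorded.
function recordConsent(store, status, now = Date.now()) {
  if (status !== 'accepted' && status !== 'rejected') {
    throw new Error('consent status must be "accepted" or "rejected"');
  }
  const rec = { status, at: new Date(now).toISOString(), version: POLICY_VERSION };
  store.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Tracking is allowed only with an explicit "accepted" for the current policy.
function trackingAllowed(store) {
  const rec = readConsent(store);
  return rec !== null && rec.status === 'accepted' && rec.version === POLICY_VERSION;
}

// Called once per page load. Returns what happened so callers can check it:
// 'banner' (no usable decision, notice shown, nothing loaded),
// 'loaded' (prior consent, tracking script loaded), or 'off' (prior rejection).
function initTracking(store, { showBanner, loadAnalytics }) {
  const rec = readConsent(store);
  if (rec === null || rec.version !== POLICY_VERSION) {
    showBanner();
    return 'banner';
  }
  if (rec.status === 'accepted') {
    loadAnalytics();
    return 'loaded';
  }
  return 'off';
}

// Wired to the banner's Accept / Reject buttons: store the choice, and only
// then (and only on accept) turn tracking on.
function handleBannerChoice(store, choice, { loadAnalytics }) {
  const rec = recordConsent(store, choice);
  if (rec.status === 'accepted') loadAnalytics();
  return rec;
}

// Minimal stand-in for localStorage so the example runs outside a browser.
function makeMemoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a real page you would pass `window.localStorage` as the store and a function that appends the analytics `<script>` tag as `loadAnalytics`; the important property is that nothing in this code calls `loadAnalytics` unless an explicit `accepted` record for the current policy version already exists, and a rejection is stored so the visitor is not nagged again on every page.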
Your overall GDPR compliance strategy should include the following:
- Document all the ways you collect personal data on your site and any 3rd party vendors you share it with.
- Determine your legal basis for the right to process that personal data with regard to the Lawful Grounds rules section of the GDPR.
- Determine the best places to post your new policies on your site.
- Determine the best ways to gather consent from visitors and supply requested info on how you track them, as well as a way to anonymize that data on request. This will likely involve plugins.
- Develop a system to safeguard all data you collect.
What Should I Focus On First?
I wish I could say it’s going to be simple. It isn’t. But for now you need to get something up there. Don’t be a perfectionist about it. Make it a working document. Remember, there’s a large percentage of website owners out there right now who haven’t even started working through their compliance checklists. You can still get ahead of the game.
Start by listing all of the ways you track user data on your website. You can literally write this down or create a Google Doc. Explain what you do with all of the user data you’re tracking. For example:
- If you are using Google Analytics then you are using those collected IP addresses to determine metrics on your site.
- If you have a newsletter optin then you are using that to collect personal information such as names and emails in order to send them updates about your business or direct them to sections on your website.
Get the idea? Keep in mind it’s about how and why you collect user data for commercial purposes.
WordPress 4.9.6 came out recently and it has some great new features to help you get GDPR compliant. If you’re using an awesome WordPress hosting provider such as CODE Websites then your site will already be up to date! If not - get updated and make sure you keep your site up to date.
Long sigh!! Again, don’t panic. There are plugins that help you out here. Here’s a shortlist of some popular ones:
- EU Cookie Law
- Cookie Notice by dFactory
- Cookie Control V8
- Cookie Consent
- Cookie Law Info
- GDPR Cookie Compliance
If You Are A WooCommerce Shop Owner...
If you’re running your own online store, you’re definitely collecting user data. If your store has an international reach, then there’s no doubt you will be attracting EU based shoppers.
Each WooCommerce site uses a different set of plugins, has a different workflow for shipping, etc., so there isn’t a one-size-fits-all approach. Follow the above steps to determine how you collect user data and how you use it.
Still looking for more help? Check out these resources:
- EUGDPR.org
- GDPR for American Organizations
- Forbes: Yes, The GDPR Will Affect Your U.S.-Based Business
- WordPress.org: GDPR
- IT Governance: When Do You Need To Seek Consent?
- Lexology: Lawful grounds for processing data
Disclaimer: I’m not a lawyer and CODE Websites is not a law firm. This post does not constitute legal advice and does not replace any advice you obtain from a lawyer or other legal expert. If you’re not sure, check with an expert on data law.