GDPR is a set of rules for businesses and government entities that requires more security and care be taken when handling the personal data of clients and customers.
First, it is important to note that at the time of this writing, the GDPR is ONLY for the EU. If you are a US-based business, it will only apply if you have EU-based clients, customers or readers.
You should not be terrified or overwhelmed by the process. The EU will not stop the world on May 28, 2018 (the date this law was passed) and hand out fines worldwide, but you do want to address the issues as soon as you can.
This is NOT a thoroughly detailed, all-inclusive article. Many variables come into play: every website differs in the data it collects, the plugins it uses and the 3rd party applications involved. We have tried to give you enough info to bring your website up to par without overwhelming you!
This guide should be enough for most small business owners, non-profit organizations and bloggers, as we are covering the most common data scenarios.
Please note that this is NOT legal advice but a guide to help you improve your GDPR compliance. For more in-depth legal advice please consult with an attorney specializing in international business law.
What Is GDPR In A Nutshell?
The GDPR was created to give the citizens of the EU control over their personal data and also amend how organizations use that data.
As an example, users must confirm that their personal data can be collected, and a clear privacy policy must be made available that shows what personal data is going to be stored and how that data will be used. Also required is the ability for a user, at their request, to withdraw the authorization they gave previously and have that information deleted.
Basically, you need to make it CLEAR to users of your website what data you are collecting, WHY you are collecting it and what you plan on doing with it.
Who Is Affected By GDPR?
Basically ANY website that gets visitors from the EU is affected and should be in compliance with the law. Whether you are a blogger or an e-commerce website, the GDPR is important to take into consideration.
To better understand the regulation, take a look at the publication of the regulations in the Official Journal of the European Union, which defines all terms related to the law. There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a WordPress site:
- personal data pertains to “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address; it is better to think that any piece of data can be considered personal data,
- whereas processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user.
What If I Am Found In Violation Of GDPR?
If you are found not to be following the guidelines, a fine of up to 4% of your annual income or EUR 20 million, whichever is more, can be placed on your business.
What User Information Is Actually Considered “Personal”?
Any item that can identify a user – this can include, but is not limited to:
- Full Name
- Birthdate
- Street Address
- IP Address
- Email Address
- Telephone Number
- Credit Card Information
GDPR Compliance Checklist For US Companies
You should really understand all of the aspects of your website and how you are taking in user data as well as understand the areas of the world your visitors are coming from. You can use Google Analytics to find your visitor location.
Every plugin, theme and piece of custom code should be evaluated to ensure you are abiding by the laws of the GDPR.
Before you move on to each of the aspects below and how to comply with them, a security audit on your WordPress site should, in general, reveal how data is being processed and stored on your servers, and steps that are required to comply with the GDPR.
How does a typical WordPress website collect user data?
- Comments
- Contact Forms
- Website Registration
- Analytics & Data Tracking Tools
- Security/Tracking Plugins
Once you understand who is visiting your site and why, you can then take the following steps to ensure you are compliant.
- Be transparent about the data you are collecting! Let users know what data you are collecting, why you are collecting it, how you store it, who can see it and how it can be removed. All of this should be included in your privacy policy.
- Secure the data: document where it is stored so you can find and delete it when a customer asks, and make sure it is encrypted.
- Make sure there is one person who can be contacted about your GDPR policies in the event a customer or governmental entity has questions, and that this person has the authority and systems to keep your GDPR processes updated.
How Can I Understand This Law Easily?
Let’s break this down as simply as possible!
- Users must give you their CONSENT to store their personal data
- Users must give you their CONSENT as to how you may use that data
- Users must be able to request that you DELETE their personal data at any time
- You must be easily reached if a user wants to see the data you have collected on them.
What Do I Need To Do With My Website To Make It Compliant?
We are going to tackle each area of your website that reflects the most common ways of taking in user data.
General EU Blocking (Not recommended)
One option, if you are located OUTSIDE the EU, is to just block all EU visitors. This is the easiest option, but we do not recommend it. Look at your analytics data before deciding if this is a good option for your business.
Our own website gets 17% of its traffic from the EU, so we would not consider this option, but others may get a minimal amount of traffic, so it may be easier! There are plugins available that allow you to block by country, or you can hire someone to add some code to block it as well.
Securing Comments (Must address if commenting is enabled)
What do the default WP comments typically store?
- Name
- IP
If you are using cloud services such as Akismet or Cleantalk – then you are breaking the GDPR rules because you are sending that data to these 3rd party applications and your commenters probably have no idea.
Here are some options for your comment area to make it compliant.
Stop Saving IP Addresses (Highly Recommended)
You can either stop saving IPs or let your users know you are storing them. We opted to just stop saving them!
Here are 2 options to stop saving comment IP addresses entirely.
- You can install a plugin like Remove Comment IPs
- You can add this short snippet at the bottom of your theme's functions.php file:
[code]
// WordPress passes the commenter's address through the pre_comment_user_ip filter
// before saving; returning an empty string leaves comment_author_IP blank.
function wpb_remove_commentsip( $comment_author_ip ) {
    return '';
}
add_filter( 'pre_comment_user_ip', 'wpb_remove_commentsip' );
[/code]
Make Name & Email Optional (Optional)
- Go to SETTINGS > DISCUSSION
- Uncheck Comment Author Must Fill Out Name and Email
This will now allow comments to come through without identifiable user names or emails.
Unchecking this will NOT tell users that they can leave them empty, so you may want to add a note to your page letting them know it is optional.
Add Checkbox To Comment Form (Recommended)
We believe the next version of WordPress will have this included in their comment box automatically as they prepare for GDPR, but for now you can just use a plugin.
We recommend the WP GDPR Compliance plugin.
This plugin adds a checkbox field to your comment box to allow you to note what data you are saving and allow users to choose to accept or deny your policy. If they do not check the box the comment is not saved.
So now our comment box includes that consent checkbox.

Contact Forms
Because a contact form typically asks for things like name, email and web address, this is one of the first things you should address on your website.
While there are a lot of conflicting thoughts on how GDPR law affects contact forms – we are going the safe route with this one to keep our butts covered. A simple checkbox form will make your life much easier.
Do you have your form emails sent directly to you?
If so, then you may see conflicting theories on this one as well. Some websites say you do not need to do anything since the data is not “being stored”, but in our eyes, since the email comes to our server and sits in our inbox, that is storing information.
We would rather be safe than sorry and will treat these the same as if we are in fact storing the data on our website.
If you store your emails in your database!
Then you absolutely need to take actions to comply with GDPR. For example, if you store form submissions and then can view them in your WordPress admin – that means you are storing them in a database and this needs to be addressed.
Just like with the comments – you can add some text and a checkbox to your form to get authorization from the user to store their data.
Example text:
This contact form collects your name and email so that we can correspond with you. Please review our privacy policy for more information.
…then add a checkbox to make sure they are giving you authorization.
Here are some links to some common Contact plugins that offer their info on GDPR.
Email Opt-In
Very similar to the contact forms you should CLEARLY outline what your intentions are on the email opt-in form. Users must be given the option to give their clear consent to receive your newsletters.
Example text: This form collects your name and email so that we can send you great newsletters filled with great WordPress tips! Take a peek at our privacy policy and see how we protect and manage your information.
…then add a checkbox so they can check it confirming their consent to be added!
MAILCHIMP: If you are using Mailchimp then they have already made it easy for you to implement GDPR in your forms. Here is how you can implement it:
1. Go to your LISTS page
2. Click the drop-down menu to the right of the list name and choose SETTINGS
3. Choose the LIST NAME & DEFAULTS option
4. You should see a box that says ENABLE GDPR fields
5. Save your list!
6. Now you can go back to your lists and in that right dropdown choose SIGNUP FORMS
7. Choose FORM BUILDER (that is the only form that has the GDPR fields) and edit the text as you see fit.
Google Analytics
Google is working to become compliant with the new GDPR rules, but there are some steps you can take as well to make sure YOU are in compliance within your own account.
Things you should NOT be storing in Google Analytics include email addresses, usernames, phone numbers etc. For most of you this is NOT an issue – but for those that may have used custom dimensions in their analytics setups – you have to address this.
The more common issues, which we feel most people will have to address, are noted below.
IP ADDRESSES
IP addresses are considered personally identifiable information. You may already know that Google Analytics stores them; although you cannot see them, people at Google can. So we need to make sure full IP addresses are no longer captured by having them “anonymized”.
To ANONYMIZE the IP addresses, add the following line to your Google Analytics (analytics.js) code on your website, after the ga('create', ...) call and before ga('send', 'pageview') so that it applies to every hit:
[code]ga('set', 'anonymizeIp', true);[/code]
So in the latest version of the Google Analytics code it would look like this:

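As an added example (not code from the original post, and not Google's code), the block below reimplements the truncation Google documents for anonymizeIp: the last octet of an IPv4 address is set to zero, and the last 80 bits of an IPv6 address are set to zero. Spelling it out shows what a masked address still reveals (the network, not the individual host), and the same function can be run over your own web server access logs, which the definition of “processing” earlier on this page also covers. The function names and the sample log lines are constructed for this example, using reserved documentation address ranges rather than real visitors.

```javascript
// Added example: reimplements the anonymizeIp rule (IPv4 keeps the first three
// octets, IPv6 keeps the first 48 bits) so the stored value can be inspected and
// the same truncation applied to your own access logs before they are kept.

function anonymizeIpv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  parts[3] = '0'; // zero the last octet
  return parts.join('.');
}

// Expand an IPv6 address, possibly written with "::" compression, into eight
// four-digit hex groups so the 48-bit boundary is explicit.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('not an IPv6 address: ' + ip);
  const head = halves[0] === '' ? [] : halves[0].split(':');
  const tail = halves.length === 2 && halves[1] !== '' ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  const groups = [...head, ...new Array(missing).fill('0'), ...tail];
  return groups.map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error('not an IPv6 address: ' + ip);
    return g.toLowerCase().padStart(4, '0');
  });
}

function anonymizeIpv6(ip) {
  const groups = expandIpv6(ip);
  for (let i = 3; i < 8; i++) groups[i] = '0000'; // zero the last 80 bits
  return groups.join(':');
}

function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIpv6(ip) : anonymizeIpv4(ip);
}

// Apply the truncation to the client address at the start of an Apache/nginx
// style access log line, leaving the rest of the line untouched.
function anonymizeLogLine(line) {
  const space = line.indexOf(' ');
  const ip = space === -1 ? line : line.slice(0, space);
  return anonymizeIp(ip) + (space === -1 ? '' : line.slice(space));
}

function anonymizeLog(lines) {
  return lines.map(anonymizeLogLine);
}

// Constructed sample log lines (documentation addresses, not real visitors).
const SAMPLE_LOG = [
  '203.0.113.42 - - [25/May/2018:10:15:32 +0000] "GET /contact HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:15:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
];

for (const line of anonymizeLog(SAMPLE_LOG)) console.log(line);
```

Running the block prints the two sample lines with `203.0.113.0` and `2001:0db8:85a3:0000:0000:0000:0000:0000` in place of the original addresses. Malformed addresses are rejected rather than passed through, so a bad line cannot slip a full address into the anonymized output unnoticed.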
Miscellaneous
- If you are offering a free download – you cannot auto subscribe them to your email list. You MUST have a checkbox giving them the OPTION to subscribe.
- If you are running an e-commerce website – there are a lot more things you need to be aware of. Ensure your e-commerce plugin or platform is working on GDPR compliance.
- Here is a great website that kind of sums it all up in a pretty way!
Final Thoughts
Questions? Concerns? We will do our best to help – but again this is a legal issue and consulting a business attorney may be best!
If you need help with a WordPress how-to for GDPR, let us know!