GDPR, short for General Data Protection Regulation, is the buzzword of the moment and has been clogging up inboxes all over the planet. If you haven’t heard of GDPR yet, or maybe the panic has only just kicked in, don’t fret: this post will give you a quick survival guide to GDPR for WordPress. Like most things in life, once you understand what something entails, dealing with it gets a lot easier. So, let’s get right into it.
What Is GDPR
The General Data Protection Regulation (GDPR) was adopted by the EU in April 2016 and has applied since the 25th of May 2018. At its core GDPR is all about giving users control over their personal data and letting them hold businesses to account for what data they collect and how they process it. The overarching idea is that a business needs a lawful basis for anything it does with personal data, and for marketing that basis is usually the user’s explicit consent; users can also ask a business what data it holds on them and request that it be corrected or deleted. That is what prompted the recent flurry of emails before the 25th of May, with businesses pleading with you to resubscribe to their lists: they needed your explicit consent so that they could continue to market and sell to you (ahem, aka inform and entertain you).
GDPR is also global in scope insofar as any site that collects or uses personal data from people in the EU (residents, not just citizens) has to comply with it, wherever the site itself is based. In truth it will be interesting to see how this shakes out for non-EU businesses. Some have taken the approach of blocking traffic from the EU rather than falling foul of the new regulation, and that is probably just the start of the unintended consequences. I think in time the GDPR will be pared back significantly, as some of the conditions are quite demanding and the burden will be too onerous for lots of small businesses. But for now GDPR is here, so let’s talk about GDPR for WordPress and what you should do to try to get compliant quickly.
GDPR for WordPress – Here’s A Caveat!
So, first things first, an all-important caveat. I’m not a lawyer, barrister, solicitor or wig wearer of any hue, and as such my interpretation of what you should do to get your WordPress site GDPR compliant is just that, my interpretation. You should do some further reading to help form your own interpretation of GDPR for WordPress sites, and keep on top of it as it may change.
Now, onto the good stuff.
GDPR Compliance for WordPress – What Should You Do?
From helping clients roll out GDPR compliance on their own sites, and from dotting the i’s on my own, here are the steps you should take to try to get your site GDPR compliant.
2. Cookie Notification: Depending on the interpretation of GDPR you follow, you have to give users the choice of which cookies they accept when using your site. This is where things get a bit hazy, and not just in the degree to which you should let users pick their own cookies: your site analytics can get hazy too. If users don’t accept the cookies for, say, Google Analytics, or my favourite, Clicky Analytics, then as a site owner you’ll be flying blind about how many people visit your site, which pages are viewed, how people get there and so on. My practical view is that a cookie notification bar is a reasonable first step: tell users that the site sets cookies and point them at your full privacy policy for details of which ones. One caveat you should be aware of, though: GDPR defines consent as a clear affirmative act, and simply continuing to browse past a banner is not one, so a bar that only informs does not give you consent for analytics cookies. If consent is the basis you are relying on for analytics, the analytics script should not load until the user has actually opted in, and an “essential only” choice should be as easy to pick as “accept”.
3. Personal Data Requests: Another key part of GDPR is allowing users to request their own personal data (and to have it erased). These requests have to be completed without undue delay and at most within one month of receipt. To make this easier, the core WordPress 4.9.6 update gave site admins an Export Personal Data tool and an Erase Personal Data tool (under Tools) which query the WordPress database for what, if any, data is held about a given email address, confirm the request with the user by email, and then build a downloadable export or carry out the erasure. These core tools are great but somewhat limited on their own: out of the box they only know about data that core itself stores (user profiles, comments, media), not what Gravity Forms, WooCommerce, MailChimp or any of the other thousands of services/plugins hold, unless those plugins register their own exporters and erasers with core. One plugin which does query the three services mentioned (as well as some others) is the aptly titled WP-GDPR plugin. It creates a dedicated standalone page where users can request their data from a variety of services. This is an approach I like as, if nothing else, adding these features and tools for users shows that attempts were made to comply with GDPR, and should the rubber hit the road that should stand you in good stead.
4. Checkboxes & Consent Blurbs: The next item to address for GDPR on your WordPress site is to make sure you have checkboxes in place on forms letting users know that you’ll use their data in line with your privacy policy. This may seem like overkill (and I think it is), as ultimately if a user fills in a form on your site (anyone looking to hire a WordPress developer, for example) you’d think they are agreeing to their personal data (name, email, phone number) being used so that the site owner can follow up on their enquiry. Tacit agreement isn’t consent under GDPR, though; consent has to be explicit, unticked by default and recorded, so adding checkboxes to contact forms and consent blurbs to mailing list signups is now recommended. Some schools of thought say the checkboxes aren’t needed on a plain contact form, and there is something to that: answering an enquiry the user asked for can rest on a different lawful basis (steps taken at the request of the data subject before a contract, or legitimate interest) rather than consent. For a mailing list signup, however, consent is the basis, so that box must stay. I still think having checkboxes goes a long way to demonstrating that all efforts were made to be compliant. One word of advice: keep an eye on conversion rates. If they fall off a cliff after adding a checkbox to a contact form it might be worth removing it, provided you have written down the other lawful basis you are relying on for that form; after all you have to keep your business up and running first and foremost, and be compliant thereafter.
5. Monitor, Update & Announce: Once you have the items outlined above in place on your site you should then monitor, update and announce. Monitor any new tools, plugins or services you use that may process personal data. If they warrant a change to your privacy policy, update the policy and announce the change. These announcements can be done via a mail blast or by adding a notice to the homepage letting users know that the privacy policy has been updated.
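Item 2 says that, if you rely on consent for analytics, the analytics script should not load until the visitor opts in. The following is an added example of doing exactly that in WordPress; it is not code from the original post or from any plugin mentioned above. The cookie name, its lifetime, the script URL and the `gdpr_` function names are all placeholders chosen for this example, and the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
/**
 * Plugin Name: Consent-gated analytics (added example)
 * Description: Only loads the analytics script after the visitor has opted in
 *              via a cookie notice. Drop into wp-content/plugins/ to try it.
 */

// Cookie name, lifetime and analytics script URL are assumptions for this
// example; substitute your own.
const GDPR_CONSENT_COOKIE = 'site_cookie_consent';
const GDPR_CONSENT_DAYS   = 180;
const GDPR_ANALYTICS_URL  = 'https://example.com/analytics.js';

// True only when the visitor actively chose "analytics". No cookie = no consent.
function gdpr_has_analytics_consent() {
    return isset($_COOKIE[GDPR_CONSENT_COOKIE]) && $_COOKIE[GDPR_CONSENT_COOKIE] === 'analytics';
}

// The script is held back server-side until consent exists, rather than being
// loaded and then "disabled" in the browser, so no analytics cookie is ever set first.
add_action('wp_enqueue_scripts', function () {
    if (gdpr_has_analytics_consent()) {
        wp_enqueue_script('site-analytics', GDPR_ANALYTICS_URL, [], null, true);
    }
});

// Show the notice until a choice has been made. It is a plain form POSTed to
// admin-post.php, so it works without JavaScript and carries a nonce.
add_action('wp_footer', function () {
    if (isset($_COOKIE[GDPR_CONSENT_COOKIE])) {
        return;
    }
    echo '<div id="cookie-notice"><form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="gdpr_cookie_consent">';
    wp_nonce_field('gdpr_cookie_consent');
    echo 'This site uses essential cookies; with your permission it also sets analytics cookies. ';
    echo 'See the <a href="' . esc_url(get_privacy_policy_url()) . '">privacy policy</a>. ';
    echo '<button type="submit" name="choice" value="analytics">Accept analytics</button> ';
    echo '<button type="submit" name="choice" value="essential">Essential only</button>';
    echo '</form></div>';
});

// Store the choice. Anything other than an explicit "analytics" is treated as a refusal.
function gdpr_store_cookie_choice() {
    check_admin_referer('gdpr_cookie_consent');
    $choice = (isset($_POST['choice']) && $_POST['choice'] === 'analytics') ? 'analytics' : 'essential';
    setcookie(GDPR_CONSENT_COOKIE, $choice, [
        'expires'  => time() + GDPR_CONSENT_DAYS * DAY_IN_SECONDS,
        'path'     => COOKIEPATH ? COOKIEPATH : '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),
        'httponly' => true,   // only the server needs to read this cookie
        'samesite' => 'Lax',  // PHP 7.3+ options-array form of setcookie()
    ]);
    wp_safe_redirect(wp_get_referer() ? wp_get_referer() : home_url('/'));
    exit;
}
add_action('admin_post_nopriv_gdpr_cookie_consent', 'gdpr_store_cookie_choice');
add_action('admin_post_gdpr_cookie_consent', 'gdpr_store_cookie_choice');
```

Two things to check before using this pattern. First, the consent cookie itself is strictly necessary for the site to remember the choice, so it does not need consent of its own. Second, a full-page cache serves the same HTML to every visitor regardless of cookies, so with caching in front of WordPress you must either exclude this cookie from the cache key (vary the cache on it) or move the gating into the browser; otherwise a cached page with the script already in it will be served to visitors who said no. A link that clears the cookie so the visitor can withdraw consent is left out here but should exist on the privacy policy page.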
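Items 3 and 4 fit together: an explicit, unticked-by-default consent box on a contact form, a record of what was consented to, and a way for the core Export and Erase Personal Data tools to see that data, which the text notes they cannot do for plugin data on their own. Here is one added example covering both; it is not code from the original post, from WordPress core or from the WP-GDPR plugin. It assumes a hypothetical table `{$wpdb->prefix}enquiries` (columns `id, name, email, phone, message, created_at, consent_text, policy_version`), a form whose hidden `action` field is `site_enquiry` and which includes `wp_nonce_field('site_enquiry')` and the checkbox helper below (the form markup itself is not shown), and that all `gdpr_` names are invented for the example. The exporter and eraser filters it registers with are the real `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` hooks added in WordPress 4.9.6.

```php
<?php
/**
 * Plugin Name: Enquiry consent and privacy tools (added example)
 * Description: Stores contact-form enquiries only with explicit consent, keeps a record of
 *              that consent, and plugs the rows into the WordPress 4.9.6+ privacy tools.
 */

// Assumed table {$wpdb->prefix}enquiries with columns:
// id, name, email, phone, message, created_at, consent_text, policy_version.
const GDPR_POLICY_VERSION = '2018-05-25'; // bump whenever the privacy policy text changes

function gdpr_enquiries_table() {
    global $wpdb;
    return $wpdb->prefix . 'enquiries';
}

// Consent wording shown beside the checkbox. No "checked" attribute: a pre-ticked box
// is not valid consent. The same wording is stored with the row as evidence.
function gdpr_consent_text() {
    return 'I agree to my name, email, phone number and message being stored and used to respond to this enquiry, as described in the privacy policy.';
}
function gdpr_consent_checkbox_html() {
    return '<label><input type="checkbox" name="consent" value="1"> ' . esc_html(gdpr_consent_text())
         . ' <a href="' . esc_url(get_privacy_policy_url()) . '">Privacy policy</a></label>';
}

// Handler for the enquiry form: refuse anything without the box actively ticked.
function gdpr_handle_enquiry() {
    global $wpdb;
    check_admin_referer('site_enquiry');
    if (!isset($_POST['consent']) || $_POST['consent'] !== '1') {
        wp_die('Please tick the consent box so we can process your enquiry.', 'Consent required',
               ['response' => 400, 'back_link' => true]);
    }
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    if (!is_email($email)) {
        wp_die('A valid email address is required.', 'Invalid input', ['response' => 400, 'back_link' => true]);
    }
    $wpdb->insert(gdpr_enquiries_table(), [
        'name'           => sanitize_text_field(wp_unslash($_POST['name'] ?? '')),
        'email'          => $email,
        'phone'          => sanitize_text_field(wp_unslash($_POST['phone'] ?? '')),
        'message'        => sanitize_textarea_field(wp_unslash($_POST['message'] ?? '')),
        'created_at'     => current_time('mysql', true),  // UTC timestamp of the consent
        'consent_text'   => gdpr_consent_text(),          // what was agreed to ...
        'policy_version' => GDPR_POLICY_VERSION,          // ... and under which policy
    ]);
    wp_safe_redirect(add_query_arg('enquiry', 'sent', wp_get_referer() ? wp_get_referer() : home_url('/')));
    exit;
}
add_action('admin_post_nopriv_site_enquiry', 'gdpr_handle_enquiry');
add_action('admin_post_site_enquiry', 'gdpr_handle_enquiry');

// Exporter: Tools > Export Personal Data calls this with the confirmed email, page by page.
function gdpr_export_enquiries($email_address, $page = 1) {
    global $wpdb;
    $per_page = 100;
    $rows = $wpdb->get_results($wpdb->prepare(
        'SELECT * FROM ' . gdpr_enquiries_table() . ' WHERE email = %s ORDER BY id LIMIT %d OFFSET %d',
        $email_address, $per_page, ($page - 1) * $per_page
    ), ARRAY_A);
    $items = [];
    foreach ($rows as $row) {
        $items[] = [
            'group_id'    => 'enquiries',
            'group_label' => 'Contact form enquiries',
            'item_id'     => 'enquiry-' . $row['id'],
            'data'        => [
                ['name' => 'Name',            'value' => $row['name']],
                ['name' => 'Email',           'value' => $row['email']],
                ['name' => 'Phone',           'value' => $row['phone']],
                ['name' => 'Message',         'value' => $row['message']],
                ['name' => 'Submitted (UTC)', 'value' => $row['created_at']],
                ['name' => 'Consent given',   'value' => $row['consent_text'] . ' (policy ' . $row['policy_version'] . ')'],
            ],
        ];
    }
    return ['data' => $items, 'done' => count($rows) < $per_page];
}
add_filter('wp_privacy_personal_data_exporters', function ($exporters) {
    $exporters['enquiries'] = ['exporter_friendly_name' => 'Contact form enquiries', 'callback' => 'gdpr_export_enquiries'];
    return $exporters;
});

// Eraser: Tools > Erase Personal Data calls this after the user confirms. Return
// items_retained => true with a message instead if a legal duty means rows must be kept.
function gdpr_erase_enquiries($email_address, $page = 1) {
    global $wpdb;
    $deleted = $wpdb->delete(gdpr_enquiries_table(), ['email' => $email_address], ['%s']);
    return ['items_removed' => (bool) $deleted, 'items_retained' => false, 'messages' => [], 'done' => true];
}
add_filter('wp_privacy_personal_data_erasers', function ($erasers) {
    $erasers['enquiries'] = ['eraser_friendly_name' => 'Contact form enquiries', 'callback' => 'gdpr_erase_enquiries'];
    return $erasers;
});
```

The point of storing `consent_text` and `policy_version` alongside the timestamp is that GDPR puts the burden on you to demonstrate that consent was given; a bare "consent = 1" column does not tell you what the person actually agreed to if the wording changes later. With this in place, the core Export tool shows these rows next to the user’s comments and profile data, and the Erase tool removes them when the request is confirmed.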
Getting GDPR Compliant
I hope the above guide has given you a better understanding of what GDPR is all about and some of the steps you should take to try to be compliant with it. Realistically, I think things will be in a state of flux for the next few months (or years) as GDPR beds down. I also think there may be some legal challenges to it in future, so it will be interesting to see how that plays out; keep an ear to the ground so you don’t miss any GDPR related changes. Ultimately, the most important thing to do to get GDPR compliant is to take the first step towards compliance. Don’t fear it!
If you’ve any questions about GDPR, or how to get your WordPress site GDPR compliant, please comment below or get in touch here!