Update 8th May 2018: As of the 15th of May 2018 a new version of WordPress is being released that will natively allow opt-in consent boxes for comments/reviews, individual user data deletion and more. That’s a lot less head scratching needed!

If you haven’t heard of the General Data Protection Regulation (GDPR) and its far-reaching impact on the way that all businesses process and handle data, we’ll assume that you’ve been in hiding. It is now not long until the GDPR comes into effect on the 25th May 2018. This new regulation will take over from the largely outdated Data Protection Act, tightening requirements for companies that collect, process and store data. If this comes as surprising news to you, don’t worry – there is still time to implement processes and procedures to ensure you are compliant with the new EU legislation.

For the purposes of this post, we assume that you have done a little research already on what this new regulation means for the internal running of your business (if you have no idea, brush up a little here) and want to focus specifically on working towards a GDPR compliant website. Even if you’re comfortable with what the GDPR broadly means, we understand that it can still be confusing to translate this into a practical to-do list. We’ve done a vast amount of research and have compiled a guide that you can follow step by step. Please note that your responsibilities under the GDPR regarding social media, email and anything else digital or otherwise are outside of the scope of this guide – you’ll need to do a little more research for these areas.

Step 1. What data are you collecting at the moment and why?

There will be different types of data that you collect about people through your website. This may be through individuals leaving comments, through cookies that you rely on for analytics or remarketing as well as your contact forms and newsletter signups. The first step to becoming GDPR compliant is to understand where this data is specifically collected and stored.

  • Cookies/Pixels: Analytics software and tracking pixels both rely on the use of cookies and will include data that is personally identifiable (e.g. IP addresses). If you’re not sure whether your site is collecting data and setting cookies you can follow a great guide to find out here.
  • Website enquiry forms: Individuals will be filling in at the very least their name and email address.
  • Newsletter signups: Again, you may be collecting email addresses as well as names when people sign up to your newsletter.
  • User accounts: If your website allows users to create an account with you then you’ll be collecting and storing names, telephone numbers, addresses and more.
  • Comment boxes: Every time somebody leaves a comment on your website you will typically be storing their name, website and email address.
  • Social media account connections: Social sharing functions tend to set cookies in a browser that will include identifiable information.
  • CRM connection: Does your website sync data to connected systems like Hubspot or Salesforce?
  • Plugins: Are any of your plugins collecting data from your website or setting cookies?

Once you know specifically what data you are collecting and where you are collecting it from, you need to determine three things:

What are you using the data for?

Are you using the data stored for the purposes that you originally stated? It’s fine if you are holding email addresses for your newsletter but there may be other instances where you should not be holding data. For example, you can no longer send promotional emails to individuals who bought from you, unless they specifically consented to be added to an email marketing list.

Where is the data being stored?

Is the data stored in a way that is secure and minimises the risk of a data breach? Encryption and pseudonymisation are best practice here.

Do you still need the data?

The easiest way to comply with the GDPR is simply to delete data that you don’t need anymore. If you have a list of emails that you used years back for a specific promotion, it may be safer to delete this now. Equally, if you collect birth dates on your sign up forms but have no good reason to do this, stop now!

A note about third party data processors

If you collect data and pass it to another company to be stored, these organisations are now classed as third party data processors. Examples of these would be using Mailchimp to store your email subscriber list, Google if you monitor website use through Google Analytics or Hubspot to store your marketing contacts. You will most likely have identified a number that you use through your audit of the above list.

It is your responsibility to check their respective privacy policies and make sure that they are GDPR compliant. We have no doubt that all companies that deal with EU users will be working towards GDPR compliance, but if you can’t find any evidence that they are doing so you should switch to another provider that is. It is also your responsibility to ensure that the transfer of this data is secure.

Step 2. Now that you know what, where and why data is collected, what do you do now?

There are now a number of things that you’ll need to change on your website so that you are GDPR compliant. Most of these will centre around ensuring that users can consent to the collection and use of their data. As per the GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” This means no more auto-ticked consent boxes, or assumed cookie consent banners.

Go through these points one by one, determine whether or not they apply to your website and if they do, implement the changes required.

Cookies and consent

From the 25th May, users must be able to consent to specific types of cookies when they first visit your website. You can no longer state that a user who continues to browse your site automatically consents to your use of cookies. Nor can you restrict the use of your website if a user does not consent to cookies, as this is not a situation where consent is “freely given”.

Fortunately there are a number of solutions online that can help you implement this functionality, each with pros and cons. This is not an exhaustive list – the GDPR has created a market for such tools and there are sure to be many more about, so do a bit of research.

Cookiebot: A great automated option that allows users to select which cookies they consent to. Better in some ways than the others as it automatically scans for and finds your cookies, so there’s little effort needed to get started. Unfortunately the free version only supports websites of up to 100 pages – great for small websites, but if you’re blogging regularly you’ll probably need a paid option.

cookiebot.com/en/

Civic UK: A nice looking interface that allows users to consent to different types of cookies. Takes a little more to set up than Cookiebot but there’s no limit to the size of your site (although you can upgrade for styling options and more). Also available as a WordPress Plugin.

https://www.civicuk.com/cookie-control/v8/download

Some other plugins: We haven’t used these, but two promising-looking WordPress plugins that should help you achieve GDPR compliance are:

https://codecanyon.net/item/weepie-cookie-allow-easy-complete-cookie-consent-plugin/10342528
https://en-gb.wordpress.org/plugins/cookie-notice/

Your third party processors

This is another reminder that you need to determine whether your third party processors (like Hubspot, Mailchimp, Salesforce and Mizmoz) are already GDPR compliant or will be before the deadline. Move to another provider if you find that they are not. Again, also ensure that the transfer of this data to your third party processors is secure.

If you use Google Analytics, Google have been proactive with compliance around the GDPR and will soon introduce required features such as the ability to delete individual visitor information. Specifically you are required to agree to the new contractual terms and conditions as well as choose a time period for which data will be retained. This should have been explained to you in an email on the 11th April 2018 but if not, log into your account and you will see what you need to do. You’ll also need to add a legal entity to your Analytics account through the 360 suite and add at least one primary contact that is your organisation’s data protection officer and contact for anything GDPR related.

Since Analytics relies on cookies to function, you’ll need to set up your consent correctly so that you lose no data and avoid breaching GDPR requirements. As IP addresses are collected through Analytics, you have two options. The first is to include your Analytics cookies among those that the user can consent to. This is the easy option, but if users decide not to opt in you’ll lose a great deal of insight into how your website is being used. The second and preferred method is to amend your tracking code so that IP addresses are anonymised. This means you do not need consent to use them; you just need to tell your website visitors that they are in use. You can do this simply by amending your code as below:

This is how the tracking code normally looks:

(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('send', 'pageview');

Simply add “ga('set', 'anonymizeIp', true);” to anonymise IP addresses, as per the below:

(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('set', 'anonymizeIp', true);   // mask visitor IPs before any hit is sent
ga('send', 'pageview');
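As an added example (not code from the original post), the following reproduces the command queue that the snippet above creates and gates the create/set/send calls behind the visitor’s analytics consent; the consent object shape and the audit helper are assumptions, and loading analytics.js itself is left out so the block runs offline.

```javascript
// Added example (not part of the original post): a consent-gated analytics.js
// bootstrap that reproduces the command queue (ga.q) the official snippet
// creates, so the order of commands can be checked offline. The consent
// object shape {analytics: true|false} is an assumption; feed it from your
// cookie-consent tool. Loading analytics.js itself is deliberately omitted.

// Stand-in for `window` so the example runs in Node as well as a browser.
function makeWindow() {
  return {};
}

// Same queue stub the snippet installs: every ga(...) call is recorded in
// ga.q until analytics.js loads and replays the queue in order.
function installGaStub(win) {
  win.GoogleAnalyticsObject = 'ga';
  win.ga = win.ga || function () {
    (win.ga.q = win.ga.q || []).push(Array.prototype.slice.call(arguments));
  };
  win.ga.l = Date.now();
  return win.ga;
}

// Issue the tracking commands only once the visitor has opted in to analytics
// cookies. Until then nothing is queued, so no _ga cookie is written.
// anonymizeIp is set BEFORE the first send, so the pageview hit already
// carries a masked IP (Google documents that it zeroes the last IPv4 octet).
function initAnalytics(win, consent, propertyId) {
  if (!consent || consent.analytics !== true) {
    return false;
  }
  const ga = installGaStub(win);
  ga('create', propertyId, 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
  return true;
}

// Expose the queued commands for inspection (or for a unit test).
function queuedCommands(win) {
  return win.ga && win.ga.q ? win.ga.q : [];
}

// Audit helper (assumed, not a Google API): true only if anonymizeIp is set
// and precedes every 'send'. Run it against a captured queue to catch a
// snippet where the set call was pasted after the pageview, which would
// send one hit with the full IP.
function anonymizeIpPrecedesSend(commands) {
  const setIdx = commands.findIndex(
    c => c[0] === 'set' && c[1] === 'anonymizeIp' && c[2] === true
  );
  const sendIdx = commands.findIndex(c => c[0] === 'send');
  return setIdx !== -1 && (sendIdx === -1 || setIdx < sendIdx);
}
```

Whichever consent tool you use, keep the set call before the first send: a tracker setting only applies to hits sent after it.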

 

SSL Certificate

You will need to invest in an SSL certificate for your website if you haven’t already. As well as having benefits for SEO and building trust with visitors, this is the most secure way to transmit and receive user data. You can invest in a branded SSL certificate through your web hosting company or work with a developer to install a free certificate through the Let’s Encrypt service.

Anonymisation of data

The GDPR encourages the use of anonymisation and pseudonymisation for any data that you collect from your website visitors. By default, no CMS we have ever worked with does this at the moment. It is quite possible to hire a developer to implement this change, but it is likely to be a complicated and lengthy job. An SSL certificate also provides a small measure of protection here (for data in transit) as a starting point.

Fortunately at present you only need to be working towards this standard and we have full faith in the various development teams around the world to eventually make this possible.

Newsletter signups/email opt ins/lead magnets

Your newsletter or email opt-in boxes now need to include some additional information and options. Firstly, you need to state why a user’s personal data is needed – in this instance something like “Enter your email address to receive our weekly newsletter” will be fine.

Most crucially, you will need to include an opt-in box that ensures the visitor understands how you will handle their data – an example would be “Tick the box to agree to the processing of your data as per our Privacy Policy.” Linking to your privacy policy here ensures that the user has the opportunity to understand how to delete/download the data at any time and how to opt out (more on what you need to amend in your cookie/privacy policies below). A log of when they agreed to the terms must also be recorded somewhere so that it can be recovered and provided to the user if they request it.

And lastly, if you’re collecting more data than you need (e.g. date of birth), you’ll need to make it clear why you want that personal piece of data. For this reason, if you don’t need it, don’t ask for it.

Note: It’s unclear whether a double opt-in will be sufficient for the GDPR (although it is already good practice). We’ll update you when we know more.

Enquiry forms

Similar to the above, you will now need to amend any of your contact forms that collect any sort of data. At the very least you need to make sure your site has an SSL certificate and that details are not stored in the website’s SQL database unless they are stored encrypted (most forms should email you the details by default). If they are emailed to you, you need to check your email provider’s privacy policy to ensure GDPR compliance.

As before, you’ll need a consent tick box for the handling of data, and you must remove any pre-ticked boxes that automatically sign the enquirer up to a newsletter.

User account creation

If you allow users to create accounts on your website you’ll be storing a lot of data about them. If you are an e-commerce store then this will include names, addresses and more. The main thing you need to do to comply with this requirement is to ensure that users consent to you holding this information, are told why you are collecting it, and understand how it will be handled. Again this is a case of gaining explicit consent by implementing a tick box alongside a link to your privacy policy.

Remember that if a user consents to you holding their information, this does not give you permission to add them to your newsletter or use the information for anything other than what you have stated within your original consent form.

Comment/Review boxes

Comment boxes and reviews are a bit tricky at the moment. If you use WordPress or most other common CMSs then every time somebody leaves a comment on your website you will be storing their name, website and email address at the least. To be GDPR compliant you are required to add yet another tick box so that users can explicitly consent once again.

It’s difficult to add a checkbox to WordPress comment boxes without a plugin, but if you can afford to add one more then we’d recommend:

Comment Policy Checkbox

If you don’t want to add another plugin, you have two options. The first is the simplest – you can just disable comments. If you desperately need comment functionality for things like product reviews, the second option is to ensure that users consent to you handling this data when they create an account. Then all you need to do is ensure that users have to be logged in to leave a comment or review.

For WooCommerce or extended functionality:

If your website does more than a standard brochure site, for example you accept membership subscriptions or sell products, then you’ll have a bit more to do.

  • WooCommerce Terms & Conditions (Checkout page) – You’ll need to amend this content (as per below) and ensure this page is set in the WooCommerce settings.
  • WooCommerce Privacy Policy (Checkout page) – You’ll need to amend this content (as per below) and ensure this page is set in the WooCommerce settings.
  • WooCommerce/Paid Memberships Pro user registration (My Account page) – As per the above, ensure users have to consent both to their data being handled in the way you set out in your privacy policy and to your terms and conditions.
  • WooCommerce Cart Abandonment (Checkout page) – Functionality like this is a bit tricky, as it records a visitor’s email address and emails them with no easy way for them to consent. The best advice we have for this one is to pick a plugin that is compliant, or disable this functionality until developers can implement features to ensure GDPR compliance.
  • Payment gateways – If you use a payment gateway like PayPal, you need to make sure that the payment gateway’s privacy policies are checked and referenced in your own privacy policy, in the same way that you have detailed your third party processors. If they are UK (or European) based, they will need to be GDPR compliant; if US-based, Privacy Shield compliant.

Step 3. Updating your Cookies and Privacy policy to reflect your GDPR compliance.

You now have a duty to outline a number of elements that you did not have to pre-GDPR. This includes what data you collect, why you collect it and how you handle it. You also need to make users aware of their rights under the GDPR and how they can exercise them.

A user now has the below rights with regards to their personal information:

  • The right to be informed
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to access

You will have covered two of these – the right to be informed and the right to object – within your new cookie functionality and opt-in boxes (it’s also wise to state which specific cookies you use and why in your policy too). However, you still need to outline the process that an individual would have to follow to exercise the rest. Do your visitors need to send you an email, fill in an online form or send you a request in writing to delete or access their data? How long will this process take? Make sure you set out the process for a user to ask to have all the data you hold about them permanently removed from your system, and who to contact to find out what data is held about them and how it is being used.

You also need to include your Data Protection Officer’s details somewhere within this document, as well as the process to begin a Subject Access Request (SAR) for full disclosure of the data held by the site.

Within your privacy policy you now also need to include complete information on all of these areas:

  • What data you collect
  • Why you collect this data/What you do with the data
  • How you obtain this data
  • How long you retain this information
  • How secure this data is, in terms of encryption and accessibility
  • Who you share data with (remember your third party processors from before!) as well as any partners or business subsidiaries

If you would like to see a GDPR compliant cookie and privacy policy, you can view ours on https://liampedleydesign.co.uk/terms.

Bonus:

If you want to go even further to implement GDPR functionality within your WordPress website, it might be worth looking at these plugins. If you’ve followed this guide thoroughly then you will be compliant; however, these plugins will allow you to automate data requests, removal of data and much more. Useful if you have space for another plugin!

https://wordpress.org/plugins/gdpr-personal-data-reports/
https://wordpress.org/plugins/gdpr/

Final thoughts

We hope you’ve found this guide to be useful and that you are now working to be GDPR compliant. If you have any issues getting to a point where you comply with the new regulation, we’re well practised at adjusting websites so that they are. If you’d like to have a chat with us about how we can help, get in touch. Further reading can be found here.

Disclaimer: This article was prepared by Liam Pedley as non-authoritative guidance. Neither Liam Pedley Design nor the author accepts any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.

How To Make Your Website GDPR Compliant: A Practical Guide, last modified 2018-05-03T10:00:22+00:00 by Liam Pedley