Update 8th May 2018: As of the 15th of May 2018 a new version of WordPress is being released that will natively allow opt in consent boxes to comments/reviews, individual user data deletion and more. That’s alot less head scratching needed!
If you haven’t heard of the General Data Protection Regulation (GDPR) and it’s far reaching impact on the way that all businesses process and handle data, we’ll assume that you’ve been in hiding. It now isn’t long until the GDPR comes into effect on the 25th May 2018. This new regulation will take over from the largely outdated Data Protection Act, tightening requirements for companies that collect, process and store data. If this comes as surprising news to you, don’t worry – there is still time to implement processes and procedures to ensure you are compliant with the new EU legislation.
For the purposes of this post, we assume that you have done a little research already on what this new regulation means for the internal running of your business (if you have no idea, brush up a little here) and want to focus specifically on working towards a GDPR compliant website. Even if you’re comfortable with what the GDPR broadly means, we understand that it can still be confusing to translate this into a practical to do list. We’ve done a vast amount of research and have compiled a guide that you can follow step by step. Please note that your responsibilities under the GDPR regarding social media, email and anything else digital or otherwise are outside of the scope of this guide – you’ll need to do a little more research for these areas.
Step 1. What data are you collecting at the moment and why?
There will be different types of data that you collect about people through your website. This may be through individuals leaving comments, through cookies that you rely on for analytics or remarketing as well as your contact forms and newsletter signups. The first step to becoming GDPR compliant is to understand where this data is specifically collected and stored.
– Website enquiry forms: Individuals will be filling in at the very least their name and email address.
– Newsletter signups: Again, you may be collecting email addresses as well as names when people sign up to your newsletter.
– User accounts: If your website allows users to create an account with you then you’ll be collecting and storing names, telephone numbers, addresses and more.
– Comment boxes: Every time somebody leaves a comment on your website you will be typically storing their name, website and email address.
– Social media account connections: Social sharing functions tend to set cookies in a browser that will include identifiable information.
– CRM Connection: Does your website sync data to connected systems like Hubspot or Salesforce?
– Plugins: Are any of your plugins collecting data from your website or setting cookies?
Once you know specifically what data you are collecting and where you are collecting it from, you need to determine three things:
What are you using the data for?
Are you using the data stored for the purposes that you originally stated? It’s fine if you are holding email addresses for your newsletter but there may be other instances where you should not be holding data. For example, you can no longer send promotional emails to individuals who bought from you, unless they specifically consented to be added to an email marketing list.
Where is the data being stored?
Is the data stored in a way that is secure and minimises the risk of a data breach? Encryption and Pseudonymisation would be best practice here.
Do you still need the data?
The easiest way to comply with the GDPR is simply to delete data that you don’t need anymore. If you have a list of emails that you used years back for a specific promotion, it may be safer to delete this now. Equally, if you collect birth dates on your sign up forms but have no good reason to do this, stop now!
A note about third party data processors
If you collect data and pass it to another company to be stored, these organisations are now classed as third party data processors. Examples of these would be using Mailchimp to store your email subscriber list, Google if you monitor website use through Google Analytics or Hubspot to store your marketing contacts. You will most likely have identified a number that you use through your audit of the above list.
It is your responsibility to check their respective privacy policies and make sure that they are GDPR compliant. We have no doubt that all companies that deal with EU users will be working towards GDPR compliancy, but if you can’t find any evidence that they are doing this you should switch to another provider that is. It is also your responsibility to ensure that the transfer of this data is secure.
Step 2. Now that you know what, where and why data is collected, what do you do now?
There are now a number of things that you’ll need to change on your website so that you are GDPR compliant. Most of these will centre around ensuring that users can consent to the collection and use of their data. As per the GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” This means no more auto-ticked consent boxes, or assumed cookie consent banners.
Go through these points one by one, determine whether or not they apply to your website and if they do, implement the changes required.
Cookies and consent
Fortunately there are a number of solutions online that can support you to implement this functionality, all with pros and cons. This is not an exhaustive list – with the GDPR being an opportunity we are sure there are many more tools about so do a bit of research.
Cookiebot: A great automated option that allows users to select which cookies they consent for. Better in some ways than others as it automatically scans and finds your cookies so there’s little effort needed to get started. Unfortunately the free version only supports websites that are up to 100 pages – great for small websites but if you’re blogging regularly you’ll probably need a paid option.
Civic UK: A nice looking interface that allows users to consent to different types of cookies. Takes a little more to set up than Cookiebot but there’s no limit to the size of your site (although you can upgrade for styling options and more). Also available as a WordPress Plugin.
Some other plugins: We haven’t used these, but two promising looking WordPress plugins that should help you achieve GDPR compliancy are:
Your third party processors
This is another reminder that you need to determine whether your third party processors (like Hubspot, Mailchimp, Salesforce and Mizmoz) are already GDPR compliant or will be before the deadline. Move to another provider if you find that they are not. Again, also ensure that the transfer of this data to your third party processors is secure.
If you use Google Analytics, Google have been proactive with compliance around the GDPR and will soon introduce required features such as the ability to delete individual visitor information. Specifically you are required to agree to the new contractual terms and conditions as well as choose a time period for which data will be retained. This should have been explained to you in an email on the 11th April 2018 but if not, log into your account and you will see what you need to do. You’ll also need to add a legal entity to your Analytics account through the 360 suite and add at least one primary contact that is your organisation’s data protection officer and contact for anything GDPR related.
Since Analytics relies on cookies to function, you’ll need to ensure you set up your consent correctly so you lose no data and avoid breaching GDPR requirements. As IP addresses are collected through Analytics, you have two options. The first is to include your Analytics cookies within those that the user can consent to. This is an easy option but may mean that if users decide to not opt in, you’ll lose vast insight into how your website is being used. The second and preferred method is to amend your tracking code so that IP addresses are anonymised. This means you do not need consent to use them and just need to notify your website visitors of their integration. You can do this simply by amending your code as per the below:
This is how the tracking code normally looks:
ga('create', 'UA-XXXXXXXX-X', 'auto');
Simply add “ga(‘set’, ‘anonymizeIp’, true);” to anonymise IP addresses, as per the below:
ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('set', 'anonymizeIp', true);
You will need to invest in an SSL certificate for your website if you haven’t already. As well as having benefits for SEO and building trust with visitors, this is the most secure way to transmit and receive user data. You can invest in a branded SSL certificate through your web hosting company or work with a developer to install a free certificate through the Let’s Encrypt service.
Anonymisation of data
The GDPR encourages the use of anonmyisation and pseudonymisation for any data that you collect from your website visitors. By default no CMS we have ever worked with does this at the moment. It is quite possible to hire a developer to work on implementing this change but it is likely to be quite a complicated and lengthy job. An SSL certificate will also provide a small measure of protection here as a starting point.
Fortunately at present you only need to be working towards this standard and we have full faith in the various development teams around the world to eventually make this possible.
Newsletter signups/email opt ins/lead magnets
Your newsletter or email opt in boxes need to now include some additional information and options. Firstly, you need to state why a user’s personal data is needed – in this instance something like “Enter your email address to receive our weekly newsletter“ will be fine.
And lastly, if you’re collecting more data than you need (e.g. date of birth), you’ll need to make it clear why you want that personal piece of data. For this reason, if you don’t need it, don’t ask for it.
Note: It’s unclear whether a double opt in will be sufficient for GDPR (although it is already good practice). We’ll update you when we know more.
As before you’ll need a consent tick box for the handling of data and remove all pre-ticked boxes to automatically sign the enquirer up to a newsletter.
User account creation
Remember that if a user consents to you holding their information, this does not give you permission to add them to your newsletter or use the information for anything other than what you have stated within your original consent form.
Comment boxes and reviews are a bit tricky at the moment. If you use WordPress or most other common CMS’ then every time somebody leaves a comment on your website you will be storing their name, website and email address at the least. To be GDPR compliant you are required to add yet another tick box so that users can explicitly consent once again.
It’s difficult to add a checkbox to WordPress comment boxes without a plugin, but if you can afford to add one more then we’d recommend:
If you don’t want to add another plugin, you have two options. The first is the most simple – you can just disable comments. If you desperately need comment functionality for things like product reviews, the second option is to ensure that users consent for you to handle this data when they create an account. Then all you need to do is ensure that users have to be logged in to leave a comment or review.
For Woocommerce or extended functionality:
If your website does more than a standard brochure site, for example you accept membership subscriptions or sell products, then you’ll have a bit more to do.
WooCommerce Terms & Conditions (Checkout page) – You’ll need to amend this content (as per below) and ensure this page is set in WooCommerce settings.
WooCommerce Cart Abandonment (Checkout page) – Functionality like this is a bit tricky, as it will record a visitor’s email address and email them with no easy way for them to consent. The best advise we have for this one is pick a plugin that is compliant, or disable this functionality until developers can implement features to ensure GDPR compliancy.
You now have a duty to outline a number of elements that you didn’t pre-GDPR. This includes what data you collect, why you collect it and how you handle it. You also need to make a user aware of their rights under the GDPR and how they can exercise them.
A user now has the below rights with regards to their personal information:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right to access
You will have covered two of these – the right to be informed and the right to object – within your new cookie functionality and opt in boxes (it’s also wise to include what specific cookie you use and why in your policy too). However you still need to outline the process that an individual would have to follow to achieve the rest. Do your visitors need to send you an email, fill in an online form or send you a request in writing to delete or access their data? How long will this process take? Make sure you display the process for a user to ask to have all the data you hold about them permanently removed from your system and who to contact to find out what data is held about a user and request how it’s being used.
You also need to include your Data Protection Officer’s details somewhere within this document as well as the process to begin a SAR ‘Subject Access Request’ for full disclosure of data held by the site.
- What data you collect
- Why you collect this data/What you do with the data
- How you obtain this data
- How long you retain this information
- How secure this data is, in terms of encryption and accessibility
- Who you share data with (remember your third party processors from before!) as well as any partners or business subsidiaries
If you want to go even further to implement GDPR functionality within your WordPress website, it might be worth looking at these plugins. If you’ve followed this guide thoroughly then you will be compliant, however these plugins will allow you to automate data requests, removal of data and much more. Useful if you have space for another plugin!
We hope you’ve found this guide to be useful and that you are now working to be GDPR compliant. If you have any issues getting to a point where you comply with the new regulation, we’re well practised at adjusting websites so that they are. If you’d like to have a chat with us about how we can help, get in touch. Further reading can be found here.
Disclaimer: This article was prepared by Liam Pedley as non-authoritative guidance. Neither Liam Pedley Design or the author accepts any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.