Ever since the implementation of the General Data Protection Regulation (GDPR) by the European Union (EU), every business website needs to inform users about the data that it collects. Severe data breaches at Yahoo, Uber and other companies have brought privacy concerns to the forefront. Making your website GDPR compliant is necessary and helps protect users' data.
Understanding what the GDPR is all about and how to implement it can feel overwhelming. Let’s take a look at what the GDPR act covers and how you can make your site GDPR compliant.
What is the GDPR?
The GDPR is an EU regulation that protects the online privacy of all EU citizens. It covers how personal data is collected and used when users visit and interact with a website. In practice it affects almost every website, since most are likely to get visitors from the EU.
Here are some of the key features of the GDPR that affect businesses:
- All websites must explicitly disclose that they are collecting personal data.
- Businesses must inform individuals about why, how and where they store and process users' data.
- Users have a right to ask for a portable copy of the data collected from them.
- They have the right to have their data erased under some circumstances.
- Businesses with core activities where they collect personal data must have a data protection officer.
- Businesses must report serious breaches of information within 72 hours.
- GDPR violators can be fined up to €20 million or up to 4% of the annual worldwide turnover.
The intent behind the GDPR is to protect people against data breaches. Most websites, WordPress or otherwise, collect personal information in one way or another. If a site uses analytics, WordPress forms, opt-in forms or email marketing, then it is collecting personal information.
Your biggest concern as a website owner is to gain consent from site visitors. According to the GDPR, you have to get explicit consent from EU citizens to collect and process their personal information. Without consent, you cannot share this data with your advertising and remarketing accounts.
Before you begin:
Get expert legal help: When it comes to legal matters, you should always get professional advice. It's a good idea to consult with a lawyer who is well versed in the GDPR. They can guide you to correctly comply with the act.
Review all data collection points on your website: Make a list of the different data collection points on your website. This includes your checkout page, your registration page, logged IP addresses, analytics accounts and others. You're also storing user information if you run a membership site. It's important to cover all these areas so that you get consent wherever information is collected.
How to make your website GDPR compliant
There's good news for WordPress users. WordPress now has GDPR-compliant features as part of its core. To begin making your WordPress site more GDPR compliant, here's what you do:
Update to WordPress version 4.9.6 or higher
WordPress 4.9.6 and the later versions have a number of built-in privacy settings. By updating your WordPress core software, you're on the way to successful GDPR compliance.
Let's look at the new key features of WordPress that adhere to GDPR policy. They include explicit consent in comments, new data export and erase features and a policy generator.
Explicit consent in WordPress comments
In older versions, WordPress automatically stored people's names and details when they filled in the comment form. This ensured that people did not have to retype their information when making a new comment.
Now, WordPress includes a checkbox that people have to manually check. Doing so means that their names and emails are remembered and they don’t have to retype them.
New data export and erase features
WordPress has added two items under Tools in your WordPress dashboard: Export Personal Data and Erase Personal Data.
You can use these to easily export a user's information into a .zip file or completely erase it from your database if they request it. These features help you manage users' personal data more easily and with less manual work.
Policy generator
WordPress has also created a pre-made privacy policy template. This allows you to create a page that informs visitors about what data you store and how you handle it.
You can find the policy generator by going to Settings and Privacy on your dashboard. If you already have a privacy policy page then you can set that under Change your Privacy Policy page.
You can also choose Create New Page. This will create a new page with pre-made content for disclosures and privacy information. There are also helpful headings and suggestions. You will have to create content for these sections.
With these major features in place, WordPress makes it easy for you to take a step towards GDPR compliance. Let's look at some other things you need to take care of.
Additional steps to make your site GDPR compliant
It isn't possible to cover everything you need to know to make your website 100% GDPR compliant. You will need to get legal advice to do so. However, here are some important aspects of your website that you can look after. This will make your website conform to the act more closely.
HTTPS
It is generally a good idea to encrypt traffic to your website. Do this by serving your website over HTTPS, which encrypts data in transit between the visitor's browser and your server, so form submissions and login details cannot be read along the way. There are many other benefits to moving to HTTPS. It also gives visitors to your site a feeling of security and trust.
Contact forms
Users need to be aware that your site will collect their data when they use your contact form. This is the case with any other form on your site such as a registration form or opt-in form.
Create a tick box that users must click to confirm that they accept your terms of service before they click submit. Add a separate tick box so that users consent to receiving further marketing communication from you. Neither tick box may be pre-ticked: users need to click it themselves to give explicit consent. Fortunately, popular contact form plugins like WPForms, Ninja Forms and Contact Form 7 make it easy to add these tick boxes.
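As an added illustration (not code from the original article or from any of the form plugins named above), the snippet below shows the server-side handling of the two tick boxes and a check that your form markup does not pre-tick them. The field names accept_terms and marketing_optin and the policy version string are assumptions for this example.

```javascript
// Added example, not from the original article. Field names and the policy
// version are assumptions; adapt them to your own form.
const CONSENT_FIELDS = ['accept_terms', 'marketing_optin'];

// Browsers omit an unticked checkbox from the submission entirely and send
// its value (default "on") only when ticked, so presence is the only signal.
function isTicked(fields, name) {
  return Object.prototype.hasOwnProperty.call(fields, name) && fields[name] === 'on';
}

// Build a consent record from submitted form fields. Returns null when the
// mandatory terms box was not ticked; marketing consent is recorded
// separately and defaults to false, never to true.
function buildConsentRecord(fields, policyVersion, now = new Date()) {
  if (!isTicked(fields, 'accept_terms')) return null;
  return {
    termsAccepted: true,
    marketingOptIn: isTicked(fields, 'marketing_optin'),
    policyVersion,
    consentedAt: now.toISOString(),
  };
}

// Lint form markup: report any consent checkbox that carries a `checked`
// attribute, which would make the consent implicit rather than explicit.
function findPrecheckedConsentBoxes(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs
    .filter((tag) => /type\s*=\s*["']?checkbox["']?/i.test(tag))
    .filter((tag) => /\bchecked\b/i.test(tag))
    .map((tag) => (tag.match(/name\s*=\s*["']?([^"'\s>]+)/i) || [])[1])
    .filter((name) => CONSENT_FIELDS.includes(name));
}

// Constructed sample markup: the marketing box is wrongly pre-ticked.
const SAMPLE_FORM = `
<form method="post">
  <input type="email" name="email">
  <input type="checkbox" name="accept_terms"> I accept the terms of service
  <input type="checkbox" name="marketing_optin" checked> Send me marketing email
  <button type="submit">Submit</button>
</form>`;
```

Run findPrecheckedConsentBoxes over your rendered form during testing; on SAMPLE_FORM it reports marketing_optin.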
Add a cookie notice
It's necessary to notify users on your site that your website sets cookies. You can do this by creating an overlay with a cookie notification plugin. Some plugins you can use are Cookie Notice and Cookie Consent.
Notifications for policy updates or data breach
Have a system in place to inform users about policy updates and data breaches. You can use an email blast to update users about policy changes. Another helpful way is to use a GDPR compliance plugin to create notifications for you.
Analytics, tracking and remarketing
This refers to any third-party service or plugin you use that collects data. This includes Google Analytics, Google AdWords, remarketing services and e-commerce analytics.
To manage this you need to anonymize the data before storage and processing. Doing so can be complicated if you've manually added Google Analytics to your site. However, you can use a tool or a plugin that automatically connects Google Analytics to your site. Choose one that has GDPR compliance options and can make data anonymization easy.
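As an added example (not code from the original article or from Google), the block below shows the two pieces you need if you added Google Analytics by hand: enable the tag only after the visitor has opted in through your cookie overlay, and anonymise IP addresses. It assumes Google's gtag.js for Universal Analytics, where anonymize_ip is a real config parameter; the measurement ID is a placeholder and the shape of the consent object is an assumption. The anonymizeIp function goes beyond the analytics tag: it applies the same truncation to IP addresses your own forms or logs store.

```javascript
// Added example, not from the original article. Assumes Google's gtag.js
// (Universal Analytics): `anonymize_ip` is a real config parameter there.
// The measurement ID is a placeholder and the consent object shape
// ({ analytics: true }) is an assumption for this illustration.
const MEASUREMENT_ID = 'UA-XXXXXXX-X'; // placeholder, replace with your own

// Return the gtag() arguments to apply, or null when the visitor has not
// opted in. Only an explicit `true` counts; absent or undefined means no.
function analyticsConfig(consent) {
  if (!consent || consent.analytics !== true) return null;
  return ['config', MEASUREMENT_ID, { anonymize_ip: true }];
}

// Browser wiring: call this once the cookie overlay has recorded a choice.
// Returns whether tracking was enabled; does nothing outside a browser.
function applyAnalyticsConsent(consent) {
  const args = analyticsConfig(consent);
  if (args && typeof window !== 'undefined' && typeof window.gtag === 'function') {
    window.gtag(...args);
  }
  return args !== null;
}

// Anonymise an address the way anonymize_ip does: zero the last octet of an
// IPv4 address and the last 80 bits (five of eight groups) of an IPv6 one.
// Use this for IP addresses your own forms or logs store, before saving them.
// Returns null for input that is not a valid IPv4 or IPv6 address.
function anonymizeIp(ip) {
  const s = ip.trim();
  const v4 = s.split('.');
  if (v4.length === 4 && v4.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) {
    return `${v4[0]}.${v4[1]}.${v4[2]}.0`;
  }
  if (!s.includes(':')) return null;
  const parts = s.split('::'); // at most one "::" is allowed in IPv6
  if (parts.length > 2) return null;
  const left = parts[0] ? parts[0].split(':') : [];
  const right = parts[1] ? parts[1].split(':') : [];
  const pad = 8 - left.length - right.length;
  if (pad < 0 || (parts.length === 1 && pad !== 0)) return null;
  const groups = [...left, ...Array(pad).fill('0'), ...right];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return `${groups.slice(0, 3).join(':')}::`;
}
```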
WooCommerce
If you're using WooCommerce for your online store, then you can use its built-in tools to manage user privacy. Go to WooCommerce Settings, then the Accounts & Privacy tab. Enable the options for personal data retention. Also, enable the options for erasure and the privacy policy.
Add the necessary information and disclosure to your WooCommerce privacy policy. It is helpful to add information especially related to shopping and payment security.
Implementing GDPR creates a good impression in visitors' minds. Nearly 88% of consumers who are ready to share personal information want transparency about how businesses use their information. Adding GDPR policies helps you and your business more than it inconveniences it.
GDPR compliance benefits individuals and businesses
Although the GDPR act may seem intimidating, it is actually beneficial to everybody. It aims to prevent future data breaches and protects people and businesses.
It ensures that people’s personal information is not misused. Companies are more vigilant about how they collect and manage data. It also creates more trust in those businesses that do comply with the GDPR act. You can take several steps right away to inform users about how you collect and use data. You’ll be able to implement the GDPR requirements by following the suggestions here and engaging with your users.