Help with GDPR
What is GDPR and how to comply
New Data Laws
I’m sure many of you have heard about GDPR (General Data Protection Regulation) the new European data protection laws that come into effect on May 25th. We have been busy reading about what this means for us and our customers…
The short version is that the GDPR says that users have complete control over their data, and you have to tell them why YOU need it. At which point, they can give the go-ahead or not.
Practically, however, it’s a little more complicated than that.
Your Website and the GDPR
Data trickles and flows between our sites and users, and GDPR says that it’s up to us to manage our sites well enough so that users can manage their data. Even though this is a regulation passed by the EU, it affects pretty much the entire world. Because if you collect a bit or a byte of data from a person in EU (regardless of your own location), you are subject to this law because you then have information owned by an EU citizen. And if you are found to have been in non-compliance, you can be fined up to 20 million Euros.
That’s scary for a lot of people. But it doesn’t have to be.
The good news is that your website is almost certainly built on the WordPress platform and there are a dedicated team of WordPress Core contributors working on GDPR-proofing the Core code before May 25. They have a website (and associated Slack channel) set up where admins and devs can keep up with the progress and to see what you need to do to get yourself (and your clients) in compliance.
Here’s the breakdown of what you’re responsible for:
- Explaining who you are, how long you are keeping the data, why you need it, and who on your team or externally has access to it
- Getting explicit and clear consent to collect data through an opt-in
- Giving users access to their own data, the ability to download it, and to delete it from your records completely
- In the event of a hack or security breach, letting your users know about it
For longer-form explanations of GDPR, you can check out Elegant Themes overview of data regulations in 2018, the official European Commission infographic on GDPR, and the official support post from Automattic regarding WordPress and the GDPR.
How do I make sure that I comply with GDPR?
All that said, you need to know what you can do to comply with the GDPR. So here are some specific, actionable steps you can take to keep yourself (and your user’s data) safe.
The GDPR Opt-In
The single most important aspect of all this is the GDPR opt-in. Lets be clear on this. An opt-in is under no circumstances the same thing as an opt-out. The EU has said that you must “get their clear consent to process the data.” That means that users have to explicitly say YES, not only have the option to say no.
Here’s an example: you have an online shop, and maybe you use WooCommerce. When users get to your checkout page, you have a checkbox that reads “[x] Yes, I want to sign up for your amazing email list!”
No problem, right? If you have the box checked by default, you are at fault. That is giving them the chance to opt-out. That’s not what the GDPR opt-in rule says. They must explicitly choose to share their information with you.
The same thing goes for comment sections that automatically subscribe people to a comment thread, or any kind of automated contact that is not directly user-initiated. (Pop-up chat boxes can be okay because that’s not reaching into their data, but could still be affected under the GDPR’s pseudonymisation clause.)
Your #1 goal is to take nothing by default. And honestly, take as little information as possible when you do get explicit permission.
Ask for the Bare Minimum of Information
A lot of websites, forms, plugins and shops ask for information they really don’t need. In general, a good rule of thumb is to ask for as little information as possible from your users. If you don’t need their names, don’t take them. Or maybe only their first name? Sometimes, all it takes is their email to get your job done.
That is not to say that you can’t ask for the other information. The GDPR simply says you have to tell people why you need it. If you’re asking for their first and last name, tell them why. If you ask for their birthday, make it clear that you send out vouchers as birthday gifts for example. Due to GDPR, there is no more asking for info “just in case” or “for future, undetermined projects.”
Many forms and plugins let you include a note next to the primary label, so if you have a field for phone numbers, you can have a note that says “We ask for your phone number so our customer service representatives can complete the set up process for your custom orders.”
Additionally, when you’re asking for information, the EU says you have to disclose “who you are […], how long it will be stored, and who receives it.” How and when you have to disclose this information can differ. Most importantly you have to tell people who YOU are at the same time you make the request for their data. This can be a sentence or a brief paragraph.
“This website’s data is handled by R.J. Keene, the CEO of Awesomestuff International and its subsidiaries.”
“Data submitted by this form will be used by Awesomestuff International and no one else”
Both will work.
That means, your contact form, sign-up form, checkout pages or wherever users may be giving you their info needs to clearly identify who you are and how you intend to use the collected data.
- How to access and download a complete record of any data you have on them
- The process through which users can fully delete their data from your records (and not simply unsubscribe, etc.) as a part of the ‘right to be forgotten’ laws previously passed in the EU
- Exactly how you will inform users of data breaches if they ever happen
- Detailed explanations of who you are, what you use the data for, who has access to it, and how long you retain it
Sounds Like a Lot, Right?
Luckily, you’re not on your own. There are teams of open source developers hard at work building plugins and updating existing ones to help with GDPR opt-in and compliance. There are still many details you will have to work out for your own business, but we are also here to help with any site specific changes you may need.
Basically, to make your site GDPR compliant you need to make sure you are transparent with people. Let them know what your doing, don’t ask for extraneous information, and let them opt-in to giving it to you, rather than you taking it by default.
Further Reading . . .
We have written the following articles on how to comply with GDPR. If you have any questions please get in touch.