Help with GDPR
What is GDPR and how to comply
New Data Laws
I’m sure many of you have heard about GDPR (General Data Protection Regulation), the new European data protection law that comes into effect on May 25th. We have been busy reading about what this means for us and our customers…
The short version is that the GDPR says that users have complete control over their data, and you have to tell them why YOU need it. At which point, they can give the go-ahead or not.
Practically, however, it’s a little more complicated than that.
Your Website and the GDPR
Data trickles and flows between our sites and users, and GDPR says that it’s up to us to manage our sites well enough that users can manage their data. Even though this is a regulation passed by the EU, it affects pretty much the entire world: if you collect a bit or a byte of data from a person in the EU (regardless of your own location), you are subject to this law, because you then hold information owned by an EU citizen. And if you are found to have been in non-compliance, you can be fined up to 20 million Euros.
That’s scary for a lot of people. But it doesn’t have to be.
The good news is that your website is almost certainly built on the WordPress platform, and there is a dedicated team of WordPress Core contributors working on GDPR-proofing the Core code before May 25. They have a website (and associated Slack channel) set up where admins and devs can keep up with the progress and see what you need to do to get yourself (and your clients) into compliance.
Here’s the breakdown of what you’re responsible for:
- Explaining who you are, how long you are keeping the data, why you need it, and who on your team or externally has access to it
- Getting explicit and clear consent to collect data through an opt-in
- Giving users access to their own data, the ability to download it, and to delete it from your records completely
- In the event of a hack or security breach, letting your users know about it
For longer-form explanations of GDPR, you can check out Elegant Themes’ overview of data regulations in 2018, the official European Commission infographic on GDPR, and the official support post from Automattic regarding WordPress and the GDPR.
How do I make sure that I comply with GDPR?
All that said, you need to know what you can do to comply with the GDPR. So here are some specific, actionable steps you can take to keep yourself (and your users’ data) safe.
The GDPR Opt-In
The single most important aspect of all this is the GDPR opt-in. Let’s be clear on this. An opt-in is under no circumstances the same thing as an opt-out. The EU has said that you must “get their clear consent to process the data.” That means that users have to explicitly say YES, not only have the option to say no.
Here’s an example: you have an online shop, and maybe you use WooCommerce. When users get to your checkout page, you have a checkbox that reads “[x] Yes, I want to sign up for your amazing email list!”
No problem, right? If you have the box checked by default, you are at fault. That gives them the chance to opt out, and that’s not what the GDPR opt-in rule says. They must explicitly choose to share their information with you.
The same thing goes for comment sections that automatically subscribe people to a comment thread, or any kind of automated contact that is not directly user-initiated. (Pop-up chat boxes can be okay because that’s not reaching into their data, but could still be affected under the GDPR’s pseudonymisation clause.)
Your #1 goal is to take nothing by default. And honestly, take as little information as possible when you do get explicit permission.
Ask for the Bare Minimum of Information
A lot of websites, forms, plugins and shops ask for information they really don’t need. In general, a good rule of thumb is to ask for as little information as possible from your users. If you don’t need their names, don’t take them. Or maybe only their first name? Sometimes, all it takes is their email to get your job done.
That is not to say that you can’t ask for the other information. The GDPR simply says you have to tell people why you need it. If you’re asking for their first and last name, tell them why. If you ask for their birthday, make it clear, for example, that you send out vouchers as birthday gifts. Under the GDPR, there is no more asking for info “just in case” or “for future, undetermined projects.”
Many forms and plugins let you include a note next to the primary label, so if you have a field for phone numbers, you can have a note that says “We ask for your phone number so our customer service representatives can complete the set up process for your custom orders.”
Additionally, when you’re asking for information, the EU says you have to disclose “who you are […], how long it will be stored, and who receives it.” How and when you have to disclose this information can differ. Most importantly you have to tell people who YOU are at the same time you make the request for their data. This can be a sentence or a brief paragraph.
For example:
“This website’s data is handled by R.J. Keene, the CEO of Awesomestuff International and its subsidiaries.”
“Data submitted by this form will be used by Awesomestuff International and no one else.”
Both will work.
That means, your contact form, sign-up form, checkout pages or wherever users may be giving you their info needs to clearly identify who you are and how you intend to use the collected data.
Your Terms & Conditions and Privacy Policy
Other details on how you comply with GDPR, such as why you store data, how you store data, and whose data you store, should be included in both your “Terms of Service” and your “Privacy Policy”. Both of these should be easily accessible, as they form an important part of the GDPR opt-in.
The actionable step here is two-fold. First, make sure your Terms of Service and Privacy Policy are GDPR compliant. Second, create explicit required fields on every form indicating acceptance of both documents before processing anything. Checkboxes are fine, and text fields where users can type “I agree” are even better (but tricky for multilingual sites).
We would suggest adding a paragraph to your Terms of Service about accepting the Privacy Policy as a term and linking to it directly from the Terms of Service. Then, in the Privacy Policy, add a paragraph discussing its role in the Terms of Service, as well as exactly how your site manages data in compliance with the GDPR.
Specifically, you will need to provide detailed instructions in your Privacy Policy explaining each of the following:
- How to access and download a complete record of any data you have on them
- The process through which users can fully delete their data from your records (and not simply unsubscribe, etc.) as a part of the ‘right to be forgotten’ laws previously passed in the EU
- Exactly how you will inform users of data breaches if they ever happen
- Detailed explanations of who you are, what you use the data for, who has access to it, and how long you retain it
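As an added illustration (not code from the original article, nor from WordPress or WooCommerce), here is a small Python form handler that ties the opt-in rule above and the four Privacy Policy duties together: it treats only an explicitly ticked box as consent, keeps only the fields the form is declared to need, stores the controller notice with every consent record as evidence of what the user agreed to, and supports the access/download and complete-deletion requests. The controller name, purpose text, field names and sample submissions are constructed assumptions; the consent checkboxes are assumed to carry value="yes" in the HTML.

```python
"""Added example: explicit opt-in, data minimisation, export and erasure.
All names, notices and form submissions below are constructed for illustration."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Constructed notice (hypothetical controller) shown beside the form and
# stored with every consent record as evidence of what the user agreed to.
CONTROLLER_NOTICE = {
    "controller": "Awesomestuff International (hypothetical)",
    "purpose": "Sending our monthly email newsletter",
    "retention": "Until you unsubscribe or delete your account",
    "recipients": "Awesomestuff International only",
}

# The only fields this form is declared to need; anything else is discarded.
DECLARED_FIELDS = ("email", "first_name")


@dataclass
class ConsentRecord:
    purpose: str
    notice: dict
    given_at: str  # ISO 8601 UTC timestamp


@dataclass
class Subject:
    email: str
    first_name: str | None = None
    consents: list[ConsentRecord] = field(default_factory=list)


class ConsentError(ValueError):
    """Raised when a submission lacks the explicit agreement the form requires."""


def explicitly_checked(form: dict, name: str) -> bool:
    """True only when the user actively ticked the box: the field must be
    present with the literal value 'yes' (the checkbox's value attribute).
    A missing field is never consent, so an unchecked box yields no record,
    and the box is never rendered pre-checked in the first place."""
    return form.get(name) == "yes"


class SubjectStore:
    """In-memory stand-in for the site's database."""

    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}

    def handle_form(self, form: dict, now: datetime | None = None) -> Subject:
        # Acceptance of both documents is a required field on every form.
        if not (explicitly_checked(form, "accept_terms")
                and explicitly_checked(form, "accept_privacy")):
            raise ConsentError("Terms of Service and Privacy Policy must be accepted")
        # Keep only the declared fields: extra data sent 'just in case' is dropped.
        kept = {k: form[k] for k in DECLARED_FIELDS if form.get(k)}
        if "email" not in kept:
            raise ConsentError("email is the one field this form needs")
        subject = self._subjects.setdefault(kept["email"], Subject(**kept))
        # The newsletter box is optional and is recorded only on an explicit 'yes',
        # together with the exact notice the user saw and when they agreed.
        if explicitly_checked(form, "newsletter_opt_in"):
            ts = (now or datetime.now(timezone.utc)).isoformat()
            subject.consents.append(
                ConsentRecord(CONTROLLER_NOTICE["purpose"], dict(CONTROLLER_NOTICE), ts))
        return subject

    def has_newsletter_consent(self, email: str) -> bool:
        s = self._subjects.get(email)
        return bool(s and s.consents)

    def export(self, email: str) -> str | None:
        """Right of access: everything held about the subject, as downloadable JSON."""
        s = self._subjects.get(email)
        return json.dumps(asdict(s), indent=2) if s else None

    def erase(self, email: str) -> bool:
        """Right to be forgotten: remove the record entirely, consents included."""
        return self._subjects.pop(email, None) is not None


if __name__ == "__main__":
    store = SubjectStore()
    # Constructed submission: the shop form also sent a phone number it never declared.
    store.handle_form({"email": "jane@example.com", "first_name": "Jane",
                       "phone": "555-0100", "accept_terms": "yes",
                       "accept_privacy": "yes", "newsletter_opt_in": "yes"})
    print(store.export("jane@example.com"))
    print("erased:", store.erase("jane@example.com"))
```

The stored consent record is what lets you answer "who you are, what you use the data for, and how long you keep it" for a specific user later, and export followed by erase is the pair of operations the Privacy Policy instructions above have to describe.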
It is now more important than ever to have a Privacy Policy in place. It was pretty important before because Google wanted you to have one. And that importance has just skyrocketed.
How to write a Privacy Policy
We have put together some resources and guides on our website that you can access here.
Sounds Like a Lot, Right?
Luckily, you’re not on your own. There are teams of open source developers hard at work building plugins and updating existing ones to help with GDPR opt-in and compliance. There are still many details you will have to work out for your own business, but we are also here to help with any site specific changes you may need.
Basically, to make your site GDPR compliant you need to make sure you are transparent with people. Let them know what you’re doing, don’t ask for extraneous information, and let them opt in to giving it to you, rather than you taking it by default.
Further Reading . . .
We have written the following articles on how to comply with GDPR. If you have any questions please get in touch.
How to write a GDPR compliant privacy policy
Getting your privacy policy in place is one of the key steps to becoming GDPR compliant. It's also a great opportunity for you to build a relationship of trust with your customers, and present yourself as an open and honest organisation. It can seem like a daunting...