Category Archive: GDPR

In less than two weeks (May 25, 2018), the most significant change in data privacy in 20 years and protection regulation goes into full effect. The EU’s General Data Protection Regulation (GDPR) is aimed at protecting the personal and sensitive information of all EU residents, regardless of where an organization is based. Under GDPR, individuals are allowed greater control over their personal information that is shared with organizations.

GDPR is built around the idea that organizations make good data governance a high priority. While your organization may not be required to comply with the new regulations, ensuring your site and processes embrace the spirit of data protection and privacy will gain and keep the trust of your users. Once your organization has completed a comprehensive data governance review (If you haven’t, check out our blog post on how to do this!), take these five steps to ensure your website matches your organization’s stance on data privacy by design.

1. Make sure your site is secure.

An SSL certificate is a small bit of code on your web server that creates an encrypted connection between a user’s web browser and your website. Having SSL on your website is like sealing your message in an envelope that your recipient will open and read. Having an SSL certificate signals to your users that your organization values the security of any personal information that they share with you.
There are many other benefits to having an SSL certificate installed on your site. In cases where you are collecting payment information, SSL is required to be on your site to meet the security standards set by the Payment Card Industry (PCI). In addition, major browsers like Google Chrome and Mozilla Firefox have started to include a warning for all insecure sites.

2. Review your newsletter, registration, and other email subscription forms.

When it comes to GDPR, one of the major areas of change facing website administrators and digital marketers is how to collect and store email subscription consent. To maintain compliance, organizations must collect affirmative consent that is, “freely given, specific, informed, and unambiguous.”
At a minimum, your email subscription forms must:

• Be separate from other terms and conditions: Signing up to receive marketing communications must not be a requirement for registering for a service.
• Contain a clear affirmative action: For consent to be valid under GDPR, users must actively confirm their consent, such as by checking an empty opt-in checkbox. Pre-checked boxes or inactivity does not constitute consent under GDPR.
• Describe who will be using the information and how: Each form must state the name of your organization and any other third-party services that process the information in the submitted form. You will also need to state why and how the user’s information will be processed.

3. Review installed and active plugins, as well as any information that you collect and store on the website.

Note: While the information in this step is specific to WordPress, this can be applied to any site using any content management system. For non-WordPress sites, be sure you review all modules and custom-built functionalities that may collect and process personal data.

The WordPress community is already hard at work at adding WordPress core tools for GDPR compliance and other privacy laws and requirements. As the website owner, you are ultimately responsible for ensuring your installed plugins, as well as the usage of them, are GDPR compliant.

We recommend you review every plugin that you have installed and activated on your WordPress site for the following:

• What individual data is being collected by this plugin? Of the data collected, is any of it personal or sensitive?
• What services process the data that is collected?
• Contact Form or Comments plugins: Can you add a required checkbox that allows the user to consent the storing and processing of their data?
• Analytics, retargeting, and tracking plugins: Do you have the option to anonymize the IP address of your users? Can you modify data retention settings?

In addition, make sure that you have an internal process to perform the following:
Manage requests to view and delete user information
Provide a user with a downloadable file of their personal data

There are many WordPress plugins available for download that can help you with the task of auditing your installed plugins for GDPR compliance, implementing form consent checkboxes, and even allowing your users to request secure access to their data.

4. Update your website’s Privacy Policy statement.

Any organization that processes personal data is required by GDPR to provide clear, accessible information about how user personal data is being used. This is often done through a Privacy Policy statement on the organization’s website. Once you have finished reviewing and documenting your website’s plugin and data usage, you can start working with your legal team to update your website’s Privacy Policy statement.
The UK’s Information Commissioner’s Office (ICO) comprehensive guide to GDPR includes a privacy notice checklist and what to include in your privacy notice that your organization can use when updating your site’s Privacy Policy and terms of use.
At a minimum, your website’s Privacy Policy should include details on:

• How and why your organization collects and processes personal data;
• How your organization gains and records user consent; and
• What data is shared with other third parties

As a best practice, your Privacy Policy should also include information on:

• Consequences of not providing personal information – for example, declining to provide an email address will result in not being able to receive member e-newsletters;
• What your organization is doing to ensure the security of personal information;
• How users can manage and update their personal information;
• Information about data subject rights; and
• What you will not do with their data