A few days ago I received an email from a client asking if a message…
Please note: I’m not a lawyer so take this article with a grain of salt. I’ve done my best to relay accurate and timely information but I would still highly recommend thoroughly researching the GDPR’s rules and regulations to ensure that your company’s data handling practices are compliant with the GDPR.
But what’s all the fuss about and should you really care? The short answer is yes, you should at least be familiar with the new law and what it entails.
The General Data Protection Regulation (GDPR) is a European Union (EU) law that takes effect on May 25, 2018. The GDPR is intended to give EU citizens more control over their personal data and there will be hefty fines for those organizations that do not comply with the law.
Just How Big is Hefty?
After May 25th, 2018 any business or organization that is not in compliance with the GDPR’s requirements can face fines up to 4% of their annual global revenue or €20 million (approximately $30 million CAD), whichever is greater. But there is no need for widespread panic – the law doesn’t technically apply to every website on the web, and the EU isn’t some evil organization that will be handing out fines willy-nilly.
First and foremost, the law only applies to websites that store the personal information of EU citizens. If your website only sells to Canadians, you have no EU citizens as customers or visitors and you don’t communicate with anyone in the EU, you really don’t have to worry. In this case, the GDPR simply doesn’t apply to you.
Secondly, the steep fines are really meant to encourage large companies like Facebook and Google to take the new privacy regulations seriously. You won’t be receiving a $30 million CAD fine in the mail just because you missed something on your website.
First you will receive a written warning, then a formal reprimand, then your data processing privileges will be suspended (your website could be blocked in EU countries), and after all those steps you may receive a fine.
And most importantly, someone has to lodge a complaint against your website before any of these steps even take place.
If you’re not interested in learning the intricacies of the GDPR, or how to ensure your website is compliant, we’d be happy to help you out. Just stop reading right here and contact us. We’ll take care of all the details and make sure your website is GDPR compliant. You can even say “Make It So”, we’d be completely thrilled. If you’re looking for tea though, you’re out of luck, we’re coffee drinkers around here.
What is the GDPR?
The following are some of the major benefits EU citizens (and people around the world) will receive once the GDPR goes into effect:
- Individuals can resubmit, edit and delete their personal information that has been stored.
- Anyone can ask for permanent deletion of their personal information.
- The GDPR gives individuals more legal rights, such as the right to restrict the processing of their personal information where they can show lawful grounds, for example that the data was collected against their will.
- Individuals may ask for a copy of their personal information at any time.
- Websites cannot collect personal information without explicit user consent; this includes services like Google Analytics or Facebook Pixel.
- If you request to be unsubscribed from marketing or other emails, a company or organization is legally obligated to comply; they also cannot send you future emails without your express consent.
What Sort of Data Is Included?
Any sort of personally identifiable information, including name, email address, physical location, IP address, health information, income, marital status, etc. would be covered by this new regulation.
Below are the most important things to keep in mind when collecting personal information on your website:
Consent Must Be Explicit – if you are collecting personal information from an EU citizen you must first obtain explicit consent. For example, you can’t just send marketing emails to people who gave you their business card or filled out a contact form on your website – in both cases they did not opt in to receive your marketing email, and that would be considered spam (and a really bad business practice, regardless of this law).
To make your contact form GDPR compliant you would need to add a check box that clearly states the user is consenting to receiving your marketing messages. And no, the check box can’t be pre-checked.
Data Breach Notification – companies and organizations must report data breaches to the relevant authorities within 72 hours, unless the data breach is considered harmless and no personally identifiable data was revealed. If the data breach is found to have revealed a large amount of personal information, affected individuals must be notified immediately. This regulation should prevent cover-ups like Yahoo’s massive email data breach that was not revealed until years later.
Data Protection Officers – if your company or organization is public and stores or processes a significant amount of personal information, you will need to appoint a Data Protection Officer. This is not required for small businesses.
All in all this sounds pretty good in theory. But what do you need to do to ensure your website is GDPR compliant? The answer to this question really depends on your specific website, how it’s built and what you’re doing with it.
So What Should I Do?
You have three choices when dealing with the GDPR:
- Your company or organization can make an attempt to meet as many of the new regulations as possible. Most of them are relatively simple to comply with and it shouldn’t take much effort.
- Your company or organization can completely ignore the GDPR and hope for the best (the worst that could happen is you receive a warning letter asking you to comply after someone complains about your website).
- Your company or organization can block all EU citizens from viewing your website, thereby eliminating the need to comply with the GDPR at all. This is exactly what the websites of major American newspapers did on May 25 – the day the law came into effect. You can read more about that situation here…
Is WordPress GDPR Compliant?
As of WordPress 4.9.6, the WordPress core is officially GDPR compliant. Several GDPR related enhancements have been added to ensure that the WordPress core is GDPR compliant.
Of course, this doesn’t mean that if you update your WordPress core to the latest version your website will automatically be GDPR compliant; there’s a lot more to it than that. But an update will definitely assist you in getting closer to where you need to be.
By default WordPress 4.9.6 now comes with the following GDPR enhancements:
- Comments Consent – WordPress used to store a commenter’s name, email and website URL as a cookie in the user’s web browser. This made it easier for users to leave comments because those fields would be pre-populated when the user returned. Because of the GDPR’s consent requirement, WordPress has added a consent checkbox under the standard “Leave a Reply” section. It’s still possible for a user to leave a comment without checking this consent box; they will just need to manually enter their information each time they leave a comment. This feature wouldn’t necessarily apply if you are using a plugin like Disqus Commenting System or require users to be logged in to leave a comment, but it’s still a good idea to ask permission.
- Data Export and Erase Feature – The WordPress core now offers the ability to easily comply with the GDPR’s data handling requirements, allowing you to honour a user’s request for exporting their personal data, or completely removing it from your website. The new data handling features can be found under Tools > Export Personal Data or Tools > Erase Personal Data within the WordPress admin dashboard.
These three new features available in WordPress 4.9.6 are probably enough to make a basic WordPress website GDPR compliant. However, if you’ve added any third party plugins or customizations to your website it’s likely you’ll need to take a few more steps to ensure your website is in full compliance.
Ensuring Your Website is Compliant
Depending on which WordPress plugins you are running on your website you may need to make other tweaks or modifications to ensure your website is GDPR compliant. Luckily many of the top WordPress plugins have already implemented GDPR related updates to help you get started.
You’re probably using a forms plugin on your WordPress website (like Gravity Forms or Contact Form 7) – almost every single website does. If so you will need to add an extra field to any form that explicitly asks for permission to store and process a user’s personal information.
Below are a few things you should think about to make your WordPress forms GDPR compliant:
- Ask for explicit consent to store a user’s information.
- Ask for explicit consent if you plan to use their personal information for marketing purposes, like adding the user to a mailing list.
- If you are using a software-as-a-service product for your WordPress forms, like Google Forms, ensure it is also GDPR compliant.
Gravity Forms, one of our favourite WordPress plugins of all time, has a fantastically in-depth article on how to ensure your forms are GDPR compliant, please click here to read more. A lot of what is mentioned in the article is overkill for most people though; if you are asking for permission to collect the information you request, you should have no trouble.
The majority of websites use Google Analytics to track website statistics. This means that you may be tracking a user’s IP address, cookies they have stored and other data that can be used to profile their behaviour. Obviously this isn’t compatible with the GDPR regulations, but there are two easy options you have to ensure compliance.
- Anonymize a user’s data before you ever process or store it.
- Add a feature to your website indicating that you are using tracking software and that the user must give their permission prior to tracking. This can be done with a pop-up window, overlay or banner ad.
There is no easy way to anonymize user data if you just copy and paste Google’s tracking code into your website – this just isn’t how Google Analytics works. Luckily MonsterInsights has recently introduced an EU compliance addon that makes the anonymization of user data massively simpler. MonsterInsights has also published a fantastic blog post called GDPR and Google Analytics that is a must read if you’re using Google Analytics on your website.
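The first option (anonymize before you store or process) applies just as well to your own web server logs, where the client IP address is personal information under the GDPR. The following is an added example, not code from the original post or from MonsterInsights; it applies the same truncation that the Google Analytics anonymizeIp setting performs (last octet of an IPv4 address and last 80 bits of an IPv6 address set to zero) to constructed sample log lines before they would be written to storage:

```python
import ipaddress
import re

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [25/May/2018:10:12:01 +0000] "GET /contact HTTP/1.1" 200 5120
2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:12:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.7 - - [25/May/2018:10:13:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
"""


def anonymize_ip(ip_text):
    """Truncate an address the way Google Analytics' anonymizeIp does:
    keep the first 24 bits of IPv4 (last octet zeroed) and the first
    48 bits of IPv6 (last 80 bits zeroed)."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


# The client address is the first whitespace-delimited field of the line.
LEADING_FIELD = re.compile(r"^(\S+)(\s.*)$")


def anonymize_log_line(line):
    """Replace the client address at the start of a log line.
    Lines that do not start with a valid IP address are returned unchanged,
    so a malformed line never causes the whole log to be dropped."""
    match = LEADING_FIELD.match(line)
    if not match:
        return line
    try:
        return anonymize_ip(match.group(1)) + match.group(2)
    except ValueError:
        return line


def anonymize_log(text):
    """Anonymize every line of a log file's contents; call this before writing to disk."""
    return [anonymize_log_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```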
Email Marketing Opt-in Forms
Email marketing subscription forms are pretty much identical to any other contact form and the path to GDPR compliance is very similar. You can either:
- Add a simple checkbox that a user has to click before subscribing, giving you permission to email them.
- Enable double opt-in for your email subscription forms. I personally don’t like this option because it creates a barrier to people subscribing to your mailing list. You will probably see a huge increase in unconfirmed subscribers because they either didn’t receive the opt-in confirmation email, or didn’t bother clicking on the link to activate their subscription.
If you’re running an online store using WooCommerce there are a few steps you need to take to ensure your website is in full compliance with the GDPR. The steps are too detailed for this article, but the WooCommerce team has put together a comprehensive guide for WooCommerce store owners to help them ensure they are GDPR compliant.
It’s Already Here!
The GDPR has been in effect less than 24 hours and there have already been complaints filed against Google, Facebook, Instagram and WhatsApp. It remains to be seen what comes of these complaints, but you can be sure that this new law has the potential to completely change the way the internet works.