GDPR is here! Is your WordPress website ready?

The General Data Protection Regulation (GDPR) requires the privacy and protection of personal data belonging to European Union citizens who interact with your website. Failure to comply with the new regulation could result in severe fines for your business. If your website is not ready yet, you’re not alone.

Despite all the press, many people still aren’t sure whether they need to be compliant with GDPR. If your website collects personal data of any kind from members of the EU, then yes, your website needs to be GDPR compliant. Collecting personal data on a website comes in many forms, pun intended:

  • Contact Forms
  • Blog Comments
  • Live Chat
  • Forums
  • Transactions
  • Newsletter Signups
  • Use of cookies or tracking systems (such as Google Analytics)

Aside from the obvious items above, there can be some hidden tracking going on that you’re not aware of. WordPress itself doesn’t track users, but some plugins (software extensions for WordPress) do collect data on user activity and send it back to the software companies that make the plugins. Under GDPR this is not allowed, and your website developers should be attempting to eradicate any plugins from your site that are surreptitiously collecting user data.

So what do you need to do to make your website compliant?

Making your website GDPR compliant boils down to your website users consenting to the storage and potential usage of their personal information by your business. There’s also an onus on you as the website owner to ensure that you’ve done all you reasonably can to make sure that the data you do collect is stored safely. That means you need to be careful how you store customer data. If you don’t need it, don’t store it. If you do need it, store it in a safe place. Apart from storing it safely, you must process the data in accordance with the permissions you were given. That means that if I purchase a widget from your website, you can store my customer and order data, but unless I agreed to receive marketing information, you can’t put me on your marketing mailing list. Additionally, users must have the option to download and delete their personal data from your website should they desire.

It’s easier to think about compliance in these terms — your website should be opt-in, not opt-out. So, your website should not be collecting any data from a user without their knowledge or consent. Additionally, no opt-in option should be selected by default.

Thankfully, if you use WordPress to power your website, there are a number of tools to help you with GDPR compliance.  WordPress released a new version of the WordPress core (version 4.9.6) which gives you some useful tools to help you achieve compliance and we recommend that you update to this version as soon as possible. We also recommend the WP GDPR Compliance plugin to help you find and resolve any issues. The plugin provides guidance in preparing your website for the enforcement of the GDPR.

9 Simple Steps to getting your site compliant:

  1. Update to the latest version of WordPress
  2. Make sure your website has a privacy and cookies policy that covers you.
  3. Add a cookies popup box to your site that alerts customers to the fact that you’re using cookies and links to the privacy & cookies policy on your site.
  4. If you run a mailing list make sure it’s double opt-in. We recommend MailChimp, and if you’re using MailChimp there are GDPR settings in the system for your lists that you should enable and configure.
  5. If you have contact forms add a required field to the form (e.g. a checkbox) that tells the user that by submitting the form they are consenting to allow you to store their data.
  6. Avoid storing customer data in your website database if possible. If you have a lot of contact form or other collected personal data stored on your server and you get hacked, then you’re putting your customers’ privacy at risk.
  7. Get your site set up to use SSL encryption (HTTPS). It’s not strictly required, but it’s best practice, and if you’re collecting data from customers you owe it to them to keep it safe.
  8. If you use 3rd party services like PayPal or Stripe you should add a link to their privacy policies from your privacy policy.
  9. If you’re not sure about something, ask your web guys. They should be able to point you in the right direction. If they can’t, then contact us and we’d be happy to help you.
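To show what steps 5 and 6 and the "opt-in, not opt-out" rule look like in code, here is an added example of a WordPress contact-form handler; it is not code from the article or from the WP GDPR Compliance plugin. It assumes a form that posts to admin-post.php with hypothetical field names cf_name, cf_email, cf_message and two separate, unchecked-by-default checkboxes cf_consent_store and cf_consent_marketing, plus a nonce emitted by wp_nonce_field.

```php
<?php
// Added example (not from the article): enforce explicit, per-purpose opt-in
// before doing anything with a contact-form submission. Field names are assumed.
add_action( 'admin_post_nopriv_gdpr_contact', 'gdpr_contact_handler' );
add_action( 'admin_post_gdpr_contact', 'gdpr_contact_handler' );

function gdpr_contact_handler() {
    // Reject forged or replayed submissions (nonce emitted by wp_nonce_field in the form).
    check_admin_referer( 'gdpr_contact_action', 'gdpr_contact_nonce' );
    $back = wp_get_referer() ?: home_url( '/' );

    // Consent is opt-in: an absent or unchecked box means no consent, full stop.
    $consent_store     = isset( $_POST['cf_consent_store'] ) && '1' === $_POST['cf_consent_store'];
    $consent_marketing = isset( $_POST['cf_consent_marketing'] ) && '1' === $_POST['cf_consent_marketing'];

    if ( ! $consent_store ) {
        // No permission to store: persist nothing, forward nothing, send the user back.
        wp_safe_redirect( add_query_arg( 'cf_error', 'consent_required', $back ) );
        exit;
    }

    $email = sanitize_email( wp_unslash( $_POST['cf_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_safe_redirect( add_query_arg( 'cf_error', 'invalid_email', $back ) );
        exit;
    }
    $name    = sanitize_text_field( wp_unslash( $_POST['cf_name'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['cf_message'] ?? '' ) );

    // Step 6: keep the data out of the site database. Forward the enquiry by e-mail
    // instead, together with a record of exactly what the user agreed to and when.
    $record = sprintf(
        "From: %s <%s>\nConsent to store/process: yes (%s UTC)\nMarketing opt-in: %s\n\n%s",
        $name, $email, gmdate( 'Y-m-d H:i:s' ), $consent_marketing ? 'yes' : 'no', $message
    );
    wp_mail( get_option( 'admin_email' ), 'Website enquiry', $record );

    // Only a separate, explicit marketing opt-in may add the address to a mailing list.
    // A newsletter integration can hook this action; without the opt-in nothing fires.
    if ( $consent_marketing ) {
        do_action( 'gdpr_contact_marketing_optin', $email, $name );
    }

    wp_safe_redirect( add_query_arg( 'cf_sent', '1', $back ) );
    exit;
}
```

The storage and marketing checkboxes are checked server-side independently, so a submission can never be added to a mailing list on the strength of the storage consent alone, and pre-checking either box in the template would defeat the point of the handler.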

Useful Links

Here are some useful links to resources on the web to get you started: