Becoming GDPR compliant with a wordpress site

by | May 24, 2018 | GDPR

*These are entirely my views, and I’m not a lawyer or GDPR expert.  Please do your own research or consult a lawyer if you’re unsure about anything. 

Why

Well let’s face it the world can be a bit of a nasty place.  Personal data is really valuable, and in the wrong hands it can be used to powerful effect (Facebook/ Cambridge Analitica???) People are always trying to hack your site, yes your tiny wordpress site.  And are you storing people’s personal data (you may be surprised at how much).

So while it’s a right royal pain, I’m not that sad about GDPR.  And even if you don’t operate in the EU, I expect something similar will be heading your way, or maybe you’re marking yourself out as someone to do business with as you’ve taken the time to care about the information you hold on people.

The good news is while GDPR has the potential to escalate to those high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.

Does it apply?

But I’m not in the EU – do I have to do this?  Most likely.  Unless you are using IP blocking to block EU countries from your website.  If anyone comments on your blog from the EU then you become obligated.  Here’s a list of other potential ways you will end up storing data:

  • Do you use google analytics? YES – You’ll be using cookies
  • Do you have a contact form? YES – You store customer data contact form submissions in your email program. who provides your email program?
  • Do you have a newsletter sign up? YES – you’ll be collecting data (email at a minimum) – it will most likely be stored with your newsletter provider service, eg mailchimp, convertkit)
  • Do you sell products and services on your site?  YES – you will be storing name, email, address information, and a users order history
  • Do you let people comment on your blog posts, use a Comments plugin or Facebook comments? YES – your using peoples names, email and sometimes their image
  • Do you use any other tracking plugins for advertising?  Like Facebook pixel, or Google Adsense. YES – these will store cookies on a users device
  • Do you use Security plugins? YES – they do add cookies on a users whereabouts and usually have settings where you can turn these off
  • Do you have some kind of membership functionality?  YES – then you store usernames, passwords and often other information.
  • Do you use a service like SUMO Me to collect leads? YES – most likely uses cookies.
  • There’s likely more I can add to this list, but that’s a minimum for now.

What do I actually have to do – GDPR website checklist

The following checklist contains links where I expand upon these sections more.

  1. Find out what Data you store by reviewing plugins you’ve added – you may want to write some notes for your privacy/cookie policy
  2. Update any plugins and wordpress to the latest versions – wordpress developers are working like crazy to make their offerings compliant so you’ll be seeing loads of updates.  Keep on top of them.
  3. Security and Malware: Part of GDPR is keeping your users data safe too. You should have a security plugin installed already, but if not now’s a good time to get one.  I like Wordfence.  You should also have a Malware plugin installed that you run regularly.  I like Sucuri Malware plugin.  You’ll write about these in your Privacy Policy.
  4. WordPress Settings: Because you’ve already got the latest version of WordPress (ahem!) Go to Settings>>Privacy to point to your privacy policy page (you may need to create a new page first)….not sure how it’s used but set it anyway (ooohhh just found it being used in WooCommerce for one.)
  5. Content: Create a Privacy Policy page. If you’ve updated to the latest wordpress version they have some helpful text for a starter point for this. I can’t actually find it in the menu, but if you paste /wp-admin/tools.php?wp-privacy-policy-guide=1 after your URL you should get it. Actually if you’ve set your privacy policy page in WordPress>>Settings>>Privacy, when you edit that page there is a link to the guide there. You’ll add to this several times as you go through your site and get a better understanding of what data you are processing.
  6. Cookies: Check what cookies your site stores
  7. Content: Create a Cookie Policy
  8. Plugins: Install and customise Cookie Compliance Plugin – see my cookie section below.
  9. Cookies: Have you added any scripts from other websites to your headers (maybe in your theme customiser or do you have plugins for scripts like Google analytics, Facebook pixel, Sumo Me?)  They set cookies and need moving to your Cookie Compliance plugin so people can turn them off.  NB: You do need to delete these from their current home, and add them to the cookie compliance plugin. You can’t just add them to cookie compliance plugin as if they remain in the header they’ll still be set regardless of what your user selects. You can explain why they might not want to turn off cookies in the Cookie Compliance plugin settings section or in your Cookie policy but ultimately it’s their choice).
  10. Content: Create links in your Footer to Privacy Policy and Cookie Policy.
  11. Content: If you sell things you probably want to put in a Terms and Conditions policy (https://termsfeed.com/terms-use/generator/).
  12. Mailing lists: If you have a newsletter provider – Mailchimp or Convertkit or similar – sign their Data Agreement policy (even if you’re not doing GDPR, you should still do this!)
  13. Mailing lists: Go through your mailing list providers GDPR info and follow their directions to clean your list.
  14. Content: Write about your newsletter/mailing list in your Privacy Policy.
  15. Contact form: Add Privacy Policy link and checkbox to your Contact Form
  16. Data Deletion/Requests: Consider how you will deal with personal data deletion requests and requests made by people to see the data you hold on them.  The latest version of wordpress has options to comply with data requests and deletion using a persons email address, on the Dashboard under the Tools section.   THIS IS A MANUAL PROCESS.  There are however plugins you can add to your site that add a button to your site and let people do this themselves. I have not tried any yet.  Write about your chosen process in your Privacy Policy.
  17. Comments: If you let users comment on your blog posts – The latest version of wordpress adds a checkbox to the comment form which will store a cookie so they don’t have to fill this in every time they comment.  Write about this in your Cookie Policy under Additional Cookies.
  18. E-Commerce: If you sell stuff – think about the data you’ve collected during the order process.  Read my comments below about WooCommerce. Write about this in your Privacy Policy.
  19. Membership site: If you have a membership site – think about the data you’ve collected.  Read my comments below about Membership sites.  Write about this in your Privacy Policy.

And you’re done!  Until I think of something else!!!

For Photographers – offline GDPR

So a few other questions you might want to think about consider…this is less likely to effect you if you’re not in the EU, but not a bad idea to think about anyway.

  • How long do you store your clients photos after a shoot? Do you have this written anywhere?
  • How do you store written contracts of your clients safely?
  • How long do you keep written contracts with your clients personal data?
  • How do you keep order information? Do you delete this periodically?

You may want to draw up a little policy on all this offline stuff too, as GDPR doesn’t just relate to what’s online.

The Nitty-Gritty

Data you store

  • Look through your plugins – update those you use, delete or turn off any you are not currently using.
  • What data do you store on people?
  • Where is it stored? – in your wordpress database? Don’t forget contact form submissions may be stored in your email program, who provides your email program?
  • Do you need to store it still?
  • Delete anything you don’t still need.

Privacy Policy

  1. Create one
    A privacy policy generator is a good place to start, but you will need to customise it depending on what data you store.  You should add information of where data is stored (what email service provider you use, you might link to their privacy and or security policy).
    Add in information on:

    • Your contact form submission process (what info is collected, where is it stored (link to security policy of email provider), who can access the email account (just you or staff, or your web developer), when are emails deleted, how would a person get their emails deleted if they wanted too?)
    • Any store related information eg  how long you keep order data
    • Any newsletter related info – eg who you use for this and you can link to their security policy too.
    • Your security measures
    • How can a person request their data?
    • How can a person request deletion of their data?
    • Put in a link to your Cookie policy
    • If you have membership site then add about this here too.
  2.  Link it in your menu somewhere (I’d suggest footer for now)
  3.  Add information about how long you store information, when you delete information and how can someone get in touch to have their data deleted.
  4.  Assuming you’ve updated to the latest version of wordpress go to Settings>>Privacy to point to your privacy policy page.
  5. You may want to keep your Privacy Page open on the edit screen as you go through you’ll probably end up adding to it.

Cookies and Cookie Policies

  1. Check what cookies your site stores
    http://www.cookie-checker.com/ You might want to google some of them if you don’t recognise their names and turn off plugins that are adding cookies if you don’t use them.
  2. Create a cookie policy – be sure to tailor to your actual site.  I’ve added in names of cookies people might see, and the purpose of them
    https://cookiepolicygenerator.com/
  3. Install Cookie compliance plugin (Why this one? I have seen the owners of this company talk and they are well regarded in the WordPress Community)
    https://wordpress.org/plugins/gdpr-cookie-compliance/
  4. Customise Cookie compliance plugin
    For the one I’ve linked too:

    • Add your logo
    • Choose your site colors.
    • Click on Cookie Policy tab, turn it on and add the link to your cookie policy
    • Click on Third Party cookies – add in any scripts you have from your header file, so Google analytics, sumome, facebook pixel.  Then turn this on.  NB: it won’t turn on if you don’t add any code into the boxes.
    • Click on Strictly necessary cookies – add any explanation here, like if you have membership content and people turn this off they won’t be able to access it. as their login details won’t be remembered across the site.
    • Click on Additional Cookies – add any you’ve found that meet this criteria but don’t fall under third party or strictly necessary. For example if you allow comments on your site WordPress have added a checkbox to the comment form that will store a cookie if checked.

Google analytics

Yep we want to know what pages everyone looks at and where they go next, but technically we don’t have a right to collect that without permission.

  1. Find your Google Analytics code: You will have your google analytics code somewhere on your site, it might be in a plugin, or in a header snippet or in your theme customiser.
  2. Remove it from the plugin/header etc
  3. Add it into Third Party Cookies head section in the Cookie Compliance plugin
  4. Make sure you’ve added that you use it to your Cookies Policy

Contact Forms

    1. Add to your Privacy Policy a section on Content form submissions including the following
      • what info is collected
      • where is it stored (link to security policy of email provider),
      • who can access the email account (just you or staff, or your web developer),
      • where is data processed (is it just you in your own country or do you have a VA in another country working on it)
      • when are emails deleted,
      • how would a person get their emails deleted if they wanted too?
    2. Add an unchecked checkbox to your contact form that asks people to confirm they’ve read your privacy policy (link it).  The submit button should be disabled until this button is checked.  Of course people won’t read your privacy policy but you can at least say you tried. Contact Form 7 have the following code you add in at the bottom of your form. Make the privacy policy a link.
      [acceptance your-consent] I consent to my submitted data being collected and stored. View our Privacy Policy. [/acceptance]

      NB: This checkbox has to be ticked before the form can be sent, but weirdly it’s not included in the contact form validator by default.  So when you set up your Contact form, click on Additional settings on the form and add in this bit of code.  Then if your user tries to send without clicking it, they’ll be prompted to do so.

      acceptance_as_validation: on

      Other contact plugin providers have probably added something similar.

Here’s what I’ve added to a privacy policy for one of my clients .  Feel free to copy for your Privacy Policy, but make sure you change the bits in CAPS

When you contact us using our contact form we collect your name, email address and message information.  If you are booking classes we will also collect your booking preferences.  These are stored in our email system (please see NAME OF YOUR EMAIL PROVIDER HERE Security policy PUT A LINK HERE TOO).  This information is accessible and processed by WHOEVER in COUNTRY.  It is deleted periodically.  If you would like your data deleted after it’s processed please state this in the message body.

Mailing lists

There is a whole mine field here about what you can offer/ can’t offer etc in exchange for email addresses and I’m not going to go into that here.  Here’s what you need to do in the first instance to get your mailing lists up to scratch.  I expect there’ll be a lot of clever people scrambling to explain how to do your optins coming soon!

Don’t forget to write about the fact you collect email addresses for mailing lists in your Privacy policy.

ConvertKit and GDPR:

  1. Follow this: https://convertkit.com/gdpr/
  2. Data Agreement Policy

Mailchimp and GDPR:

  1. Segment mailchimp list based on EU subscribers https://kb.mailchimp.com/lists/manage-contacts/about-geolocation
  2. Send email campaign to EU subscribers https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms Use links of the left and go to COLLECT CONSENT for instructions
  3. Send follow up if necessary
  4. Remove non subscribers from your list prior to 25th May
  5. Sign Mailchimps Data processing agreement https://mailchimp.com/legal/forms/data-processing-agreement/ Info about that here: FAQ -legal requirement

Woocommerce

Questions to ask yourself

  • How long do I keep order information for?  So it’s lovely to see all your orders, and who has purchased from you in the past.  But you don’t have an automatic right to hold this information indefinitely.  Once the order is fulfilled and any return/refund dates have passed you should delete personal data held on the order.
  • Can someone update or delete their information I hold? They have a right to do this.
  • Where is data held?  In most cases this will be in your website database (security controlled by a) your own security plugins, and b) security of your host)
  • Do I automatically add people who purchase goods to my mailing list?  You can add plugin that do this – but you now need to make sure there is an UNCHECKED tick box for people to agree to being added to the mailing list before the submit order button.
  • There is now an ACCOUNTS AND PRIVACY tab in the Woocommerce settings.  Take a look and make sure it says what you want it too.  It uses the Privacy Policy page you have set in your WordPress Settings.
  • There is a great Personal Data retention section covering the questions I’ve asked above, and you can set how long to retain any data.  So make your choices and write down what they are in your privacy policy.

Add the answers to your Privacy Policy.

Membership site

Questions to ask yourself

  • Am I collecting any unnecessary data on an individual?
  • If a member leaves how and when do I delete their personal data?

Add the answers to your Privacy Policy.