Bringing Your WordPress Website or Other Type of Website into GDPR Compliance
If you do business with European citizens, you know you need to get your customer data management policies and procedures in line with the General Data Protection Regulation (GDPR) that went into effect last month.
European companies are updating their policies and procedures to keep themselves on the right side of the law and avoid hefty fines for non-compliance. American companies should move in that direction, too, as it is only a matter of time before some or all of the GDPR guidelines become adopted in the U.S.
These are the core steps to take to ensure that your database and website are GDPR-compliant:
- Update your privacy policy
- Ask for clear consent to use cookies from site visitors
- Ensure your site plugins comply with GDPR
- Limit the data you collect and store via form submissions
- Update your current mailing lists, and structure your database to retain the data European customers have the right to see
- Revise your database management system to comply with GDPR
Privacy Policy
Update your privacy policy to make clear how you collect, use and protect customer data. Explain cookie usage and your rules for when user data is shared. Include information about data collected by website plugins.
Try not to use too much legalese. Keep the language clear, especially where it describes the rights your customers have to access, control and delete their data.
Include items like:
- We do not sell data.
- We do not share data unless compelled by law.
- We only ask for personal information if it’s needed to provide a service.
Permission to Use Cookies
The GDPR treats cookies as personal data that identifies an individual (more precisely, the owner of the device being used). You must obtain clear, specific consent from site visitors before placing cookies on their machines and tracking them. Usually this is handled with a notice that appears when the visitor first arrives, and it must offer an option to approve cookie placement. Without that explicit approval, you cannot place your cookies in their browser. The site remains accessible without cookie placement, though site speed may suffer.
Ensure your plugins comply with GDPR
Many plugins gather and use user data. Review which plugins make use of your user data and what they do with it, because plugins must also comply with GDPR. For WordPress websites (which are the dominant format for KO Website clients) there are specially designed plugins that we can use to bring sites into better compliance with data collection.
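The consent requirement described in the cookies section, applied to a script that sets tracking cookies, written as a small WordPress snippet. This is an added example, not code from the original post or from any of the plugins it refers to; the cookie name `ko_cookie_consent`, the hook names, the function names and the analytics URL are assumptions. Nothing that sets a tracking cookie is loaded until the visitor has accepted, and the site works normally either way.

```php
<?php
/**
 * Added example (not from the original post or any plugin): a minimal
 * consent gate for a WordPress site. The analytics tag stands in for any
 * plugin or script that sets tracking cookies; it is enqueued only after
 * the visitor accepts. Cookie name, hook/handler names and the script URL
 * are assumptions. Requires PHP 7.3+ for the setcookie() options array.
 */

const KO_CONSENT_COOKIE = 'ko_cookie_consent'; // assumed name

/** True only when the visitor has explicitly accepted cookies. */
function ko_has_cookie_consent(): bool {
    return isset( $_COOKIE[ KO_CONSENT_COOKIE ] )
        && 'accepted' === $_COOKIE[ KO_CONSENT_COOKIE ];
}

/** Enqueue the tracking script only after consent; the page works without it. */
add_action( 'wp_enqueue_scripts', function () {
    if ( ! ko_has_cookie_consent() ) {
        return; // no decision yet, or declined: nothing that sets tracking cookies is loaded
    }
    // Placeholder URL for illustration; substitute the real tag.
    wp_enqueue_script( 'ko-analytics', 'https://analytics.example/tag.js', array(), null, true );
} );

/** Show the banner until the visitor has made a choice either way. */
add_action( 'wp_footer', function () {
    if ( isset( $_COOKIE[ KO_CONSENT_COOKIE ] ) ) {
        return; // already accepted or declined
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '" class="ko-consent-banner">'
        . wp_nonce_field( 'ko_consent', '_ko_nonce', true, false )
        . '<input type="hidden" name="action" value="ko_consent">'
        . '<p>We use cookies for analytics. Do you accept?</p>'
        . '<button name="choice" value="accepted">Accept</button> '
        . '<button name="choice" value="declined">Decline</button>'
        . '</form>';
} );

/**
 * Record the choice. The consent cookie itself only stores the decision and
 * carries no identifier, so it is set without prior consent. Logged-in and
 * anonymous visitors share the same handler.
 */
function ko_handle_consent(): void {
    check_admin_referer( 'ko_consent', '_ko_nonce' ); // rejects forged or replayed submissions
    $choice = ( isset( $_POST['choice'] ) && 'accepted' === $_POST['choice'] ) ? 'accepted' : 'declined';
    setcookie( KO_CONSENT_COOKIE, $choice, array(
        'expires'  => time() + 180 * DAY_IN_SECONDS, // re-ask after about six months (assumed policy)
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) ); // same-host redirects only
    exit;
}
add_action( 'admin_post_ko_consent', 'ko_handle_consent' );
add_action( 'admin_post_nopriv_ko_consent', 'ko_handle_consent' );
```

One caveat worth checking on a real site: full-page caching can serve a page that was rendered for a consenting visitor, analytics tag included, to a visitor who has not consented. The consent cookie should be added to the cache's vary rules, or the banner and the tag handled client-side, before relying on this gate.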
All plugins must be able to export, provide and delete the user data they collect.
Limit the data you collect and store via form submissions
Your website contact forms can collect lots of interesting personal data, and until now adding extra questions carried little risk. That changes with GDPR. Collect only the fields you actually need to process the request, and limit the data the form pushes into the customer database.
Clean up your mailing lists
For mailing lists, you should be employing industry-standard procedures such as double opt-in for your list. Double opt-in is not required by GDPR; however, it is a good way of ensuring that you can prove proper consent was obtained.
If you signed any of your current subscribers up without consent, those records are likely not GDPR-compliant. At the very least, include proper unsubscribe links in every communication you send.
Update database management to support GDPR consumer rights
The Right to Access and Portability
You’ll need to implement a method for exporting user data to CSV or another commonly used format.
The Right to be Forgotten
Be sure to implement a procedure for deleting all personal data when requested.
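The two procedures above (export on request, delete on request), plus the requirement from the plugins section that a plugin be able to export and delete the data it collects, can be hooked into WordPress core's own privacy tools rather than built from scratch. The following is an added example, not code from the original post: it registers an exporter and an eraser for a contact-form table that a hypothetical plugin keeps in `{prefix}ko_form_submissions`; the table name, its columns and the function names are assumptions.

```php
<?php
/**
 * Added example (not from the original post): a personal data exporter and
 * eraser registered with WordPress core (available since 4.9.6), so rows a
 * plugin stores in its own table are included in the "Export Personal Data"
 * and "Erase Personal Data" requests under the Tools menu. The table
 * {prefix}ko_form_submissions and its columns are assumptions.
 */

const KO_SUBMISSIONS_GROUP = 'ko-form-submissions'; // assumed group id

/** Exporter callback: returns one page of items for the given email address. */
function ko_export_submissions( string $email_address, int $page = 1 ): array {
    global $wpdb;
    $per_page = 100;                          // core calls again with page 2, 3, ... until 'done'
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'ko_form_submissions';

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, submitted_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ), ARRAY_A );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => KO_SUBMISSIONS_GROUP,
            'group_label' => 'Contact form submissions',
            'item_id'     => 'submission-' . $row['id'],
            'data'        => array(
                array( 'name' => 'Name',      'value' => $row['name'] ),
                array( 'name' => 'Email',     'value' => $row['email'] ),
                array( 'name' => 'Message',   'value' => $row['message'] ),
                array( 'name' => 'Submitted', 'value' => $row['submitted_at'] ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

/** Eraser callback: removes every row for the address and reports the outcome. */
function ko_erase_submissions( string $email_address, int $page = 1 ): array {
    global $wpdb;
    $deleted = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}ko_form_submissions WHERE email = %s",
        $email_address
    ) );
    return array(
        'items_removed'  => (int) $deleted > 0,
        'items_retained' => false,   // set true, with a message, only where law requires keeping a record
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( array $exporters ): array {
    $exporters[ KO_SUBMISSIONS_GROUP ] = array(
        'exporter_friendly_name' => 'Contact form submissions',
        'callback'               => 'ko_export_submissions',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( array $erasers ): array {
    $erasers[ KO_SUBMISSIONS_GROUP ] = array(
        'eraser_friendly_name' => 'Contact form submissions',
        'callback'             => 'ko_erase_submissions',
    );
    return $erasers;
} );
```

Once registered, an administrator creates the request under Tools, the requester confirms it by email, and core runs every registered exporter (bundling the results into a zip containing an HTML report, with a JSON copy in newer versions) or every registered eraser. That delivers the "export to a commonly used format" and "delete all personal data" procedures for plugin data without a separate workflow per plugin.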
Privacy by design
Ensure you have safeguards in place to protect data and restrict sharing. Only collect data that is necessary.
Create a tight data retention policy and erase data you no longer need.
Set up restrictive access so only people who actually need particular data can access it. Consider moving your site to HTTPS, which encrypts communications between your website and a user’s browser.
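The three controls in this section (collect only what is necessary, erase data past its retention period, and restrict access to the people who need it) as an added WordPress example, not code from the original post. It works on an assumed contact-form table `{prefix}ko_form_submissions`; the field list, the 90-day retention period, the capability name `ko_view_submissions` and the hook names are assumptions.

```php
<?php
/**
 * Added example (not from the original post): data minimisation, retention
 * and least-privilege controls for an assumed contact-form table
 * {prefix}ko_form_submissions. Field list, retention period, capability
 * name and hook names are assumptions.
 */

const KO_RETENTION_DAYS = 90;                    // assumed retention policy
const KO_VIEW_CAP       = 'ko_view_submissions'; // assumed capability name

/** Store only the fields needed to answer the request; any extra form inputs are dropped. */
function ko_store_submission( array $fields ): int {
    global $wpdb;
    $row = array(
        'name'         => sanitize_text_field( $fields['name'] ?? '' ),
        'email'        => sanitize_email( $fields['email'] ?? '' ),
        'message'      => sanitize_textarea_field( $fields['message'] ?? '' ),
        'submitted_at' => current_time( 'mysql', true ), // UTC timestamp
    );
    $wpdb->insert( $wpdb->prefix . 'ko_form_submissions', $row );
    return (int) $wpdb->insert_id;
}

/** Daily job: erase submissions older than the retention period. Returns the number of rows removed. */
function ko_purge_expired_submissions(): int {
    global $wpdb;
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - KO_RETENTION_DAYS * DAY_IN_SECONDS );
    return (int) $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}ko_form_submissions WHERE submitted_at < %s",
        $cutoff
    ) );
}
add_action( 'ko_daily_purge', 'ko_purge_expired_submissions' );

add_action( 'init', function () {
    // Schedule the purge once; WP-Cron then fires it daily.
    if ( ! wp_next_scheduled( 'ko_daily_purge' ) ) {
        wp_schedule_event( time(), 'daily', 'ko_daily_purge' );
    }
    // Grant the read capability to exactly one role, not to everyone who can log in.
    $role = get_role( 'administrator' );
    if ( $role && ! $role->has_cap( KO_VIEW_CAP ) ) {
        $role->add_cap( KO_VIEW_CAP );
    }
} );

/** Reading submissions requires the dedicated capability; everyone else gets an empty result. */
function ko_get_recent_submissions( int $limit = 50 ): array {
    if ( ! current_user_can( KO_VIEW_CAP ) ) {
        return array();
    }
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, submitted_at FROM {$wpdb->prefix}ko_form_submissions ORDER BY id DESC LIMIT %d",
        $limit
    ), ARRAY_A );
}
```

The capability check is the part to verify after deployment: log in as a user without `ko_view_submissions` and confirm the review screen shows nothing. For the HTTPS recommendation, WordPress's own switch is `define( 'FORCE_SSL_ADMIN', true );` in wp-config.php, which forces the dashboard and login over HTTPS; the site and home URLs in Settings should be changed to https as well so the public pages are covered too.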
If You Do Business in the EU Your Web Design Needs to Comply with the GDPR
Website GDPR compliance isn’t simple, but getting started on building the ability to comply before it becomes U.S. or state law makes sense.