It’s really not that bad.
If you are worrying about GDPR and what it means for your WordPress website then you’ve come to the right place, Ixis has you covered with this handy how to guide on what you can do to make your website GDPR compliant! Buckle up, have a coffee and let’s give you the whistle stop tour.
What is GDPR?
On the 25th of May 2018, new legislation will come into force to replace the 1998 Data Protection Act, updating it for the 21st Century. The EU’s General Data Protection Regulation (GDPR) will give consumers much more control over how organisations use their personal data. GDPR will also introduce very large penalties for organisations which fail to comply with the new rules. The worst offenders can expect fines of up to €20 Million, or 4% of turnover, whichever is higher.
What do I Need to Do To be GDPR Compliant?
The requirements for GDPR are far-reaching and varied. The rules are intentionally left open to interpretation, meaning there is no “rubber stamp” you can get. You are left to figure out exactly how to comply yourself.
We’ve written this handy guide to some of the key steps you can take to make your website GDPR compliant. This post is aimed at GDPR Compliance for WordPress but a lot of what is written here will be useful regardless of what kind of website you have.
Remember that there may be more you need to do, so we recommend consulting with a legal professional to ensure you do all you need to become GDPR ready.
Do Some Data Mapping
Do you know every piece of data you collect from your customers? If you are like most people you probably don’t.
Doing a data mapping exercise is one of the first steps you should take on the road to compliance. The best way to do this is to plot your customer journey through your site and think about what data you collect at each point. After that you should figure out the journey for each of these pieces of data – What is it used for? Where do you store it? Which third parties do you give it to?
I’d recommend using some sort of flowchart software for this, such as draw.io. By the end of this task you’ll have a visual map of all the data flows on your website making life much easier when it comes to doing all the other tasks and all the documentation for GDPR.
Record Your Data Processing Activities
Once you have your shiny new data map, it’s time to look at the data you collect. For each piece of data you need to figure out why you are collecting it, and record that reason in a spreadsheet. You can use this spreadsheet for figuring out your legal basis for processing the data as well as how long you keep it (more on this later).
If you are looking at a piece of data and trying to figure out why you need it, perhaps you should consider whether you need it at all. Under GDPR rules you should only process data if you genuinely need to, so take this exercise as an opportunity to earmark data you are collecting that you can do without.
Figure Out Your Data Retention Policy
Once you know why you are using your data you should figure out how long you need it. For each item of data, do some thinking and decide how long you need to keep it for. For some data you may have a legal requirement to keep it for a certain length of time, but for other data it will come down to a judgement call. GDPR requires you to hold data no longer than is necessary, but generally how long that is is up to you.
Figure Out Your Lawful Basis for Processing Data
You now know what data you collect, where you keep it, why you have it and how long you need it for – Now you need to figure out your legal basis for processing it. Under GDPR there are six different lawful bases you can use to justify your processing of personal data. For most WordPress websites, however, you’ll generally use one of three:
Performance of Contract
Generally this is the legal basis you use when you need to process personal data in order to fulfil a contractual obligation to someone, such as a plumbing company needing to process a person’s address to direct a plumber to their home for a callout they have purchased. It also covers things they have asked you to do before entering into a contract: if a customer has requested a quote, you need to process their email address in order to send them the quote they asked for.
Legitimate Interest
Under GDPR, legitimate interest means you believe there is a legitimate interest, either your own or that of the person whose data you are processing, that justifies processing the personal data. Generally it might cover situations like emailing a past customer with an offer on a similar product to one they’ve bought previously. You have to prove a lot if you want to rely on legitimate interest, though it can generally be broken down into a three-part test:
- Test Your Purpose: Is the interest legitimate?
- Test whether it is necessary: Do you need to process the data to fulfil this interest?
- The balancing test: Does the individual’s interest override the legitimate interest?
Remember that people can always object to you using data this way, and you need to keep anyone whose data you process in this way informed.
Consent
If all else fails, you can still process personal data with consent from the data subject (that is, the person the data is about). Under GDPR, consent is much harder to obtain. It needs to be explicit (no hiding it in your terms and conditions), informed (you need to explain what you are asking permission for) and requires an affirmative action (no pre-ticked checkboxes!). If that wasn’t tough enough, if you are relying on consent to process your users’ data you should know that users can withdraw their consent at any time, and you need to make it easy for them to do so.
As scary as it sounds, there are some simple things you can do as a site owner to make sure all of your consent requests are GDPR compliant. For most sites the main thing you might ask consent for is email newsletters. If you plan to send marketing emails, adjust all of your contact forms to include an unticked checkbox asking for permission to do so. Likewise, if you plan to telemarket using numbers given on your website, or send advertising by post to addresses entered on your site, and you rely on consent for this, a simple checkbox explaining what you want permission for should suffice in most cases. Just make sure you store these responses as proof!
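One way to wire that up in WordPress, as an added example that is not code from the Ixis post: the checkbox is rendered unticked and states its purpose, only an explicitly ticked box counts as consent, and every answer (including later withdrawals) is stored with a timestamp and the version of the wording shown. The form field names, hook names and the `example_consent_log` option are assumptions; a site handling real volume would keep the log in a dedicated table rather than an option.

```php
<?php
// Added example, not from the original post. Assumes a contact form that posts
// to admin-post.php with action=example_contact, an "email" field, an
// unticked "marketing_consent" checkbox and a nonce field "consent_nonce".
define('EXAMPLE_CONSENT_TEXT_VERSION', '2018-05-01'); // bump whenever the wording changes

// Render the checkbox: unchecked by default and explicit about the purpose.
function example_marketing_consent_field() {
    wp_nonce_field('example_consent', 'consent_nonce');
    echo '<label><input type="checkbox" name="marketing_consent" value="1"> '
       . esc_html__('Yes, email me offers and news. You can unsubscribe at any time.')
       . '</label>';
}

// Append a consent record (who, what purpose, yes/no, which wording, when, from where).
function example_record_consent($email, $purpose, $given, $source) {
    $records   = get_option('example_consent_log', array());
    $records[] = array(
        'email'   => sanitize_email($email),
        'purpose' => $purpose,
        'given'   => (bool) $given,
        'version' => EXAMPLE_CONSENT_TEXT_VERSION,
        'source'  => $source,
        'time'    => current_time('mysql', true), // UTC timestamp
    );
    update_option('example_consent_log', $records, false); // not autoloaded
}

// Handle the form: a ticked box is consent; an absent or altered value is "no".
function example_handle_contact_form() {
    if (!isset($_POST['consent_nonce']) || !wp_verify_nonce($_POST['consent_nonce'], 'example_consent')) {
        wp_die('Invalid form submission.');
    }
    $email = sanitize_email(isset($_POST['email']) ? $_POST['email'] : '');
    if (!is_email($email)) {
        wp_die('Invalid email address.');
    }
    $consented = isset($_POST['marketing_consent']) && $_POST['marketing_consent'] === '1';
    example_record_consent($email, 'marketing_email', $consented, 'contact_form');
    // Send the enquiry itself here; only add the address to the mailing list if $consented.
}
add_action('admin_post_nopriv_example_contact', 'example_handle_contact_form');
add_action('admin_post_example_contact', 'example_handle_contact_form');

// Withdrawal: a newer record with given=false supersedes the earlier consent.
function example_withdraw_consent($email) {
    example_record_consent($email, 'marketing_email', false, 'unsubscribe_link');
}
```

The most recent record for an email address and purpose is the one that counts, so the log doubles as the proof of consent and the proof of withdrawal.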
You should also explain how a customer can remove cookies from their computer (by clearing the cookies in their browser and then declining cookies on their next visit).
Publish a Privacy Notice
This one is big. Your website should have an easy-to-access privacy notice explaining the following:
- What personal data you process
- What you use this personal information for
- How and when you collect this personal data
- How the information is stored and protected
- Who you share this information with
- Your lawful basis for processing the information
You should also make it clear where your users can ask questions about what you do with their data. If you have a Data Protection Officer (DPO) then you should give contact details for them; otherwise give the contact details of whoever in your company has been given responsibility for GDPR and data protection. You should also let users know who to contact if they think there is a problem.
Make Sure Your Website is Secure
As the owner of a website this is a no-brainer; even without GDPR you’d want to keep your website secure. However, under GDPR, protection of personal data held on your website is your responsibility. If you haven’t already done so, we’d recommend getting an SSL/TLS certificate set up so your website is served over HTTPS. In addition to this there are plenty of WordPress security plugins you can use to make sure your site is as secure as you could reasonably expect.
Make an Incident Response Plan
Plan for the worst. No website is impenetrable, so take the time to come up with a response plan in case your website is ever breached and data stolen. Remember that under GDPR rules you have just 72 hours to inform the ICO once you become aware of a data compromise – better to calmly plan now than do it against a pressing deadline later.
Data Processing Agreements
A big thing for GDPR is making sure any contractors or processors you use have agreed to follow the rules too. While most big processors you are likely to use, like Google, Facebook, MailChimp and the like, will have already made their commitments to GDPR public or asked you to agree to a data processing addendum, others may not have. Go back to your data map and, for each third party that processes data for you, ensure you have a data processing agreement with them, as you’ll be held liable if they misuse data you give them!
Make sure to have these agreements in place with any freelancers you use, and with your web development or digital marketing agency if they process data on your behalf! Another key area to check is companies based outside the EU, who may not be as familiar with GDPR rules.
Handle Subject Access Requests and the Right to be Forgotten
Among the fundamental rights of EU citizens under GDPR are the right to request the data you hold on them and the right to be forgotten. Luckily for you, you’ve now done your data mapping, so you know exactly what data you hold and where it is. Still, you should make a plan for exactly how you will fulfil these requests.
If you’ve read this far I hope you’ve found this information helpful and feel more ready to tackle the GDPR beast. Just remember though – there’s plenty you need to do within your own company too, not just your WordPress website! Make sure you get familiar with GDPR – it is not going away any time soon. For more information on GDPR visit the ICO at their website.
DISCLAIMER: Ixis are not legal professionals. This document contains non-authoritative guidance. Neither Ixis nor the Author accept any liability or responsibility that might occur as a consequence of the use, application or reliance on this material. We highly recommend seeking legal advice to ensure that you are fully GDPR compliant.