The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018. The basic objective of the regulation is to protect the privacy of the personal data of users who live in the EU. Currently the regulation is full of ambiguous language that is probably going to test the courts in serious ways in the future.
Although the regulation only applies to the EU, I'm sure it is bound to spread to other countries, and I guess more and more Web owners will be made more accountable and responsible, losing a lot of the freedom to operate across borders that they have today. For example, I'm wondering how VPSs with locations in Europe may be affected, and I can just imagine that soon the EU will ask data centers outside the EU to take stricter control of owners whose websites have EU IPs and EU citizens as target markets.
Below are a few guidelines and tips to follow; however, bear in mind that the GDPR rules are in their infancy and bound to change and evolve constantly. Those with exposure to GDPR should see this as a work in progress and keep watching for changes in how the rules are interpreted.
WordPress is well prepared for GDPR. Since its last update it creates privacy pages in all new installations, and there are already a few plugins available that help with GDPR compliance.
Among the plugins, I've come across the GDPR Framework Plugin, which is a good one to install. It contains all of the information you need about GDPR, plus tools that help with setting up the pages. Be sure to read the Plugin Companion – the WordPress Site Owner's Guide to GDPR. The information may be a bit confusing, but if you run a serious business with serious interaction with EU customers it will at least give you a framework of which topics to consult a lawyer about. Better be prepared.
2. Mailing lists
Since mailing lists are at the core of dealing with users and their data, they are a very important focus of the GDPR rules. Don't take anything you created to collect information from users for granted: if the collection is not properly explained and consented to, it may open you up to a lawsuit.
If you have a mailing list, you need to alter the language on your opt-in forms to explain what the subscriber can expect after signing up. If your lead-magnet opt-in includes a subscription to your newsletter, you need to say so. It is also a good idea to set up a double opt-in for email subscribers. Make sure your confirmation message includes the same consent language used on your opt-in form.
Also make sure that your email service is logging the time and date of each opt-in. If you are ever the subject of a GDPR audit, these logs demonstrate that you made an effort to follow the rules.
3. Document all places where subscriber and customer data is stored
It’s important to have a handle on all of the places in your databases where subscriber and customer data is stored. That includes things like your mailing list service, shopping cart system, help desk system, and contact forms. For a simple blog, there’s not much to document. For an online business with an active marketing program, you may find that your subscriber/customer data is spread far and wide. It’s important that you know all of the places where that data lives.
Create a system for producing customer data when requested. If you have a very simple site, the GDPR Framework plugin creates a page where anonymous website visitors can make self-serve data requests. However, businesses with active marketing campaigns may need to develop a multi-step manual process that pulls together data from various sources.
4. Create a system for deleting customer data when requested
This is an important part of the regulation: the right of customers or subscribers to ask that all of their data be deleted. I'm still trying to get a handle on how this affects discussion forums, but for anything else a customer has the right to ask that everything is removed.
The GDPR Framework plugin includes a self-serve data deletion form similar to the data request form. However, if you're collecting data through plugins or third-party services (email, for example), then you'll likely have to develop a manual process for deletion.
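As an added illustration of the mailing-list advice above (double opt-in, the confirmation message repeating the form's consent wording, a timestamped log of every opt-in) together with the self-serve export and deletion requests of sections 3 and 4, here is a small consent ledger. It is example code written for this post, not part of WordPress or the GDPR Framework plugin; the in-memory dicts and the consent wording are constructed stand-ins for a real mailing-list database.

```python
import secrets
from datetime import datetime, timezone
from hashlib import sha256

# Consent wording shown on the opt-in form (constructed sample text).
CONSENT_TEXT = "I agree to receive the weekly newsletter and the free guide by email."

class ConsentLog:
    """Double opt-in bookkeeping: each sign-up and confirmation is stored with a UTC
    timestamp and the exact consent wording shown. The dicts stand in for a real DB."""
    def __init__(self):
        self.records = {}  # email -> list of logged events
        self.pending = {}  # confirmation token -> email awaiting confirmation

    def request_subscription(self, email, consent_text=CONSENT_TEXT, now=None):
        """Step 1: the opt-in form was submitted. Log it, but do not subscribe yet."""
        ts = (now or datetime.now(timezone.utc)).isoformat()
        token = secrets.token_urlsafe(16)  # unguessable link for the confirmation mail
        self.pending[token] = email
        self.records.setdefault(email, []).append({"event": "opt_in_requested", "time": ts,
            "consent_text": consent_text, "consent_sha256": sha256(consent_text.encode()).hexdigest()})
        return token

    def confirmation_message(self, token):
        """The confirmation e-mail repeats the consent wording used on the form."""
        email = self.pending[token]
        text = self.records[email][-1]["consent_text"]
        return f"Confirm your subscription. You are agreeing to: '{text}'\nToken: {token}"

    def confirm(self, token, now=None):
        """Step 2: the confirmation link was followed. Only now is consent complete."""
        email = self.pending.pop(token, None)
        if email is None:
            return False  # unknown or already-used token: nothing is subscribed
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.records[email].append({"event": "opt_in_confirmed", "time": ts, "token": token})
        return True

    def is_subscribed(self, email):
        return any(e["event"] == "opt_in_confirmed" for e in self.records.get(email, []))

    def export(self, email):
        """Data access request: everything this store holds about the address."""
        return list(self.records.get(email, []))

    def erase(self, email):
        """Deletion request: drop the subscriber's records and any pending tokens."""
        self.pending = {t: e for t, e in self.pending.items() if e != email}
        return self.records.pop(email, None) is not None
```

Storing the SHA-256 of the consent text alongside the text itself lets you later prove which version of the wording a subscriber agreed to, even after the form is edited.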